What the Privacy Act of 1974 Actually Says About Your Social Security Number
The Privacy Act of 1974 is the federal law that gives you the right to refuse Social Security Number (SSN) disclosure in most non-credit business situations. Most people learn about it only after a data breach or after a private business demands an SSN that the law does not require them to collect. This guide explains what the Act covers, what it does not cover, and how it shapes the legal use of Credit Privacy Numbers (CPNs) for non-credit identification.
The exact text that protects you: Section 7
The Privacy Act, codified at 5 U.S.C. § 552a, is most famous for restricting how federal agencies share personal data. Section 7, however, is what consumers cite most often. It says, in plain English:
“It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number.”
That single sentence means a government agency cannot deny you a license, a permit, a job, or a benefit only because you refused to disclose your SSN — unless a separate federal statute specifically requires the SSN for that program. Most state and municipal forms fall outside that exception.
Where the Act applies — and where it does not
The Privacy Act applies to government agencies. It does not directly bind private businesses. However, two separate forces extend similar protection to private settings:
- The Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681) regulates how credit bureaus use your SSN. Bureaus must verify identity, and they must give you the right to dispute inaccurate use of your SSN.
- State data-protection laws in California, Illinois, New York, Massachusetts, and several other states limit private-sector SSN collection. California Civil Code § 1798.85, for example, prohibits printing SSNs on identification cards or routinely transmitting them.
The practical takeaway: a private business is generally not required to collect your SSN unless one of the following applies — they are extending credit, opening a financial account regulated by the Patriot Act, withholding payroll taxes as your employer, or processing a federal tax document.
How the Privacy Act backs the legal use of CPNs
A Credit Privacy Number is a 9-digit identifier used as an alternative to an SSN in non-credit contexts. The Privacy Act of 1974 does not “create” CPNs, but it creates the legal space in which they can be used. Three principles from the Act make CPN use legitimate when handled correctly:
- You can refuse SSN disclosure in non-credit contexts. Section 7 of the Act protects that refusal when interacting with government, and contract law protects it when interacting with most private businesses that are not legally required to collect an SSN.
- You can use a different identifier in those contexts. Nothing in federal law requires that an alternative identifier be issued by the SSA. As long as the identifier is not used to commit fraud or to evade legal SSN-collection requirements, an alternative is permitted.
- Misuse becomes fraud. The Act does not protect using a CPN where the law specifically requires an SSN. Using a CPN on a tax return, a credit card application, an FHA mortgage application, or a federal student loan is application fraud under 18 U.S.C. § 1028.
What you can legally do with a CPN under the Privacy Act
The following situations typically allow alternative identifiers under Privacy Act guidelines:
- Non-credit business applications where the business does not extend credit and is not required to verify identity for KYC purposes — gym memberships, magazine subscriptions, dating sites, online accounts.
- Most rental applications where the landlord is not running a credit pull that requires an SSN. Some screening services accept alternative identifiers; others insist on SSNs and you should not use a CPN there.
- Utility connections where the utility company offers a deposit-based or alternative-ID path. Many utilities will accept a non-SSN identifier in exchange for a security deposit.
- Background checks for non-financial roles where the employer is not required to use an SSN for tax withholding or for federal compliance.
- Privacy-protected reservations and sign-ups for services that ask for an SSN purely as a customer identifier rather than for credit or tax reasons.
What you cannot legally do with a CPN
The Privacy Act does not protect any of the following uses:
- Tax returns to the IRS
- Credit card applications, auto loans, mortgages, federal student loans, or any other application that legally requires an SSN under penalty of perjury
- Bank account applications subject to Patriot Act KYC verification
- Federal benefit applications (Social Security, Medicare, federal student aid)
- Application for an Employer Identification Number (the IRS issues those directly)
- Any government form that specifies “Social Security Number” as a required field under federal statute
Using a CPN in any of these contexts is identity-related fraud and carries federal penalties.
How CROA compliance fits in
The Credit Repair Organizations Act (CROA), 15 U.S.C. §§ 1679 et seq., is a separate federal law that regulates anyone selling credit-related services. It works alongside the Privacy Act. A legitimate CPN provider must:
- Bill only after services are performed (no upfront fees for credit-related work)
- Provide a written contract with itemized services
- Honor the federal three-day cancellation right with no penalty
- Make no guarantees of a specific credit-score outcome
- Disclose that consumers can dispute credit items themselves at no cost
If a service violates CROA, the FTC can sue and consumers can recover damages plus attorney fees. As of March 2026, the FTC issued 17 federal lawsuits against credit-related services for CROA violations and returned $10.9 million to victims of credit pyramid schemes. Always verify CROA compliance in writing before signing.
Privacy Act of 1974 vs other privacy laws
| Law | What it does | Who it binds |
|---|---|---|
| Privacy Act of 1974 | Restricts SSN disclosure to government agencies; gives consumers refusal right | Federal/state/local governments |
| Fair Credit Reporting Act (FCRA) | Regulates credit bureau use of consumer data including SSNs | Credit bureaus + furnishers |
| Gramm-Leach-Bliley Act (GLBA) | Requires financial institutions to protect non-public customer info | Banks, lenders, insurers |
| Credit Repair Organizations Act (CROA) | Regulates paid credit-related services and CPN sales | Credit repair companies, CPN providers |
| HIPAA | Restricts SSN-linked health record disclosure | Healthcare providers + insurers |
Why the Privacy Act matters more in 2026 than ever
Roughly 350 million Social Security Numbers leaked in confirmed data breaches between 2017 and 2024. Once your SSN is on the dark web, identity-theft risk persists for the rest of your life. The Privacy Act is the legal foundation for reducing your SSN’s exposure surface — choosing not to share it where the law does not require you to share it.
Combined with practical privacy tools — credit freezes at all three bureaus, a CPN file for non-credit contexts, and active credit monitoring — you can dramatically reduce identity theft risk while staying inside the law.
Get a Legal New Credit File backed by the Privacy Act
Legal New Credit File (LNCF) operates under both the Privacy Act of 1974 and the Credit Repair Organizations Act. We help consumers build CROA-compliant CPN files with authorized-user tradelines, three-bureau credit dispute services, business credit building under EINs, and rental approvals using alternative identifiers where legally permitted.
Call (800) 597-2560 or text (725) 290-2778 to verify which Privacy Act protections apply to your situation. Email [email protected]. Register a new credit file today.
Frequently asked questions about the Privacy Act of 1974
Can a private business legally require my Social Security Number?
Only if a federal statute specifically requires SSN collection for that purpose — extending credit (Equal Credit Opportunity Act and FCRA), opening a Patriot Act-covered financial account, processing payroll tax withholding, or filing a federal tax document. Most other SSN requests by private businesses are not legally mandatory and you may decline.
What happens if a government agency denies me service for refusing my SSN?
Under Section 7 of the Privacy Act, that denial is unlawful unless a separate federal statute specifically requires the SSN. You can file a complaint with the agency’s Office of Inspector General and pursue a civil action for damages.
Is using a CPN the same as committing identity theft?
No. Identity theft requires using another person’s identifier without authorization. A CPN is a separate identifier you obtained legally for your own use in non-credit contexts. It becomes problematic only when you use it where federal law requires an SSN — at that point it is application fraud.
Does the IRS recognize the Privacy Act of 1974 for tax filings?
No. Tax filings require either a Social Security Number or an Individual Taxpayer Identification Number (ITIN). The IRS is operating under separate federal authority that the Privacy Act does not override.
Can I use a CPN to apply for an apartment?
Often yes, when the landlord does not run an SSN-based credit pull or when the screening service accepts alternative identifiers. Many CPN packages include authorized-user tradelines specifically to build the credit file thickness needed for rental approvals. Always confirm with the landlord that they will accept an alternative identifier before submitting your application.
What is the difference between a CPN and an EIN?
An EIN is a tax identifier issued directly by the IRS for businesses. A CPN is a privacy identifier for individuals in non-credit, non-tax contexts. They are not interchangeable. The two work together when an entrepreneur uses a CPN for personal privacy and an EIN for business credit applications.
Where is the full text of the Privacy Act of 1974?
The full statutory text is at justice.gov/opcl/privacy-act-1974. The Department of Justice publishes the official current version, including the Section 7 text most relevant to consumer SSN protection.