Why utility companies ask for your Social Security number is one of those search questions people only type when they are already under pressure. They may need electricity turned on before moving day, gas service before winter, water service before a lease starts, or internet service to work from home. The form feels administrative, but the SSN field can make the whole application feel much larger. That single number can support identity checks, deposit decisions, account matching, and future collection activity long after the lights are on.
The privacy risk is not that every utility request is suspicious. Some utilities genuinely use consumer reports, identity checks, or deposit screening to manage fraud and unpaid balances. The CFPB's consumer-reporting resources help show that consumer reports are used in more places than many people realize. A utility application may therefore be part of a broader screening ecosystem, not just a simple service request. The problem is that the form often tells the applicant very little about which purpose applies, which parties receive the data, and whether alternatives exist.
A better question is what the utility actually needs at each step. NIST's digital identity guidance separates identity proofing from ordinary account use, which is useful here because service setup is not the same as opening a bank account. If the goal is to verify a household for service delivery, the company should explain whether the SSN is for identity proofing, fraud prevention, deposit review, or collections matching. It should also explain whether the result is a soft verification, a consumer report pull, or a retained account credential that will be used again later.
The data-minimization principle is the core consumer defense. The CPPA advisory says collection, use, retention, and sharing should be reasonably necessary and proportionate to the disclosed purpose. Applied to a utility form, that means the company should ask only for the fields it truly needs to start service, not the fields it wants because they are convenient for later billing or marketing. If partial SSN, a government ID check, a lease record, or an in-person option would work, the consumer should be told that clearly before typing sensitive information into a web form or saying it aloud on the phone.
FTC privacy guidance gives the practical habit: limit what you share until you understand who is collecting it. That matters because utility setup often happens during a move, a breakup, a new job, or another stressful life change when people are more likely to rush. A rushed applicant may hand over an SSN to a call-center script without asking whether the number is stored, how it is protected, or whether the company can accept less sensitive proof. A phone agent may sound official, but the same rules should apply: purpose, necessity, retention, and a clear path to ask questions.
The household consequences can be surprisingly broad. A utility account can expose who moved in, who pays the bill, whether the person is renting or buying, whether the household has had deposit trouble, and whether a family member is trying to establish service quietly after a dispute or separation. If the account is later sold, transferred, or collected, the SSN can become a durable join key that follows the consumer into back-office systems they never see. That is why the field matters even when the bill itself looks ordinary.
cloak should treat utility setup as sensitive onboarding, not as a harmless utility form. It can warn when a service site asks for an SSN before explaining why, when the data flow looks like a deposit screen dressed up as an onboarding page, or when marketing and account-recovery reuse are bundled into the same step. The safer default is simple: disclose the purpose, minimize the fields, offer alternatives when possible, and keep the number from becoming a reusable profile stitched across billing, collections, and advertising systems. People should not have to trade a utility hookup for a permanent identity trail.