BILL ANALYSIS �Ó
AB 1219
Page 1
Date of Hearing: May 2, 2011
ASSEMBLY COMMITTEE ON BANKING AND FINANCE
Mike Eng, Chair
AB 1219 (Perea) - As Amended: April 25, 2011
SUBJECT : Credit cards: personal information.
SUMMARY : Provides clarification for those instances when an
entity that accepts credit cards may not request certain types
of personal information to complete the transaction.
Specifically, this bill :
1)Specifies that if a cardholder physically presents a credit
card to an employee, authorized agent, or representative of a
person, firm, partnership, association, or corporation as
payment, and the card functions properly, then the entity
accepting the card may not request, nor record certain types
of personal information from the consumer.
EXISTING LAW
1)Provides that under the Song-Beverly Credit Card Act of 1971
(Credit Card Act) (Civil Code Section 1747 et seq), no person,
firm, partnership, association or corporation that accepts
credit cards shall do any of the following:
a) Require, or request, as condition of accepting the
credit card, the cardholder to write any personal
identification information upon the credit card transaction
form or other document. ÝSection 1747.08a(1)]
b) Require, or request, as a condition of accepting the
credit card, the cardholder to provide personal
identification information which the entity accepting the
card would then write or record upon the credit transaction
form or otherwise. ÝSection 1747.08a(2)]
c) Utilize in any credit card transaction, a credit card
form that contains preprinted spaces for personal
identification information of the cardholder. ÝSection
1747.08a(3)]
2)Specifies that the prohibitions in a, b and c do not apply
under the following circumstances:
a) If the credit card is being used as a deposit to secure
�
AB 1219
Page 2
payment in the event of default, loss, damage, or other
similar occurrence. ÝSection 1747.08(1)]
b) Cash advance transactions. ÝSection 1747.08(2)]
c) If the entity requesting the information is
contractually obligated to provide the personal information
in order to complete the transaction, or is obligated to
collect and record the personal identification information
by federal law or regulation. ÝSection 1747.08(3)]
d) If personal identification information is required for a
special purpose incidental but related to the individual
credit card transaction, including but not limited to,
information relating to shipping, delivery, servicing, or
installation of the purchased merchandise, or for special
orders. ÝSection 1747.08(4)]
3)Clarifies that the prohibitions on collecting personal
identification information relating to the credit card
transaction does not prohibit a requirement that the
cardholder provide reasonable forms of positive
identification, including a driver's license or California
State identification card, or another form of identification.
ÝSection 1747.08(4)d]
4)Specifies that if the cardholder pays for the transaction with
a credit card number and does not make the credit card
available upon request to verify the number, the cardholder's
driver's license number or identification card number may be
recorded on the credit card transaction form. Ý1747.08(4)d].
5)Defines "personal identification information" (PII) as
information concerning the cardholder, other than information
set forth on the credit card, and including but not limited
to, the cardholder's address and telephone number. ÝSection
1747.08(3)b]
FISCAL EFFECT : None
COMMENTS :
The need for this bill arises from the Pineda v. Williams-Sonoma
Stores, Inc., 51 Cal.4th 524 (Cal. 2011) case in which the
California Supreme Court ruled that a consumer's ZIP code is
personal identification information under the Credit Card Act,
and as such, falls under the restricted uses contained within
�
AB 1219
Page 3
the statute. Prior to addressing how this bill would address
this issue, it is important to provide background on the case.
Pineda v. Williams-Sonoma Stores
The plaintiff sued retailer Williams-Sonoma Stores, Inc.,
claiming that the retailer violated the Credit Card Act during a
transaction in which a cashier at the retailer asked the
plaintiff for her ZIP code. The plaintiff complied with the
request, believing that her ZIP code was necessary for
completing the transaction. Subsequently, the defendant used
computer software to conduct reverse searches and cross checks
against databases that contain millions of names, email address,
telephone numbers, and street addresses. Using the software,
the defendant was able to match the name and ZIP code of the
plaintiff to match with her address which was then retained in
the defendant's own database used for marketing purpose.
Additionally, such information was also sold by the defendant to
other businesses. The plaintiff filed a class action alleging
that the retailer had violated the Credit Card Act.
The trial court and Court of Appeal agreed with the defendant
that ZIP code does not constitute "personal identification
information." The California Supreme Court agreed to take up
the issue. The court concluded that under the Credit Card Act,
"personal identification information" does include ZIP. The
court concluded that because "address" is a sum of its parts
(name, street, city, ZIP) in that ZIP "is readily understood to
be part of an address; when one addresses a letter to another
person, a ZIP code is always included. The question then is
whether the Legislature?intended to include components of the
address. The answer must be yes." Additionally, the court also
found that the broad language used in the statute demonstrated
that the Legislature intended the statute to be interpreted
broadly.
Subsequent to this decision, hundreds of lawsuits have been
filed against retailers for violating the Credit Card Act in
collecting ZIP codes for a variety of purposes.
Arguments in support .
Several groups, including the California Retailers Association
write in support of the bill:
Since the Pineda decision was handed down, over 150 class
�
AB 1219
Page 4
action suits have been filed against retailers in
California. Many of those retailers were collecting zip
codes for legitimate reasons that should be allowable under
the law. For example, some retailers have been sued simply
for collecting zip codes when the customer placed an order
online and the zip code was needed for delivery. Others
have been sued when they were only collecting the zip code
in order to reduce the likelihood of fraud or identity
theft.
The purpose of AB 1219 is to continue to limit the
collection of PII while still allowing and recognizing the
legitimate business need for a retailer to use PII to
appropriately process and complete all components of
customer transaction. AB 1219 will also help protect
against criminal activity, such as identity theft, which is
currently the number one source of consumer complaints to
the Federal Trade Commission. AB 1219 will help address
the potential for identity theft in situations where the
person or functioning card is not present.
Arguments in opposition .
The Consumer Attorneys of California write in opposition:
The retailers do not need personal identifying
information-instead they use it for marketing or to sell to
marketers, a very profitable endeavor for the retailer, but
one that puts the consumer at risk. Retailers use customized
computer software to perform reverse searches from databases
that contain millions of names, e-mail addresses, telephone
numbers, and street addresses. The information is then used
to create customer records for business purposes, like mailing
lists for in-house marketing efforts, or it is sold to
direct-mailing specialists. The contents of these records
can be viewed, printed, and sold by the store. In a nutshell,
they make money off of your personal information.
Pineda v. Williams Sonoma was correctly decided and
protects the intent of the statute and the privacy
interests of consumers.
Pineda , a unanimous California Supreme Court decision, held
that Williams Sonoma had violated the Beverly Song Credit Card
Act when it asked customers for their zip codes during a
credit card purchase. This decision clarified the law, as the
legislative history was perfectly clear that such identifying
information was included in the prohibition of requesting
�
AB 1219
Page 5
personal identifying information.
The retailers now claim that they will be subject to extreme
penalties under the law as they had continued to violate the
law until the decision was issued. The bill's sponsors want
AB 1219 to include language that the decision would be
prospective only.
First, the allegation that the sky will fall if the decision
is not applied prospectively only is erroneous. The plain
language in the statute clearly limits penalty assessment and
gives the judge the discretion on the amount of civil
penalties to be awarded to the cardholder for each violation
of the statute. Section (e) of the statute states that "any
person who violates this section shall be subject to a civil
penalty not to exceed $250 for the first violation and $1000
for each subsequent violation." In other words, the judge has
complete discretion on how much, the civil penalty should be
for violations. Certainly a judge would consider the
retailer's claim that it was relying on a lower court decision
when it determines how much, if any, assessment should apply.
Second, CAOC has always opposed, and will continue to oppose,
any effort to affect pending litigation. It is simply against
public policy to legislatively affect a consumer's existing
legal right in a manner that retroactively guts a claim. We
appreciate the retailer's frankness that this is their main
concern, and have met with them several times. However, on
this issue, there is no compromise for CAOC.
CAOC must oppose AB 1219, as amended on April 25, 2011,
unless it is amended.
The recently amended language is an attempt to clarify that
online transactions are not covered under the bill. However,
it is too broad. We agree that in some instances (for example
fraud prevention or shipping), the statute doesn't apply.
However, this language is not so limited.
For these reasons, CAOC must oppose AB 1219.
Privacy Rights Clearinghouse also writes in opposition to the
bill:
The California Legislature recognized the dangers
associated with collecting and maintaining consumers'
personal identification information by enacting an
amendment to the Song Beverly Credit Card Act in 1990 to
�
AB 1219
Page 6
protect consumers' privacy rights. The Pineda decision
clearly re-affirmed the consumer privacy protections of the
Song Beverly Credit Card Act.
With the rapid advances in technology in recent years, many
retailers have begun collecting customer zip codes during
credit card purchase transactions in order to match them to
customer names and thereby identify their customers and
obtain their home addresses. Using customers' zip codes is
an effective subterfuge to obtain their home addresses
because consumers are less likely to object to requests for
their zip code since they believe it is being used to
verify their credit cards. Consumers have become accustomed
to this practice at gas stations, where zip codes are
required by credit card companies during "pay at the pump"
transactions.
Requesting zip codes from customers under the false
pretense that zip codes are required to complete credit
card transactions, and then utilizing the zip codes, along
with the customers' names obtained from their credit cards,
to obtain the customers' home addresses, clearly defeats
the express purpose of the Song Beverly Credit Card Act.
The rights of consumers whose privacy has been violated
must be respected. We urge you to honor the privacy rights
of consumers, and allow courts the discretion to determine
on case by case basis what remedies, if any, are
appropriate for violations of the Song Beverly Credit Card
Act.
Discussion .
In the Pineda case, the retailer was collecting ZIP codes for
marketing purposes and potentially for sale to other businesses.
However, the court did not address uses of ZIP codes for what
could be described as more legitimate purposes. Specifically,
ZIP codes are also used for fraud prevention purposes, or at a
basic level, as part of the shipping address for an online
internet transaction. The author of this bill is concerned that
the court's decision could the interpreted to disallow
legitimate uses of ZIP codes that may actually benefit
consumers.
Gas stations have commonly required the input of a zip code when
the customer uses a credit card to purchase gas as a form of
fraud detection. This process originally was implemented as gas
�
AB 1219
Page 7
stations with high incidences of fraudulent transactions
involving stolen cards, but has migrated to include almost all
gas stations. While the protection of personal identification
information has a been a paramount concern of the California
Legislature for many years, so has establishing those parameters
in which information is necessary to protect the consumer
engaged in various electronic transactions.
Other than fraud prevention, another legitimate use for ZIP code
is in an online retail transaction in which the retailer needs
the address, including ZIP code of the consumer in order to ship
the item. Many retailers have expressed concern, and a several
lawsuits attest, that the necessity to require an address for
shipping is being used as a cause of action in civil litigation.
In order to clarify these issues, this bill provides that the
restrictions on collecting personal information within the
Credit Card Act only applies to transaction in which the
cardholder physically presents the card and it has a functioning
magnetic strip or other electronically readable device. Thus
far, various interest groups have conducted several meetings to
arrive at a solution to this problem that would allow reasonable
usage of a ZIP code under specific circumstances.
The bill under consideration is a first attempt to reach a
compromise on this issue that is palatable to all parties as the
current language in the bill may be too broad to retain
essential consumer protections but also allow for legitimate use
of ZIP codes. Currently, opponents of the bill find that the
language is too broad and would allow use of the use of personal
information in circumstances that are not within the intent of
the Credit Card Act.
The author of the bill acknowledges that additional
clarification of the language will be necessary. Should an
appropriate resolution not occur in the future the committee may
wish to consider calling this bill back for further review.
This bill is double referred to Judiciary.
REGISTERED SUPPORT / OPPOSITION :
Support
California Business Properties Association
California Chamber of Commerce
California Grocers Association
California Retailers Association
�
AB 1219
Page 8
Civil Justice Association of California
First Data
International Council of Shopping Centers
Opposition
Consumer Attorneys of California
Privacy Rights Clearinghouse
Analysis Prepared by : Mark Farouk / B. & F. / (916) 319-3081