AB 844, as amended, Dickinson. Credit and debit cards: transactions: personal information.
Existing state and federal law regulate the provision of credit and the use of credit cards. Existing state law prohibits a person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business from requesting or requiring the cardholder to provide personal identification information, which is then recorded, as a condition to accepting the credit card as payment in full or in part for goods or services, but provides various exceptions to this prohibition.
Under existing law, a person who violates the above provisions is subject to specified civil penalties, an action for injunctive relief, or both.
This bill would extend the above restrictions regarding the collection of personal identification information to debit cards. The bill would define “debit card” and related terms for these purposes, and would make conforming changes.
This bill would permit the operator of a commercial Internet Web site or online servicebegin delete that collectsend deletebegin insert to collectend insert personalbegin delete identifiableend deletebegin insert identificationend insert information, as defined,begin delete to require a credit cardholder or debit cardholder to provide only a ZIP Code to complete the Internet credit card or debit card transaction,end delete if used solely for the prevention of fraud, theft, or identity theftbegin delete, except under specified circumstancesend delete.
The bill would require that operator to destroybegin insert or dispose ofend insert thebegin delete ZIP Codeend deletebegin insert personal identificationend insert information so collectedbegin delete, as specified,end delete and would prohibit the operator frombegin delete aggregating orend delete sharing thebegin delete ZIP Codeend deletebegin insert personal identificationend insert information, as specified. The bill would authorize the assessment of civil penalties or an action for injunctive relief, or
both, for a violation of these provisions.
Existing law prohibits a person, firm, partnership, association, corporation, or limited liability company that accepts credit or debit cards for the transaction of business from printing more than the last 5 digits of an individual’s credit card or debit card number, or the expiration date, on a transaction receipt, as specified.
This bill would revise the above provisions to remove specific references to printed receipts, and would make other conforming changes.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1747.02 of the Civil Code is amended
2to read:
As used in this title:
4(a) “Credit card” means any card, plate, coupon book, or other
5single credit device existing for the purpose of being used from
6time to time to obtain money, property, labor, or services on credit.
7“Credit card” does not mean any of the following:
8(1) Any single credit device used to obtain telephone property,
9labor, or services in any transaction under public utility tariffs.
10(2) Any device that may be used to obtain credit pursuant to an
11electronic fund transfer, but only if the credit is obtained under an
12agreement between a consumer and a financial institution to extend
13
credit when the consumer’s asset account is overdrawn or to
P3 1
maintain a specified minimum balance in the consumer’s asset
2account.
3(3) Any key or card key used at an automated dispensing outlet
4to obtain or purchase petroleum products, as defined in subdivision
5(c) of Section 13401 of the Business and Professions Code, that
6will be used primarily for business rather than personal or family
7purposes.
8(b) “Accepted credit card” means any credit card that the
9cardholder has requested or applied for and received or has signed,
10or has used, or has authorized another person to use, for the purpose
11of obtaining money, property, labor, or services on credit. Any
12credit card issued in renewal of, or in substitution for, an accepted
13credit card becomes an accepted credit card when received by the
14cardholder, whether the credit card
is issued by the same or a
15successor card issuer.
16(c) “Debit card” means an accepted debit card or other means
17of access to a debit cardholder’s account that may be used to initiate
18electronic funds transfers and may be used without unique
19identifying information such as a personal identification number
20to initiate access to the debit cardholder’s account.
21(d) “Accepted debit card” means a debit card that the debit
22cardholder has requested and received or has signed, or has used,
23or has authorized another person to use, for the purpose of
24obtaining money, property, labor, or services. Any debit card issued
25in renewal of, or in substitution for, an accepted debit card becomes
26an accepted debit card when received by the debit cardholder,
27whether the debit card is issued by the
same or by a successor card
28issuer.
29(e) “Card issuer” means any person who issues a credit card or
30the agent of that person for that purpose with respect to the credit
31card.
32(f) “Cardholder” means a natural person to whom a credit card
33is issued for consumer credit purposes, or a natural person who
34has agreed with the card issuer to pay consumer credit obligations
35arising from the issuance of a credit card to another natural person.
36For purposes of Sections 1747.05, 1747.10, and 1747.20, the term
37includes any person to whom a credit card is issued for any
38purpose, including business, commercial, or agricultural use, or a
39person who has agreed with the card issuer to pay obligations
40arising from the issuance of that credit card to another person.
P4 1(g) “Debit card issuer” means any person who issues a debit
2card or the agent of that person for that purpose.
3(h) “Debit cardholder” means a natural person to whom a debit
4card is issued.
5(i) “Retailer” means every person other than a card issuer or
6debit card issuer who furnishes money, goods, services, or anything
7else of value. “Retailer” does not mean the state, a county, city,
8city and county, or any other public agency.
9(j) “Unauthorized use” means the use of a credit card or debit
10card by a person, other than the cardholder or debit cardholder,
11(1) who does not have actual, implied, or apparent authority for
12that use and (2) from which the cardholder or
debit cardholder
13receives no benefit. “Unauthorized use” does not include the use
14of a credit card or debit card by a person who has been given
15authority by the cardholder or debit cardholder to use the credit
16card or debit card. Any attempted termination by the cardholder
17or debit cardholder of the person’s authority is ineffective as against
18the card issuer or debit card issuer until the cardholder or debit
19cardholder complies with the procedures required by the card issuer
20or debit card issuer to terminate that authority. Notwithstanding
21the above, following the card issuer’s or debit card issuer’s receipt
22of oral or written notice from a cardholder or debit cardholder
23indicating that it wishes to terminate the authority of a previously
24authorized user of a credit card or debit card, the card issuer or
25debit card issuer shall follow its usual procedures for precluding
26any further use of a credit
card or debit card by an unauthorized
27person.
28(k) “Inquiry” means a writing that is posted by mail to the
29address of the card issuer or debit card issuer to which payments
30are normally tendered, unless another address is specifically
31indicated on the statement for that purpose, then to that other
32address, and that is received by the card issuer or debit card issuer
33no later than 60 days after the card issuer transmitted the first
34periodic statement that reflects the alleged billing error, and that
35does all of the following:
36(1) Sets forth sufficient information to enable the card issuer or
37debit card issuer to identify the cardholder or debit cardholder and
38the account.
39(2) Sufficiently identifies the billing error.
P5 1(3) Sets forth information providing the basis for the
2cardholder’s or debit cardholder’s belief that the billing error exists.
3(l) “Response” means a writing that is responsive to an inquiry
4and mailed to the cardholder’s or debit cardholder’s address last
5known to the card issuer or debit card issuer.
6(m) “Timely response” means a response that is mailed within
7two complete billing cycles, but in no event later than 90 days,
8after the card issuer or debit card issuer receives an inquiry.
9(n) “Billing error” means an error by omission or commission
10in (1) posting any debit or credit, or (2) in computation or similar
11error of an accounting nature contained in a
statement given to the
12cardholder or debit cardholder by the card issuer or debit card
13issuer. A “billing error” does not mean any dispute with respect
14to value, quality, or quantity of goods, services, or other benefit
15obtained through use of a credit card or debit card.
16(o) “Adequate notice” means a printed notice to a cardholder
17or debit cardholder that sets forth the pertinent facts clearly and
18conspicuously so that a person against whom it is to operate could
19reasonably be expected to have noticed it and understood its
20meaning.
21(p) “Secured credit card” means any credit card issued under
22an agreement or other instrument that pledges, hypothecates, or
23places a lien on real property or money or other personal property
24to secure the cardholder’s obligations to the card
issuer.
25(q) “Student credit card” means any credit card that is provided
26to a student at a public or private college or university and is
27provided to that student solely based on his or her enrollment in a
28public or private university, or is provided to a student who would
29not otherwise qualify for that credit card on the basis of his or her
30income. A “student credit card” does not include a credit card
31issued to a student who has a cocardholder or cosigner who would
32otherwise qualify for a credit card other than a student credit card.
33(r) “Retail motor fuel dispenser” means a device that dispenses
34fuel that is used to power internal combustion engines, including
35motor vehicle engines, that processes the sale of fuel through a
36remote electronic payment system, and that is in a location
where
37an employee or other agent of the seller is not present.
38(s) “Retail motor fuel payment island automated cashier” means
39a remote electronic payment processing station that processes the
40retail sale of fuel that is used to power internal combustion engines,
P6 1including motor vehicle engines, that is in a location where an
2employee or other agent of the seller is not present, and that is
3located in close proximity to a retail motor fuel dispenser.
Section 1747.08 of the Civil Code is amended to read:
(a) Except as provided in subdivision (c), no person,
6firm, partnership, association, or corporation that accepts credit
7cards or debit cards for the transaction of business shall do any of
8the followingbegin insert, whether in person or through an operator of a
9commercial Internet Web site or online serviceend insert:
10(1) Request, or require as a condition to accepting the credit
11card or debit card as payment in full or in part for goods or services,
12the cardholder or debit cardholder to provide any personal
13identification information.
14(2) Request, or require
as a condition to accepting the credit
15card or debit card as payment in full or in part for goods or services,
16the cardholder or debit cardholder to provide personal identification
17information, which the person, firm, partnership, association, or
18corporation accepting the credit card or debit card collects, causes
19to be collected, or otherwise records upon the credit card or debit
20card transaction template or otherwise.
21(3) Utilize, in any credit card or debit card transaction, a credit
22card or debit card template which contains spaces specifically
23designated for filling in any personal identification information of
24the cardholder or debit cardholder.
25(b) For purposes of this sectionbegin delete “personalend deletebegin insert,
the following terms
26have the following meanings:end insert
27begin insert(1)end insertbegin insert end insertbegin insert“Personalend insert identification information,” means information
28concerning the cardholder or debit cardholder, other than
29information set forth on the credit card or debit card, and including,
30but not limited to, the cardholder’s or debit cardholder’s address
31and telephone number.
32(2) “Operator” means a person or entity and any and all
33affiliated corporate entities that own an Internet Web site or online
34service and that accepts a credit card or debit card for the
35transaction of business from a cardholder or debit
cardholder
36residing in California.
37(c) Subdivision (a) does not apply in the following instances:
38(1) If the credit card or debit card is being used as a deposit to
39secure payment in the event of default, loss, damage, or other
40similar occurrence.
P7 1(2) Cash advance transactions.
2(3) If any of the following applies:
3(A) The person, firm, partnership, association, or corporation
4accepting the credit card or debit card is contractually obligated
5to provide personal identification information in order to complete
6the credit card or debit card transaction.
7(B) The person, firm, partnership, association, or corporation
8accepting the credit card or debit card in a sales transaction at a
9retail motor fuel dispenser or retail motor fuel payment island
10automated cashier uses the ZIP Code information solely for
11prevention of fraud, theft, or identity theft.
12(C) The person, firm, partnership, association, or corporation
13accepting the credit card or debit card is obligated to collect and
14record the personal identification information by federal or state
15law or regulation.
16(D) The person, firm, partnership, association, or corporation,
17including the operator of a commercial Internet Web site or online
18service, accepting the
credit card or debit card in a business
19transaction uses the personal identification information solely for
20the prevention of fraud, theft, or identity theft. An operator of a
21commercial Web Site or online service accepting the credit card
22or debit card shall destroy or dispose of the personal identification
23information in a secure manner after it is no longer needed for the
24prevention of fraud, theft, or identity theft. An operator of a
25commercial Web Site or online service may not share the personal
26identification information with any other operator of a commercial
27Internet Web site or online service.
28(4) If personal identification information is required for a special
29purpose incidental but related to the individual credit card or debit
30card transaction, including, but not limited to, information relating
31to shipping, delivery, servicing, or installation of the purchased
32merchandise,
or for special orders.
33(d) This section does not prohibit any person, firm, partnership,
34association, or corporation from requiring the cardholder or debit
35cardholder, as a condition to accepting the credit card or debit card
36as payment in full or in part for goods or services, to provide
37reasonable forms of positive identification, which may include a
38driver’s license or a California state identification card, or where
39one of these is not available, another form of photo identification,
40provided that none of the information contained thereon is collected
P8 1or recorded on the credit card or debit card transaction template
2or otherwise. If the cardholder or debit cardholder pays for the
3transaction with a credit card or debit card number and does not
4make the credit card or debit card available upon request to verify
5the number, the cardholder’s
or debit cardholder’s driver’s license
6number or identification card number may be recorded on the
7credit card or debit card transaction or otherwise.
8(e) This section does not prohibit any person, firm, partnership,
9association, or corporation, including the operator of a commercial
10Internet Web site or online service, from collecting personal
11identification information if the operator maintains an account
12associated with the credit cardholder or debit cardholder and if
13the cardholder provides personal information as part of that
14account.
15(e)
end delete
16begin insert(f)end insert Any person who violates this section shall be subject to a
17civil penalty not to exceed two hundred fifty dollars ($250) for the
18first violation and one thousand dollars ($1,000) for each
19subsequent violation, to be assessed and collected in a civil action
20brought by the person paying with a credit card or debit card, by
21the Attorney General, or by the district attorney or city attorney
22of the county or city in which the violation occurred. However,
23no civil penalty shall be assessed for a violation of this section if
24the defendant shows by a preponderance of the evidence that the
25violation was not intentional and resulted from a bona fide error
26made notwithstanding the defendant’s maintenance of procedures
27reasonably adopted to avoid that error. When collected, the civil
28penalty shall be payable, as appropriate, to the person paying with
29a credit card or debit card who brought the action,
or to the general
30fund of whichever governmental entity brought the action to assess
31the civil penalty.
32(f)
end delete
33begin insert(g)end insert The Attorney General, or any district attorney or city attorney
34within his or her respective jurisdiction, may bring an action in
35the superior court in the name of the people of the State of
36California to enjoin violation of subdivision (a) and, upon notice
37to the defendant of not less than five days, to temporarily restrain
38and enjoin the violation. If it appears to the satisfaction of the court
39that the defendant has, in fact, violated subdivision (a), the court
40may issue an
injunction restraining further violations, without
P9 1requiring proof that any person has been damaged by the violation.
2In these proceedings, if the court finds that the defendant has
3violated subdivision (a), the court may direct the defendant to pay
4any or all costs incurred by the Attorney General, district attorney,
5or city attorney in seeking or obtaining injunctive relief pursuant
6to this subdivision.
7(g)
end delete
8begin insert(h)end insert Actions for collection of civil penalties under subdivision
9begin delete(e)end deletebegin insert
(f)end insert and for injunctive relief under subdivisionbegin delete (f)end deletebegin insert (g)end insert may be
10consolidated.
11(h)
end delete
12begin insert(i)end insert The changes made to this section by Chapter 458 of the
13Statutes of 1995 apply only to credit card transactions entered into
14on and after January 1, 1996. Nothing in those changes shall be
15construed to affect any civil action which was filed before January
161, 1996.
Section 1747.08.1 is added to the Civil Code, to read:
(a) An operator of a commercial Internet Web site
19or online service that collects personal identifiable information for
20a credit card or debit card transaction may require a cardholder or
21debit cardholder, as a condition to accepting a credit card or debit
22card as payment in full or in part in an online transaction, to provide
23only the billing ZIP Code number associated with the credit card
24or debit card, if used solely for the prevention of fraud, theft, or
25identity theft. An operator of a commercial Internet Web site or
26online service accepting the credit card or debit card shall destroy
27or dispose of the ZIP Code in a secure manner after it is no longer
28needed for the prevention of fraud, theft, or identity theft. An
29
operator of a commercial Internet Web site or online service
30accepting the credit card or debit card may not aggregate the ZIP
31Code with any other personal identifiable information and may
32not share the ZIP Code with any other operator of a commercial
33Internet Web site or online service.
34(b) Subdivision (a) does not apply to any of the following:
35(1) Instances in which the credit card or debit card is being used
36as a deposit to secure payment in the event of default, loss, damage,
37or other similar occurrence.
38(2) Cash advance transactions.
39(3) Instances in which any of the following applies:
P10 1(A) An operator of a commercial Internet Web site or online
2service is contractually obligated to provide personal identifiable
3information in order to complete the credit card or debit card
4transaction.
5(B) An operator of a commercial Internet Web site or online
6service is obligated to collect and record the personal identifiable
7information by federal or state law or regulation.
8(C) An operator of a commercial Internet Web site or online
9service maintains an account associated with the cardholder or
10debit cardholder where the cardholder or debit cardholder
provides
11personal identifiable information as part of the account on the
12commercial Internet Web site or online service.
13(4) Instances in which personal identifiable information is
14required for a special purpose incidental but related to the
15individual credit card or debit card transaction, including, but not
16limited to, information relating to shipping, delivery, servicing, or
17installation of the purchased merchandise, or for special orders.
18(c) For purposes of this section, the following definitions apply:
19(1) “Personal identifiable information” means individually
20identifiable information
concerning a cardholder or debit
21cardholder, other than information set forth on the credit card or
22debit card, collected online by the operator from that
cardholder
23or debit cardholder, including, but not limited to, the following:
24(A) Home or other physical address, including street name and
25name of a city or town.
26(B) Email address.
27(C) Telephone number.
28(2) “Operator” means a person or entity and any and all affiliated
29corporate entities that own an Internet Web site or an online service
30that collects and maintains personal identifiable information from
31a cardholder or debit cardholder
residing in California who uses
32or visits the Internet Web site or online service if the Internet Web
33site or online service is operated for commercial purposes.
34(d) (1) A person who violates this section shall be subject to a
35civil penalty not to exceed two hundred fifty dollars ($250) for the
36first violation and one thousand dollars ($1,000) for each
37subsequent violation, to be assessed and collected in a civil action
38brought by the person paying with a credit card or debit card, by
39the Attorney General, or by the district attorney or city attorney
40of the county or city in which the violation occurred.
P11 1(2) Notwithstanding paragraph (1), a civil penalty shall not be
2assessed for a violation of this section if the defendant shows, by
3a
preponderance of the evidence, that the violation was not
4intentional and resulted from a bona fide error made
5notwithstanding the defendant’s maintenance of procedures
6reasonably adopted to avoid that error.
7(3) When collected, the civil penalty shall be payable, as
8appropriate, to the person paying with a credit card or debit card
9who brought the action, or to the general fund of the governmental
10entity that brought the action to assess the civil penalty.
11(e) The Attorney General, or any district attorney or city attorney
12within his or her respective jurisdiction, may bring an action in
13the superior court in the name of the people of the State of
14California to enjoin violation of subdivision (a) and, upon notice
15to the defendant of not less than five days, to temporarily restrain
16and
enjoin the violation. If it appears to the satisfaction of the court
17that the defendant has, in fact, violated subdivision (a), the court
18may issue an injunction restraining further violations, without
19requiring proof that any person has been damaged by the violation.
20In these proceedings, if the court finds that the defendant has
21violated subdivision (a), the court may direct the defendant to pay
22any or all costs incurred by the Attorney General, district attorney,
23or city attorney in seeking or obtaining injunctive relief pursuant
24to this subdivision.
25(f) Actions for collection of civil penalties under subdivision
26(d) and for injunctive relief under subdivision (e) may be
27consolidated.
28(g) This section shall apply only to credit card and debit card
29transactions entered into on
and after January 1, 2014. This section
30shall not be construed to affect any civil action that was filed before
31January 1, 2014.
Section 1747.09 of the Civil Code is amended to read:
(a) Except as provided in this section, no person,
35firm, partnership, association, corporation, or limited liability
36company that accepts credit or debit cards for the transaction of
37business shall display more than the last five digits of the credit
38or debit card account number or the expiration date upon any of
39the following:
40(1) Any receipt provided to the cardholder.
P12 1(2) Any receipt retained by the person, firm, partnership,
2association, corporation, or limited liability company.
3(3) Any receipt retained by the person, firm,
partnership,
4association, corporation, or limited liability company that at the
5time of the purchase, exchange, refund, or return, is not signed by
6the cardholder, because the cardholder or debit cardholder used a
7personal identification number to complete the transaction.
8(b) This section shall apply only to receipts that include a credit
9or debit card account number that are electronically printed and
10shall not apply to transactions in which the sole means of recording
11the person’s credit or debit card account number is by handwriting
12or by an imprint or copy of the credit or debit card.
13(c) This section shall not apply to documents, other than the
14receipts described in paragraphs (1) to (3), inclusive, of subdivision
15(a), used for internal administrative purposes.
16(d) Paragraphs (2) and (3) of subdivision (a) shall become
17operative on January 1, 2009.
Section 1748.30 of the Civil Code is amended to read:
For purposes of this title, the following definitions
21shall apply:
22(a) “Accepted debit card” means any debit card which the debit
23cardholder has requested and received or has signed, or has used,
24or has authorized another person to use, for the purpose of
25obtaining money, property, labor, or services. Any debit card issued
26in renewal of, or in substitution for, an accepted debit card becomes
27an accepted debit card when received by the debit cardholder,
28whether the debit card is issued by the same or by a successor card
29issuer.
30(b) “Account” means a demand deposit (checking), savings, or
31other
consumer asset account, other than an occasional or incidental
32credit balance in a credit plan, established primarily for personal,
33family, or household purposes.
34(c) “Adequate notice” has the same meaning as found in
35subdivision (o) of Section 1747.02.
36(d) “Debit card” means an accepted debit card or other means
37of access to a debit cardholder’s account that may be used to initiate
38electronic funds transfers and may be used without unique
39identifying information such as a personal identification number
40to initiate access to the debit cardholder’s account.
P13 1(e) “Debit card issuer” means any person who issues a debit
2card or the agent of that person for that purpose.
3(f) “Debit cardholder” means a natural person to whom a debit
4card is issued.
5(g) “Unauthorized use” means the use of a debit card by a
6person, other than the debit cardholder, to initiate an electronic
7fund transfer from the debit cardholder’s account without actual
8authority to initiate the transfer and from which the debit cardholder
9receives no benefit. The term does not include an electronic fund
10transfer initiated in any of the following manners:
11(1) By a person who was furnished the debit card to the debit
12cardholder’s account by the debit cardholder, unless the debit
13cardholder has notified the debit card issuer that transfers by that
14person are no longer authorized.
15(2) With fraudulent intent by the
debit cardholder or any person
16acting in concert with the debit cardholder.
17(3) By the debit card issuer or its employee.
Section 99030 of the Education Code is amended to
20read:
The Regents of the University of California and the
22governing body of each accredited private or independent college
23or university in the state are requested to, and the Trustees of the
24California State University and the Board of Governors of the
25California Community Colleges shall, adopt policies to regulate
26the marketing practices used on campuses by credit card
27companies. In adopting the policies, it is the intent of the
28Legislature that those entities consider including all of the
29following requirements:
30(a) That sites at which student credit cards are marketed be
31registered with the campus administration and that consideration
32be given to limiting the
number of sites allowed on a campus.
33(b) That marketers of student credit cards be prohibited from
34offering gifts to students for filling out credit card applications.
35(c) That credit card and debt education and counseling sessions
36become a regular part of campus orientation of new students. For
37purposes of this section, colleges and universities shall utilize
38existing debt education materials prepared by nonprofit entities
39and thus not incur the expense of preparing new materials.
P14 1(d) For the purposes of this chapter, “student credit card” has
2the meaning set forth in subdivision (q) of Section 1747.02 of the
3Civil Code.
O
95