AB 844, as amended, Dickinson. Credit and debit cards: transactions: personal information.
Existing state and federal lawbegin delete regulateend deletebegin insert regulatesend insert the provision of credit and the use of credit cards.begin delete Existing state lawend deletebegin insert The Song-Beverly Credit Card Act of 1971 generallyend insert prohibits a person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business from requesting or requiring the cardholder to provide personal identification information, which is then recorded, as a condition to accepting the credit card as payment in full or in part for goods or services, but
provides various exceptions to this prohibition.
Under existing law, a person who violates the above provisions is subject to specified civil penalties, an action for injunctive relief, or both.
This bill would extend the above restrictions regarding the collection of personal identification information to debit cards. The bill would define “debit card” and related terms for these purposes, and would make conforming changes.
This
end delete
begin insertThe bill would permit the collection of personal identification information if the credit card or debit card is being used as part of
a layaway transaction. Theend insert bill would permitbegin insert a person, firm, partnership, association, or corporation, includingend insert the operator of a commercial Internet Web site or online servicebegin insert, accepting the credit card or debit card in a business transactionend insert to collect personal identification information, as defined, if usedbegin delete solelyend delete for thebegin insert detection, investigation, orend insert prevention of fraud, theft,begin delete orend delete identity theftbegin insert, criminal activity,
or enforcement of terms of saleend insert. The bill wouldbegin delete require that operator to destroy or dispose of the personal identification information so collected and would prohibit the operator from sharing the personal identification information, as specified. The bill would authorize the assessment of civil penalties or an action for injunctive relief, or
both, for a violation of these provisionsend deletebegin insert also permit the collection of personal identification information if the cardholder is advised, or if it is apparent, that the provision of personal identification information is not a condition to accepting the credit card or debit card as payment in full or in part for goods or services and the cardholder has consented to the collection of the personal identification informationend insert.
Existing law prohibits a person, firm, partnership, association, corporation, or limited liability company that accepts credit or debit cards for the transaction of business from printing more than the last 5 digits of an individual’s credit card or debit card number, or the expiration date, on a transaction receipt, as specified.
This bill would revise the above provisions to remove specific references to printed receipts, and would make other conforming changes.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1747.02 of the Civil Code is amended
2to read:
As used in this title:
4(a) “Credit card” means any card, plate, coupon book, or other
5single credit device existing for the purpose of being used from
6time to time to obtain money, property, labor, or services on credit.
7“Credit card” does not mean any of the following:
8(1) Any single credit device used to obtain telephone property,
9labor, or services in any transaction under public utility tariffs.
10(2) Any device that may be used to obtain credit pursuant to an
11electronic fund transfer, but only if the credit is obtained under an
12agreement between a consumer and a financial institution to extend
13
credit when the consumer’s asset account is overdrawn or to
14
maintain a specified minimum balance in the consumer’s asset
15account.
16(3) Any key or card key used at an automated dispensing outlet
17to obtain or purchase petroleum products, as defined in subdivision
18(c) of Section 13401 of the Business and Professions Code, that
19will be used primarily for business rather than personal or family
20purposes.
21(b) “Accepted credit card” means any credit card that the
22cardholder has requested or applied for and received or has signed,
23or has used, or has authorized another person to use, for the purpose
24of obtaining money, property, labor, or services on credit. Any
25credit card issued in renewal of, or in substitution for, an accepted
26credit card becomes an accepted credit card when received by the
27cardholder, whether the credit card is
issued by the same or a
28successor card issuer.
29(c) “Debit card”begin delete means an accepted debit card or other means begin insert has the same
30of access to a debit cardholder’s account that may be used to initiate
31electronic funds transfers and may be used without unique
32identifying information such as a personal identification number
33to initiate access to the debit cardholder’s account.end delete
34meaning as defined in Section 1748.30.end insert
35(d) “Accepted debit card”begin delete means a debit card that the debit
36cardholder has requested and received or has signed, or has used,
37or has authorized another person to use, for the purpose of
38obtaining money, property, labor, or services. Any debit card issued
P4 1in renewal of, or in substitution for, an accepted debit card becomes
2an accepted debit card when received by the debit cardholder,
3whether the debit card is issued by the same
or by a successor card
4issuer.end delete
5(e) “Card issuer” means any person who issues a credit card or
6the agent of that person for that purpose with respect to the credit
7card.
8(f) “Cardholder” means a natural person to whom a credit card
9is issued for consumer credit purposes, or a natural person who
10has agreed with the card issuer to pay consumer credit obligations
11arising from the issuance of a credit card to another natural person.
12For purposes of Sections 1747.05, 1747.10, and 1747.20, the term
13includes any person to whom a credit card is issued for any
14purpose, including business, commercial, or agricultural use, or a
15person
who has agreed with the card issuer to pay obligations
16arising from the issuance of that credit card to another person.
17(g) “Debit card issuer”begin delete means any person who issues a debit begin insert has the same
18card or the agent of that person for that purpose.end delete
19meaning as defined in Section 1748.30.end insert
20(h) “Debit cardholder”begin delete means a natural person to whom a debit begin insert has the same meaning as defined in Section 1748.30.end insert
21card is issued.end delete
22(i) “Retailer” means every person other than a card issuer or
23debit card issuer who furnishes money, goods, services, or anything
24else of value. “Retailer” does not mean the state, a county, city,
25city and county, or any other public agency.
26(j) “Unauthorized use” means the use of a credit card begin deleteor debit by a person, other than the cardholder
27card end deletebegin delete or debit cardholderend delete,
28(1) who does not have actual, implied, or apparent authority for
29that use and (2) from which the cardholder begin deleteor
debit cardholderend delete
30 receives no benefit. “Unauthorized use” does not include the use
31of a credit cardbegin delete or debit cardend delete by a person who has been given
32authority by the cardholderbegin delete or debit cardholderend delete to use the credit
33cardbegin delete or debit cardend delete. Any attempted termination by the cardholder
34begin delete or debit cardholderend delete of the person’s authority is ineffective as against
35the card issuerbegin delete or debit card issuerend delete until the cardholderbegin delete or debit complies with the
procedures required by the card issuer
36cardholderend delete
37begin delete or debit card issuerend delete to terminate that authority. Notwithstanding
38the above, following the card issuer’sbegin delete or debit card issuer’send delete receipt
39of oral or written notice from a cardholder begin deleteor debit cardholderend delete
40 indicating that it wishes to terminate the authority of a previously
P5 1authorized user of a credit cardbegin delete or debit cardend delete, the card issuerbegin delete or shall follow its usual procedures for precluding
2debit card issuerend delete
3any further use of a credit cardbegin delete or debit cardend delete
by an unauthorized
4person.
5(k) “Inquiry” means a writing that is posted by mail to the
6address of the card issuerbegin delete or debit card issuerend delete to which payments
7are normally tendered, unless another address is specifically
8indicated on the statement for that purpose, then to that other
9address, and that is received by the card issuer begin deleteor debit card issuerend delete
10 no later than 60 days after the card issuer transmitted the first
11periodic statement that reflects the alleged billing error, and that
12does all of the following:
13(1) Sets forth sufficient information to enable the card issuerbegin delete or
to identify the cardholder
14debit card issuerend deletebegin delete or debit cardholderend delete and
15the account.
16(2) Sufficiently identifies the billing error.
17(3) Sets forth information providing the basis for the
18cardholder’sbegin delete or debit cardholder’send delete belief that the billing error exists.
19(l) “Response” means a writing that is responsive to an inquiry
20and mailed to the cardholder’sbegin delete or debit cardholder’send delete address last
21known to the card issuerbegin delete or debit card issuerend delete.
22(m) “Timely response” means a response that is mailed within
23two complete billing cycles, but in no event later than 90 days,
24after the card issuerbegin delete or debit card issuerend delete receives an inquiry.
25(n) “Billing error” means an error by omission or commission
26in (1) posting any debit or credit, or (2) in computation or similar
27error of an accounting nature contained in a statement given to the
28cardholderbegin delete or debit cardholderend delete by the card issuerbegin delete or debit card . A “billing error” does not mean any dispute with respect
29issuerend delete
30to value, quality, or quantity of goods, services, or
other benefit
31obtained through use of a credit cardbegin delete or debit cardend delete.
32(o) “Adequate notice” means a printed notice to a cardholder
33begin delete or debit cardholderend delete that sets forth the pertinent facts clearly and
34conspicuously so that a person against whom it is to operate could
35reasonably be expected to have noticed it and understood its
36meaning.
37(p) “Secured credit card” means any credit card issued under
38an agreement or other instrument that pledges, hypothecates, or
39places a lien on real property or money or other personal property
40to secure the cardholder’s obligations to the card issuer.
P6 1(q) “Student credit card” means any credit card that is provided
2to a student at a public or private college or university and is
3provided to that student solely based on his or her enrollment in a
4public or private university, or is provided to a student who would
5not otherwise qualify for that credit card on the basis of his or her
6income. A “student credit card” does not include a credit card
7issued to a student who has a cocardholder or cosigner who would
8otherwise qualify for a credit card other than a student credit card.
9(r) “Retail motor fuel dispenser” means a device that dispenses
10fuel that is used to power internal combustion engines, including
11motor vehicle engines, that processes the sale of fuel through a
12remote electronic payment system, and that is in a location where
13an employee or other agent of the seller is not
present.
14(s) “Retail motor fuel payment island automated cashier” means
15a remote electronic payment processing station that processes the
16retail sale of fuel that is used to power internal combustion engines,
17including motor vehicle engines, that is in a location where an
18employee or other agent of the seller is not present, and that is
19located in close proximity to a retail motor fuel dispenser.
Section 1747.08 of the Civil Code is amended to read:
(a) Except as provided in subdivision (c), no person,
22firm, partnership, association, or corporation that accepts credit
23cards or debit cards for the transaction of business shall do any of
24the following, whether in person or through an operator of a
25commercial Internet Web site or online service:
26(1) Request, or require as a condition to accepting the credit
27card or debit card as payment in full or in part for goods or services,
28the cardholder or debit cardholder to provide any personal
29identification information.
30(2) Request, or require as a condition to accepting the credit
31card or debit card as payment in full or in part for
goods or services,
32the cardholder or debit cardholder to provide personal identification
33information, which the person, firm, partnership, association, or
34corporation accepting the credit card or debit card collects, causes
35to be collected, or otherwise records upon the credit card or debit
36card transaction template or otherwise.
37(3) Utilize, in any credit card or debit card transaction, a credit
38 card or debit card template which contains spaces specifically
39designated for filling in any personal identification information of
40the cardholder or debit cardholder.
P7 1(b) For purposes of this section, the following terms have the
2following meanings:
3(1) “Personal identification information,” means information
4concerning
the cardholder or debit cardholder, other than
5information set forth on the credit card or debit card, and including,
6but not limited to, the cardholder’s or debit cardholder’s address
7and telephone number.
8(2) “Operator” means a person or entitybegin delete and any and all affiliated that
9corporate entitiesend deletebegin delete ownend deletebegin insert ownsend insert an Internet Web site or online
10service and that accepts a credit card or debit card for the
11transaction of business from a cardholder or debit cardholder
12residing in California.begin insert “Operator” does not mean the state, a
13
county, city, city and county, or any other public agency.end insert
14(c) Subdivision (a) does not apply in the following instances:
15(1) If the credit card or debit card is being used as a deposit to
16secure payment in the event of default, loss, damage, or other
17similar occurrencebegin insert, or as part of a layaway transactionend insert.
18(2) Cash advance transactions.
19(3) If any of the following applies:
20(A) The person, firm, partnership, association, or corporation
21accepting the credit card or debit card is contractually
obligated
22to provide personal identification information in order to complete
23the credit card or debit card transaction.
24(B) The person, firm, partnership, association, or corporation
25accepting the credit card or debit card in a sales transaction at a
26retail motor fuel dispenser or retail motor fuel payment island
27automated cashier uses the ZIP Code information solely for
28prevention of fraud, theft, or identity theft.
29(C) The person, firm, partnership, association, or corporation
30accepting the credit card or debit card is obligated to collect and
31record the personal identification information by federal or state
32law or regulation.
33(D) The person, firm, partnership, association, or corporation,
34including the operator of
a commercial Internet Web site or online
35service, accepting the credit card or debit card in a business
36transaction uses the personal identification informationbegin delete solelyend delete for
37thebegin insert detection, investigation, orend insert prevention of fraud, theft,begin delete orend delete identity
38begin delete theft. An operator of a commercial Web Site or online service begin insert
theft,
39accepting the credit card or debit card shall destroy or dispose of
40the personal identification information in a secure manner after it
P8 1is no longer needed for the prevention of fraud, theft, or identity
2theft. An operator of a commercial Web Site or online service may
3not share the personal identification information with any other
4operator of a commercial Internet Web site or online service.end delete
5criminal activity, or enforcement of terms of sale.end insert
6(E) The cardholder is advised, or it is apparent, that the
7provision of personal identification information is not a condition
8to accepting the credit card or debit card as payment in full or in
9part for goods or services and the cardholder has consented to
10the collection of the personal identification information.
11(4) If personal identification information is required for a special
12purpose incidental but related to the individual credit card or debit
13card transaction, including, but not limited to, information relating
14to shipping, delivery, servicing,begin insert sales
documentation,end insert or installation
15of the purchased merchandise, or for special orders.
16(d) This section does not prohibit any person, firm, partnership,
17association, or corporation from requiring the cardholder or debit
18cardholder, as a condition to accepting the credit card or debit card
19as payment in full or in part for goods or services, to provide
20reasonable forms of positive identification, which may include a
21driver’s license or a California state identification card, or where
22one of these is not available, another form of photo identification,
23provided that none of the information contained thereon is collected
24or recorded on the credit card or debit card transaction template
25or otherwise. If the cardholder or debit cardholder pays for the
26transaction with a credit card or debit card number and does not
27make
the credit card or debit card available upon request to verify
28the number, the cardholder’s or debit cardholder’s driver’s license
29number or identification card number may be recorded on the
30credit card or debit card transaction or otherwise.
31(e) This section does not prohibit any person, firm, partnership,
32association, or corporation, including the operator of a commercial
33Internet Web site or online service, from collectingbegin insert or usingend insert
34 personal identification information if the operatorbegin delete maintainsend deletebegin insert or its
35affiliated corporate entities maintainend insert an account associated with
36the credit cardholder or
debit cardholder and if the cardholder
37provides personal information as part ofbegin insert the establishment,
38updating, or maintenance ofend insert that account.
39(f) Any person who violates this section shall be subject to a
40civil penalty not to exceed two hundred fifty dollars ($250) for the
P9 1first violation and one thousand dollars ($1,000) for each
2subsequent violation, to be assessed and collected in a civil action
3brought by the person paying with a credit card or debit card, by
4the Attorney General, or by the district attorney or city attorney
5of the county or city in which the violation occurred. However,
6no civil penalty shall be assessed for a violation of this section if
7the defendant shows by a preponderance of the evidence that the
8violation was not
intentional and resulted from a bona fide error
9made notwithstanding the defendant’s maintenance of procedures
10reasonably adopted to avoid that error. When collected, the civil
11penalty shall be payable, as appropriate, to the person paying with
12a credit card or debit card who brought the action, or to the general
13fund of whichever governmental entity brought the action to assess
14the civil penalty.
15(g) The Attorney General, or any district attorney or city attorney
16within his or her respective jurisdiction, may bring an action in
17the superior court in the name of the people of the State of
18California to enjoin violation of subdivision (a) and, upon notice
19to the defendant of not less than five days, to temporarily restrain
20and enjoin the violation. If it appears to the satisfaction of the court
21that the defendant has, in fact, violated
subdivision (a), the court
22may issue an injunction restraining further violations, without
23requiring proof that any person has been damaged by the violation.
24In these proceedings, if the court finds that the defendant has
25violated subdivision (a), the court may direct the defendant to pay
26any or all costs incurred by the Attorney General, district attorney,
27or city attorney in seeking or obtaining injunctive relief pursuant
28to this subdivision.
29(h) Actions for collection of civil penalties under subdivision
30
(f) and for injunctive relief under subdivision (g) may be
31consolidated.
32(i) The changes made to this section by Chapter 458 of the
33Statutes of 1995 apply only to credit card transactions entered into
34on and after January 1, 1996. Nothing in those changes shall be
35construed to affect any civil action which was filed before January
361, 1996.
Section 1747.09 of the Civil Code is amended to read:
(a) Except as provided in this section, no person,
39firm, partnership, association, corporation, or limited liability
40company that accepts credit or debit cards for the transaction of
P10 1business shall display more than the last five digits of the credit
2or debit card account number or the expiration date upon any of
3the following:
4(1) Any receipt provided to the cardholder.
5(2) Any receipt retained by the person, firm, partnership,
6association, corporation, or limited liability company.
7(3) Any receipt retained by the person,
firm, partnership,
8association, corporation, or limited liability company that at the
9time of the purchase, exchange, refund, or return, is not signed by
10the cardholder, because the cardholder or debit cardholder used a
11personal identification number to complete the transaction.
12(b) This section shall apply only to receipts that include a credit
13or debit card account number that are electronically printed and
14shall not apply to transactions in which the sole means of recording
15the person’s credit or debit card account number is by handwriting
16or by an imprint or copy of the credit or debit card.
17(c) This section shall not apply to documents, other than the
18receipts described in paragraphs (1) to (3), inclusive, of subdivision
19(a), used for internal administrative purposes.
20(d) Paragraphs (2) and (3) of subdivision (a) shall become
21operative on January 1, 2009.
Section 1748.30 of the Civil Code is amended to read:
For purposes of this title, the following definitions
24shall apply:
25(a) “Accepted debit card” means any debit card which the debit
26cardholder has requested and received or has signed, or has used,
27or has authorized another person to use, for the purpose of
28obtaining money, property, labor, or services. Any debit card issued
29in renewal of, or in substitution for, an accepted debit card becomes
30an accepted debit card when received by the debit cardholder,
31whether the debit card is issued by the same or by a successor card
32issuer.
33(b) “Account” means a demand deposit (checking), savings, or
34other
consumer asset account, other than an occasional or incidental
35credit balance in a credit plan, established primarily for personal,
36family, or household purposes.
37(c) “Adequate notice” has the same meaning as found in
38subdivision (o) of Section 1747.02.
39(d) “Debit card” means an accepted debit card or other means
40of access to a debit cardholder’s account that may be used to initiate
P11 1electronic funds transfers and may be used without unique
2identifying information such as a personal identification number
3to initiate access to the debit cardholder’s account.
4(e) “Debit card issuer” means any person who issues a debit
5card or the agent of that person for that purpose.
6(f) “Debit cardholder” means a natural person to whom a debit
7card is issued.
8(g) “Unauthorized use” means the use of a debit card by a
9person, other than the debit cardholder, to initiate an electronic
10fund transfer from the debit cardholder’s account without actual
11authority to initiate the transfer and from which the debit cardholder
12receives no benefit. The term does not include an electronic fund
13transfer initiated in any of the following manners:
14(1) By a person who was furnished the debit card to the debit
15cardholder’s account by the debit cardholder, unless the debit
16cardholder has notified the debit card issuer that transfers by that
17person are no longer authorized.
18(2) With fraudulent intent by the debit
cardholder or any person
19acting in concert with the debit cardholder.
20(3) By the debit card issuer or its employee.
Section 99030 of the Education Code is amended to
23read:
The Regents of the University of California and the
25governing body of each accredited private or independent college
26or university in the state are requested to, and the Trustees of the
27California State University and the Board of Governors of the
28California Community Colleges shall, adopt policies to regulate
29the marketing practices used on campuses by credit card
30companies. In adopting the policies, it is the intent of the
31Legislature that those entities consider including all of the
32following requirements:
33(a) That sites at which student credit cards are marketed be
34registered with the campus administration and that consideration
35be given to limiting the
number of sites allowed on a campus.
36(b) That marketers of student credit cards be prohibited from
37offering gifts to students for filling out credit card applications.
38(c) That credit card and debt education and counseling sessions
39become a regular part of campus orientation of new students. For
40purposes of this section, colleges and universities shall utilize
P12 1existing debt education materials prepared by nonprofit entities
2and thus not incur the expense of preparing new materials.
3(d) For the purposes of this chapter, “student credit card” has
4the meaning set forth in subdivision (q) of Section 1747.02 of the
5Civil Code.
O
94