BILL ANALYSIS



                                                                  AB 844
                                                                  Page  1

          Date of Hearing:   April 22, 2013

                      ASSEMBLY COMMITTEE ON BANKING AND FINANCE
                               Roger Dickinson, Chair
                   AB 844 (Dickinson) - As Amended:  April 15, 2013
           
          SUBJECT  :   Credit and debit cards: transactions: personal  
          information. 

           SUMMARY  :   Permits the operator of a commercial Internet Web  
          site or online service that collects personal identifiable  
          information (PII) to request a credit cardholder or debit  
          cardholder to provide only the billing ZIP Code to complete the  
          online credit card or debit card transaction.    Specifically,  
           this bill  :  

          1)Requires that the ZIP Code is solely collected for the  
            prevention of fraud, theft, or identity theft, except under  
            specified circumstances. 

          2)Requires the operator to destroy or dispose of the ZIP Code in  
            a secure manner after it is no longer needed for the  
            prevention of fraud, theft, or identity theft.  

          3)Prohibits an operator of a commercial internet Web site or  
            online service accepting the credit card or debit card from  
            aggregating the ZIP Code with any other personal identifiable  
            information. 

          4)Prohibits an operator of a commercial internet Web site from  
            sharing the ZIP Code with any other operator.  

          5)Provides that the above requirements do not apply in the  
            following circumstances:

             a)   Instances in which the credit card or debit card is  
               being used as a deposit to secure payment in the event of  
               default, loss, damage, or other similar occurrence.

             b)   Cash advance transactions.

             c)    An operator of a commercial Internet Web site or online  
               service is contractually obligated to provide PII in order  
               to complete the credit card or debit card transaction.

             d)   An operator of a commercial Internet Web site or online  
               service is obligated to collect and record the PII by  
               federal or state law or regulation.

             e)   An operator of a commercial Internet Web site or online  
               service maintains a preexisting account associated with the  
               cardholder or debit cardholder where the cardholder or  
               debit cardholder has previously provided PII as part of the  
               creation of an account on the commercial Internet Web site  
               or online service.

             f)   Instances in which PII is required for a special purpose  
               incidental but related to the individual credit card or  
               debit card transaction, including, but not limited to,  
               information relating to shipping, delivery, servicing, or  
               installation of the purchased merchandise, or for special  
               orders.

          6)Defines "Personal identifiable information" as individually  
            identifiable information concerning a cardholder or debit  
            cardholder, other than information set forth on the credit  
            card or debit card, collected online by the operator from that  
            cardholder or debit cardholder, including, but not limited to,  
            the following:

             a)   Home or other physical address, including street name  
               and name of a city or town,

             b)   Email address,

             c)   Telephone number.

          7)Defines "Operator" as a person or entity and any and all  
            affiliated corporate entities that own an Internet Web site or  
            an online service that collects and maintains personal  
            identifiable information from a cardholder or debit cardholder  
            residing in California who uses or visits the Internet Web  
            site or online service if the Internet Web site or online  
            service is operated for commercial purposes.

          8)Extends the above provisions to debit cards.  

             a)   Defines "debit card" as an accepted debit card or other  
               means of access to a debit cardholder's account that may be  
               used to initiate electronic funds transfers and may be used  
               without unique identifying information such as personal  
               identification number to initiate access to the debit  
               cardholder's account.  

             b)   Defines "debit cardholder" as a natural person to whom a  
               debit card is issued.  

          9)Removes specific references to terms that could be inferred  
            as applying only to "brick and mortar" retailers.  

          10)Authorizes the assessment of civil penalties or an action for  
            injunctive relief, or both, for a violation of the provisions.  


           EXISTING LAW  

          1)Provides that under the Song-Beverly Credit Card Act of 1971  
            (Credit Card Act) (Civil Code Section 1747 et seq), no person,  
            firm, partnership, association or corporation that accepts  
            credit cards shall do any of the following:

             a)   Require, or request, as a condition of accepting the  
               credit card, the cardholder to write any PII upon the  
               credit card transaction form or other document. [Section  
               1747.08a(1)]

             b)   Require, or request, as a condition of  accepting the  
               credit card, the cardholder to provide personal  
               identification information which the entity accepting the  
               card would then write or record upon the credit transaction  
               form or otherwise. [Section 1747.08a(2)]

             c)   Utilize in any credit card transaction, a credit card  
               form that contains preprinted spaces for PII of the  
               cardholder. [Section 1747.08a(3)]

          2)Specifies that the prohibitions in a, b and c do not apply  
            under the following circumstances:

             a)   If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence. [Section 1747.08(1)]

             b)   Cash advance transactions. [Section 1747.08(2)]

             c)   If the entity requesting the information is  
               contractually obligated to provide the personal information  
               in order to complete the transaction, or is obligated to  
               collect and record the PII by federal law or regulation.   
               [Section 1747.08(3)]

             d)   If the entity accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for the prevention of fraud, theft,  
               or identity theft.  [Section 1747.08 (3)]

             e)   If PII is required for a special purpose incidental but  
               related to the individual credit card transaction,  
               including but not limited to, information relating to  
               shipping, delivery, servicing, or installation of the  
               purchased merchandise, or for special orders. [Section  
               1747.08(4)]

          3)Clarifies that the prohibitions on collecting PII relating to  
            the credit card transaction do not prohibit a requirement  
            that the cardholder provide reasonable forms of positive  
            identification, including a driver's license or California  
            State identification card, or another form of identification.   
            [Section 1747.08(4)d]

          4)Specifies that if the cardholder pays for the transaction with  
            a credit card number and does not make the credit card  
            available upon request to verify the number, the cardholder's  
            driver's license number or identification card number may be  
            recorded on the credit card transaction form.  [1747.08(4)d].

          5)Defines "personal identification information" (PII) as  
            information concerning the cardholder, other than information  
            set forth on the credit card, and including but not limited  
            to, the cardholder's address and telephone number.  [Section  
            1747.08(3)b]

          6)Defines "debit card" and "debit cardholder" as defined in this  
            measure.  [Civil Code, Section 1748.30]

           FISCAL EFFECT  :   Unknown.

           COMMENTS  :   

          AB 844 is a response to the California Supreme Court's decision  
          in Apple v Superior Court of Los Angeles County (Krescent)  
          S199384 (February 4, 2013).  In Apple, the California Supreme  
          Court opined that the state's statutory protection against the  
          collection of PII when making credit card purchases does not  
          apply to online retailers of electronically downloadable  
          products.  The Apple decision highlights the need for California  
          privacy law to be updated from the "brick and mortar" world to  
          an online world.

          The underlying statute, the Song Beverly Credit Card Act passed  
          in 1990, generally prohibits businesses from requesting or  
          requiring consumers to provide unnecessary PII during a credit  
          card transaction.  However, the Apple Court found, in essence,  
          that the statute and its anti-fraud provisions had been designed  
          for "brick and mortar" transactions that pre-dated the Internet  
          era and the explosion of e-commerce, and that online retailers  
          of electronically downloadable products were therefore outside  
          of the intended scope of the law. 

          The Court also recognized the problem of new technologies  
          outpacing existing laws, and the majority opinion explicitly  
          invited the state Legislature to revisit the matter, and update  
          its consumer protection laws accordingly should it so desire.   
          AB 844 provides that an operator of a commercial Internet  
          Website or online service can collect only the ZIP code for a  
          credit card or debit card transaction if it is used for the  
          prevention of fraud, theft or identity theft.  The concern  
          raised by the recent court decision is that online retailers  
          would have an unlimited ability to ask consumers for any amount  
          of personal information when making an online transaction.  As  
          a result of the decision, online merchants selling digital  
          goods no longer need to worry about the Song-Beverly Act.  AB  
          844 attempts to limit this abuse by providing that the online  
          retailer can collect only the ZIP Code unless more information  
          is allowed under the exemptions provided in the bill.  

          To be clear, those exemptions in the bill where more than a  
          billing ZIP Code would be allowed are:

          1)Instances when the card is being used as a deposit to secure  
            payment in the event of default, loss, damage, or other  
            similar occurrences.

          2)Cash advance transactions.

          3)The online retailer is contractually obligated to provide  
            personal identifiable information in order to complete the  
            card transactions. 

          4)Federal or state law or regulation requires information to be  
            collected by the operator.  

          5)An operator maintains a preexisting account associated with  
            the cardholder where the cardholder has previously provided  
            personal identifiable information as part of the account.  

          6)If personal identifiable information is needed for shipping,  
            delivery, servicing, or installation of the purchased  
            merchandise.  

          In response to the Court case, AB 844 attempts to strike a  
          balance between protecting consumers' privacy while also  
          allowing online retailers to collect the necessary information  
          to complete the transaction.  

           BACKGROUND:
           
           Song-Beverly Credit Card Act of 1971  : Under state law, a person  
          who accepts a credit card for payment shall not record the  
          consumer's PII on the credit card transaction form, except as  
          specified. Originally enacted in 1971, the Song-Beverly Credit  
          Card Act regulates the issuance and use of credit cards and the  
          respective rights and responsibilities of cardholders and  
          retailers. Section 1747.08 of the Act, in particular, seeks to  
          protect a consumer's privacy and to address "the misuse of  
          personal identification information for, inter alia, marketing  
          purposes."  Specifically, the Act prohibits a retailer from  
          requesting, as a condition of acceptance of a credit card, that  
          the cardholder provide the retailer with PII, which is defined  
          to mean any information about the cardholder that does not  
          appear on the card, including, but not limited to, the  
          cardholder's name and address. 

          Existing law carves out reasonable exceptions to this general  
          rule, including where the business is contractually or legally  
          required to collect the information, or where the business needs  
          the information to perform some "special purpose," such as  
          shipping, installing, or servicing a purchased item. A business  
          that accepts credit cards is also permitted to require the  
          cardholder, as a condition to accepting the card as payment, to  
          provide reasonable forms of identification, such as a driver's  
          license. AB 1219 (2012 legislative year) created another  
          limited exception: in order to prevent fraud, a business that  
          sells fuel may ask the purchaser to provide a zip code in order  
          to process a fuel purchase at an automated fuel dispenser  
          island.  A person or business that violates the Act is subject  
          to civil penalties, which may be assessed in a civil action by  
          an affected cardholder, or in an action brought by the Attorney  
          General or a district or city attorney. 

           "Personal Identification Information" Under Song-Beverly-Pineda  :  
          In 2011 the California Supreme Court confronted the question of  
          what constitutes "personal identification information" under the  
          Song-Beverly Credit Card Act and, more specifically, whether a  
          person's zip code - with nothing else - constitutes an  
          "address." (Pineda v. Williams-Sonoma Stores, Inc. (2011) 51  
          Cal.4th 524.) In Pineda, a customer sued a retailer claiming  
          that it had violated the provisions of the Song-Beverly Act when  
          a store clerk asked the customer for a zip code during the  
          credit card transaction, and then recorded that zip code along  
          with the customer's name and credit card number. The customer  
          subsequently learned that the retailer used this information to  
          do a "reverse search" to locate the customer's home address. The  
          retailer then kept the customer's information in a database  
          that it used for marketing purposes. The customer filed the  
          matter as a putative class action, alleging invasion of privacy,  
          unfair competition, and violation of the Song-Beverly Act. Both  
          the trial court and the Court of Appeal sided with the retailer,  
          finding that a zip code, without any other component of the  
          address, was too general to be considered "personal  
          identification information." However, the California Supreme  
          Court reversed, holding, unanimously, that the word "address" in  
          the statute means either a complete address or any portion of an  
          address, and that a zip code is "readily understood to be part  
          of an address." 

           The Recent Apple Case - Online Businesses Held Not to Be Covered  
          by Song-Beverly:  A bare majority of four justices held that the  
          Act did not apply to online businesses. The majority opinion  
          conceded that the statute does not make any express exception  
          for online business transactions - applying as it does to any  
          person, firm, etc. that accepts credit cards.  However, the  
          court concluded that both the legislative history and the  
          overall statutory framework strongly suggest that the statute  
          was only meant to apply to in-person transactions at brick and  
          mortar businesses; online purchasers were not contemplated, as  
          it was crafted prior to the explosion of online commerce. 

          In support of this conclusion, the Court made the following  
          points: 

           When the statute was originally enacted in 1971 the Internet  
            did not exist, and even at the time of the most recent  
            amendment - 1991 - online commercial sales were virtually  
            non-existent and certainly not widespread, suggesting that the  
            original intent of the legislature concerned in-person brick  
            and mortar transactions. 

           In order to prevent fraud, the statute permits a business to  
            require the customer to present a form of identification, such  
            as a driver's license or other photo ID, so long as none of  
            the information is written down or recorded. This provision,  
            the court reasoned, showed that the overall framework did not  
            contemplate online transactions, for an online business would  
            not be able to request a photo ID for purposes of fraud  
            prevention. 
           
          CALIFORNIA'S RIGHT TO PRIVACY  :

          The California Constitution expressly protects an individual's  
          right to privacy. Added to the California Constitution in 1972  
          when voters adopted Proposition 11, the California privacy  
          provision protects an individual's right to privacy from both  
          governmental and private actors. 

          The California Supreme Court has held that the privacy provision  
          in the California Constitution "creates a legal and enforceable  
          right of privacy for every Californian." (White v. Davis (1975)  
          13 Cal. 3d 757, 775.) Despite this express protection, however,  
          just what is included in the state's constitutional right of  
          privacy has necessarily been developed in a body of case law.  
          These cases tend to be very fact-specific. As a general rule,  
          however, in order to maintain a claim for infringement of one's  
          right of privacy under the California Constitution, the  
          plaintiff must (1) identify a legally protected privacy  
          interest; (2) establish that he or she had a "reasonable  
          expectation of privacy" under the circumstances; and (3) that  
          the defendant's conduct constituted a "serious" invasion of  
          privacy. If a plaintiff establishes all three of these elements,  
          the defendant may still show the invasion of privacy was  
          justified if it furthers a legitimate and competing interest.  
          Specifically, the California Supreme Court has held that an  
          "invasion of a privacy interest is not a violation of the state  
          constitutional right to privacy if the invasion is justified by  
          a competing interest." 

          SUGGESTED AMENDMENTS:

           The author is actively considering changes proposed by  
          the opposition but not all the issues have been resolved, to  
          date.  The author has committed to continue to work with the  
          opposition.  The clarification below reflects taking at least  
          one concern from the opposition and ensuring the measure is not  
          intended to capture consumer online accounts.  

          The amendments clarify that should a consumer create an account  
          and opt in to save this information on an Internet Web site,  
          then the ZIP Code-only provisions would not apply to this  
          information. 

          On Page 9, line 20, delete "a preexisting" and insert, "an"
          On Page 9, line 22, delete, "has previously provided" and insert  
          "provides"
          On Page 9, line 23, delete, "creation of an"
           
          RELATED LEGISLATION  :

          SB 383 (Jackson, 2013 Legislative Year) authorizes a person or  
          entity that accepts credit cards in an online transaction  
          involving an electronically downloadable product, to require a  
          cardholder, as a condition to accepting a credit card as payment  
          in full or in part for goods or services, to provide the billing  
          ZIP Code and street address number associated with the credit  
          card, if used solely for the prevention of fraud, theft, or  
          identity theft.  The bill would require that person or entity to  
          destroy or dispose of the ZIP Code and street address number  
          information in a secure manner after it is no longer needed for  
          the prevention of fraud, theft, or identity theft.  The bill  
          would further prohibit that person or entity from aggregating  
          the ZIP Code and street address number information with any  
          other personal identification information, and from sharing the  
          ZIP Code.  Currently in Senate Judiciary.  

           PREVIOUS LEGISLATION: 
           
          AB 1219 (Perea, Chapter 690, Statutes of 2011) provided  
          clarification for those instances when an entity that accepts  
          credit cards may not request certain types of PII to complete  
          the transaction.   Created an express exemption from the  
          prohibition against the collection and retention of zip code  
          information when the zip code is used solely for prevention of  
          fraud, theft, or identity theft in a sales transaction at a  
          retail motor fuel dispenser or retail motor fuel payment island  
          automated cashier.

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          Consumer Attorneys of California

           Opposition 
           
          California Bankers Association (CBA)
          California Cable and Telecommunications Association
          California Chamber of Commerce
          California Grocers Association
          California Land Title Association
          California Manufacturers and Technology Association
          California Retailers Association
          California Travel Association
          Direct Marketing Association
          Internet Alliance
          Personal Insurance Federation of California
          State Privacy and Security Coalition, Inc.
          TechAmerica
           
          Analysis Prepared by  :    Kathleen O'Malley / B. & F. / (916) 319-3081