BILL ANALYSIS
AB 844 Page 1

Date of Hearing: April 30, 2013

ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 844 (Dickinson) - As Amended: April 24, 2013
As Proposed to be Amended

SUBJECT : Debit and Credit Cards: Personal Information

KEY ISSUES :
1) Should the provisions of the Song-Beverly Credit Card Act that prohibit a business from requiring a consumer to provide personal information as a condition of accepting a credit card be extended to online transactions?
2) Should the same provisions of the Song-Beverly Credit Card Act be extended to debit card transactions?

FISCAL EFFECT : As currently in print this bill is keyed fiscal.

SYNOPSIS

Among other things, the Song-Beverly Credit Card Act prohibits a business from requesting and recording a customer's personal information as a condition of accepting a credit card, subject to such exceptions as are necessary to complete the transaction. The Act allows the business to require production of photo identification for purposes of verification, so long as none of the information on the identification is recorded. These provisions seek to protect the consumer from unnecessary disclosure of the kinds of personal information that might lead to identity theft. Reflecting the era of its initial enactment (1971), Song-Beverly presumed a "brick and mortar" world with face-to-face transactions, as is evidenced by the provision permitting the business to request photo identification. Earlier this year, the California Supreme Court considered whether these provisions of Song-Beverly apply to purchases that are made with a credit card online. The Court concluded that they did not; so there is virtually no limitation on the kinds of personal information that an online retailer can require and record. The Court did, however, note that it was up to the Legislature to decide if the emergence of new technologies requires updating the Song-Beverly Act.
Taking its cue from the Court, this bill would extend the Act to cover online transactions, but at the same time permit an online business to require reasonably sufficient information to prevent fraud, theft, or identity theft. In addition, this bill would extend Song-Beverly to debit card transactions, since debit cards are increasingly used to purchase goods in the same way that credit cards are used, both online and elsewhere. This bill is supported by the Consumer Attorneys of California. It is opposed by the Chamber of Commerce and other business, financial, technology, and trade associations. The bill recently passed out of the Assembly Banking and Finance Committee on an 8-3 vote.

SUMMARY : Extends certain restrictions of the Song-Beverly Act to include both credit cards and debit cards, and also extends the Act to cover online retailers that accept credit cards or debit cards for payment of online purchases, subject to certain exceptions. Specifically, this bill :

1) Prohibits the operator of a commercial Internet Web site or online service (operator), that accepts credit cards or debit cards for the transaction of business, from doing any of the following:
   a) Request, or require as a condition to accepting the credit card or debit card as payment for goods or services, that the cardholder write any personal identification information (PII) upon the credit card form or otherwise.
   b) Request, or require as a condition of accepting the credit card or debit card as payment for goods or services, that the cardholder provide PII, which the operator accepting the card collects, causes to be collected, or otherwise records upon a transaction template or otherwise.
   c) Use, in any credit or debit transaction, a transaction template that contains spaces specifically designated for filling in any PII of the cardholder.
2) Provides that the above requirements do not apply in the following circumstances:
   a) Instances in which the credit card or debit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence.
   b) Cash advance transactions.
   c) An operator is contractually obligated to provide PII in order to complete the credit card or debit card transaction.
   d) An operator is obligated to collect and record the PII by federal or state law or regulation.
   e) An operator uses the PII solely for the prevention of fraud, theft, or identity theft, destroys or securely disposes of the PII after it is no longer needed for the prevention of fraud, theft, or identity theft, and does not share the PII with any other operator.
3) Permits the operator of a commercial Internet Web site or online service to collect personal identification information if the operator maintains an account associated with the credit cardholder or debit cardholder and where the cardholder provides personal information as part of that account.
4) Defines "personal identification information" to mean information concerning the cardholder, other than information set forth on the card, and including, but not limited to, the cardholder's address and telephone number.
5) Defines "operator" to mean a person or entity and any and all affiliated corporate entities that own an Internet Web site or an online service and accepts a credit card or debit card for the transaction of business from a cardholder residing in California.
6) Defines "debit card" as an accepted debit card or other means of access to a debit cardholder's account that may be used to initiate electronic funds transfers and may be used without unique identifying information to initiate access to the debit cardholder's account. Defines "debit cardholder" as a natural person to whom a debit card is issued.
7) Makes any person who violates this section subject to a civil penalty not to exceed $250 for the first offense and not to exceed $1000 for each subsequent violation, to be assessed and collected in an action brought by the cardholder, or by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred, and permits the Attorney General, or any district attorney or city attorney, to bring an action for injunctive relief, as specified.

EXISTING LAW :

1) Provides that no person or entity that accepts credit cards for the transaction of business shall do any of the following:
   a) Request, or require as a condition to accepting the credit card as payment for goods or services, that the cardholder write any personal identification information on the credit card transaction form or otherwise.
   b) Request, or require as a condition of accepting the credit card as payment for goods or services, that the cardholder provide personal identification information, which the person or entity accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
   c) Use a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.
   (Civil Code Section 1747.08 (a).)
2) Provides that the above restrictions do not apply in the following instances:
   a) If the credit card is being used as deposit to secure payment in the event of default, loss, damages, or similar occurrence.
   b) Cash advance transactions.
   c) If the person or entity accepting the credit card is contractually obligated to provide personal identification information in order to complete the credit card transaction or is obligated to collect the personal identification information by a federal law or regulation.
   d) If the personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.
   e) If the entity accepting the credit card in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier uses the ZIP Code information solely for the prevention of fraud, theft, or identity theft.
   (Civil Code Section 1747.08 (c).)
3) Specifies that the above provisions do not prohibit a person or business from requiring a cardholder, as a condition of accepting the card, to provide reasonable forms of positive identification, such as a driver's license or other photo identification, provided that none of the information recorded thereon is written or recorded on the credit card transaction form or otherwise. Provides that if the cardholder does make the credit card available upon request to verify the number, the cardholder's driver's license or identification card number may be recorded on the credit card transaction form or otherwise. (Civil Code Section 1747.08 (d).)
4) Defines "personal identification information" to mean information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number. (Civil Code Section 1747.08 (b).)
5) Makes any person who violates this section subject to a civil penalty not to exceed $250 for the first offense and not to exceed $1000 for each subsequent violation, to be assessed and collected in an action brought by the cardholder, or by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred, and permits the Attorney General, or any district attorney or city attorney, to bring an action for injunctive relief, as specified. (Civil Code Section 1747.08 (e)-(g).)

COMMENTS : Originally enacted in 1971, the Song-Beverly Credit Card Act (Civil Code Section 1747.01 et seq.) regulates the issuance and use of credit cards and the respective rights and responsibilities of cardholders and retailers. Most notably for purposes of this bill, the Act prohibits a retailer from requiring, or requesting as a condition of acceptance of a credit card, that the cardholder provide the retailer with "personal identification information," which is defined to mean any information about the cardholder that does not appear on the card, including, but not limited to, the cardholder's name and address. Existing law carves out many exceptions to this general rule, including where the business is contractually or legally obligated to collect the information, or where the business needs the information to perform some "special purpose," such as shipping, installing, or servicing a purchased item. A business that accepts credit cards is also permitted to require the cardholder, as a condition to accepting the card as payment, to provide reasonable forms of identification, such as a driver's license. A person or business that violates these provisions is subject to civil penalties, which may be assessed in a civil action by an affected cardholder, or in an action brought by the Attorney General or a district or city attorney.
Civil penalties may not exceed $250 for a first offense and $1000 for each subsequent offense. The purpose of the Act is to protect a consumer's privacy and to address "the misuse of personal identification information for, inter alia, marketing purposes." (Absher v. Autozone, Inc. (2008) 164 Cal. App. 4th 332, 345.) The exemptions in the Act recognize instances in which a business may have a legitimate interest in requiring personal identification information.

The Apple Decision : Earlier this year the California Supreme Court considered whether the provisions of the Song-Beverly Act applied to online businesses. (Apple v. Superior Court of Los Angeles (Krescent).) A bare majority of four justices held that they did not. The majority opinion conceded that the statute does not make any express exception for online business transactions - applying as it does to any person, firm, etc. that accepts credit cards. However, the court concluded that both the legislative history and the overall statutory framework strongly suggest that the statute was only meant to apply to in-person transactions at "brick and mortar" businesses; online purchasers were not, according to the slim majority, contemplated by the Act. In support of this conclusion, the Court made the following points:

When the statute was originally enacted in 1971 the Internet did not exist, and even at the time of the most recent amendment - 1991 - online commercial sales were virtually non-existent and certainly not widespread, suggesting that the original intent of the legislation concerned in-person brick and mortar transactions.

In order to prevent fraud, the statute permits a business to require the customer to present a form of identification, such as a driver's license or other photo ID, so long as none of the information is written down or recorded.
This provision, the Court reasoned, showed that the overall framework did not contemplate online transactions, for an online business would not be able to request a photo ID for purposes of fraud prevention.

The California Online Privacy Protection Act (Cal OPPA, B&P Section 22575 et seq.), which expressly regulates commercial websites and online services, clearly anticipates that online businesses can and do collect personal information. Cal OPPA, rather than Song-Beverly, the Court suggested, regulated the data collection practices of online businesses.

The Apple Court found, in short, that the statute and its anti-fraud provisions had been designed for "brick and mortar" transactions that pre-dated the Internet era and the explosion of e-commerce, and that online retailers of electronically downloadable products were therefore outside of the intended scope of the law. Of course, the Court also recognized that new technologies can outpace existing laws, and both the majority and dissenting opinions effectively invited the Legislature to revisit the matter and update its consumer protection laws accordingly should it so desire.

This bill takes up the Court's challenge. It expressly applies the Song-Beverly Act to online transactions, while at the same time recognizing, as did the California Supreme Court, that the lack of face-to-face interaction in an online transaction requires an exemption to the general rule against collecting any kind of personal information. This bill therefore (recognizing that an online business cannot ask the consumer for a photo to verify identity) would permit the online business to request PII, but only for the limited purpose of preventing fraud, theft, or identity theft, and only if the online business destroyed or securely disposed of the PII when it was no longer needed for this limited purpose. In other words, under this bill an online business could not collect the information for marketing purposes.
It should be noted, too, that the online businesses would be entitled to the same exemptions that apply to existing brick and mortar businesses: for example, for cash advance transactions; where the business is obligated to collect the PII by contract or by state or federal law; where the PII is required for an incidental purpose, such as shipping, delivering, servicing, or installing the purchased merchandise.

Logical Extension to Debit Cards : In addition to extending the Song-Beverly Act to online business transactions, this measure would also logically extend Song-Beverly to debit cards as well as credit cards. At the time that Song-Beverly was enacted, debit cards, to the extent that they existed at all, were limited to use at automated teller machines to draw money from a bank account. However, in recent years, debit cards have become the functional equivalent of credit cards, containing credit card company logos and often are used to purchase goods without need of entering a PIN number. Given that these similar uses create similar security concerns, the author and supporters believe that this measure is an appropriate and logical extension of Song-Beverly.

On the other hand, the opponents, especially the California Bankers Association (CBA), argue that while the uses may superficially appear to be the same, credit cards and debit cards actually serve quite different functions. Credit cards give a person access to credit, while a debit card gives a person access to an already existing bank account. While these, to be sure, are important differences, it is not entirely clear why these differences should matter to either the online retailer or the consumer for the purposes of this bill. Whether a consumer is technically accessing credit, or accessing a bank account, he or she is still making a purchase and the online retailer still has the same need to verify that the card, whether credit or debit, belongs to the person making the purchase.
CBA also points out that, under existing law, debit and credit cards are regulated under different statutes. Again, this is true enough; but it is not uncommon that a particular financial activity is affected by more than one statute, or that a single statute may regulate more than one financial activity. From the author's point of view, it makes sense to regulate credit cards and debit cards under a single statutory provision to the extent that both can be used in more or less the same manner to make the same online purchase.

PROPOSED AUTHOR AMENDMENTS : As currently in print, this bill would have permitted an online business to request only a ZIP code as a means of verification. This approach was recently used in AB 1219 (Chapter 690, Statutes of 2011), an amendment to the Song-Beverly Act that permitted the operator of an automated fueling station to require the consumer to enter a ZIP code if a credit card were used to purchase fuel. As with online purchases, the now pervasive automated fuel stations present a problem akin to online transactions: that is, there is no face-to-face interaction such that a clerk or attendant can ask for photo identification in order to verify that the person making the purchase is the authorized cardholder. However, the author, after discussions with various stakeholders, agreed that online businesses may sometimes need more than a ZIP code in order to adequately prevent fraud, theft, or identity theft. After all, a ZIP code may be more easily obtained or inferred by a thief than other kinds of personal information. Therefore, the section permitting the collection of ZIP codes - modeled in principle after the AB 1219 approach - will be deleted by the author amendments adopted in Committee today.
In lieu of that, an online business will be permitted to request whatever PII is necessary - which may be a ZIP code or something else - so long as the online business destroys or securely disposes of the PII after it is no longer needed for the prevention of fraud, theft, or identity theft. In order to effectuate this change, the author will take the following amendments in this Committee:

- On page 6 line 7 after "following" insert: ,whether in person or through an operator of a commercial Internet Web site or online service
- On page 6 line 23 after (b) insert: (1)
- On page 6 after line 27 insert: (2) "Operator" means a person or entity and any and all affiliated corporate entities that own an Internet Web site or an online service and that accept credit cards or debit cards for the transaction of business from a credit card holder or debit card holder residing in California.
- On page 7 after line 6 insert: The person, firm, partnership, association, or corporation, including the operator of a commercial Internet Web site or online service, accepting the credit card or debit card in a sales transaction uses the personal identification information solely for the prevention of fraud, theft, or identity theft. An operator of a commercial Web Site or online service accepting the credit card or debit card shall destroy or dispose of the personal identification information in a secure manner after it is no longer needed for the prevention of fraud, theft, or identity theft. An operator of a commercial Web Site or online service may not share the personal identification information with any other operator of a commercial Internet Web site or online service.
- On page 7 after line 26 insert: (e) This section does not prohibit any person, firm, partnership, association, or corporation, including the operator of a commercial Internet Web site or online service, from collecting personal identification information if the operator maintains an account associated with the credit cardholder or debit cardholder and where the cardholder provides personal information as part of that account.
- From page 7 line 27 through page 8 line 24 change subdivisions (e), (f), (g), and (h) to (f), (g), (h), and (i), respectively.
- Delete SEC. 3 of the bill in its entirety, from line 25 of page 8 through line 40 of page 10.

ARGUMENTS IN SUPPORT : According to the author, "AB 844 increases consumer privacy while also ensuring appropriate fraud and identity theft protection." The author argues that in the Apple decision [see above] the Court pointed out that the Song-Beverly Credit Card Act had "not kept pace with emerging technologies." The author believes that this measure "attempts to find the right balance between protecting merchants from losing money to fraud and shielding shoppers from unnecessary intrusions into their privacy."

The Consumer Attorneys of California (CAOC) believes that the California Supreme Court's Apple decision, holding that the Song-Beverly Act did not apply to online transactions, was "wrongly decided, and its effect is to allow online retailers to continue to require consumers to provide personal data, such as home addresses and/or phone numbers, to verify their credit cards when purchasing products online." CAOC believes that this measure is a proper response to the Apple decision and that it will provide consumers with greater protection against identity theft and financial fraud.
ARGUMENTS IN OPPOSITION : The California Chamber of Commerce and a coalition of business, technology, and trade associations argue that this measure will "prohibit the operators of a commercial Internet Web Site or Online Service that collects personally identifiable information from requiring a credit cardholder or debit cardholder to provide any information other than a ZIP code to complete the internet credit card or debit card transaction except under specified circumstances." [NOTE: The bill does not apply to businesses that "collect personally identifiable information;" it applies to any business that accepts a credit card or debit card for a business transaction and limits their ability to collect personal identification information. In addition, the section that limits the business to collecting only a ZIP code, as discussed above, will be amended out in this Committee.]

The opposition coalition also contends that this bill will make it more difficult for online business to prevent fraud and identity theft, especially given that, unlike traditional retail settings, the online transaction lacks the face-to-face human interaction that could verify the physical presence of a card and the identification of the person submitting it. Opponents also argue that fraud prevention in the online world is based on a variety of factors, so that a "one-size-fits-all limitation of what information is appropriate for fraud prevention purposes cannot accommodate these critical considerations that can vary from company to company."

The California Bankers Association (CBA) opposes this bill for many of the same reasons noted above, but CBA focuses primarily on the alleged confusion that will arise from extending Song-Beverly from credit cards to debit cards.
Song-Beverly was enacted, according to CBA, not only to protect consumer privacy, but also to protect consumers from liability for fraudulent transactions, billing errors, and unlawful surcharges, among other things. However, debit card protections, the CBA points out, "are established in a different title separate from Song-Beverly. By adding debit cards into Song-Beverly, the bill creates compliance confusion for debit card issuers." CBA also stresses that "[c]redit cards and debit cards are different payment interests." Credit cards extend credit, "whereas debit cards are access devices for transaction accounts." For this reason and others, CBA contends, credit cards and debit cards are also governed differently under federal law. "Extending Song-Beverly provisions to debit cards," CBA concludes, "may create conflicting compliance issues." CBA notes other problems with the bill as well, including its failure to adequately account for situations in which the consumer has an established relationship with the business and the extension of the Act to affiliates of the online business. Finally, CBA opposes the provisions relating to providing only ZIP codes, but those concerns are presumably no longer relevant in light of the amendments that will be adopted today.

RELATED LEGISLATION : SB 383 (Jackson, 2013 session) authorizes a person or entity that accepts credit cards in an online transaction involving an electronically downloadable product, to require a cardholder, as a condition to accepting a credit card as payment in full or in part for goods or services, to provide the billing ZIP Code and street address number associated with the credit card, if used solely for the prevention of fraud, theft, or identity theft.
The bill would require that person or entity to destroy or dispose of the ZIP Code and street address number information, as specified, and prohibit that person or entity from aggregating the ZIP Code and street address number information with any other PII or from sharing the ZIP Code.

PREVIOUS LEGISLATION : AB 1219 (Perea, Chapter 690, Statutes of 2011) clarified when an entity that accepts credit cards may or may not request certain types of PII to complete a transaction. The legislation also created an express exemption allowing collection of a ZIP code only where a consumer is purchasing fuel at an automated fueling station.

REGISTERED SUPPORT / OPPOSITION :

Support

Consumer Attorneys of California

Opposition (prior to proposed amendments)

California Bankers Association (CBA)
California Cable and Telecommunications Association
California Chamber of Commerce
California Grocers Association
California Land Title Association
California Manufacturers and Technology Association
California Retailers Association
California Travel Association
Direct Marketing Association
Internet Alliance
Personal Insurance Federation of California
State Privacy and Security Coalition, Inc.
TechAmerica

Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334