BILL ANALYSIS
AB 844
Page 1
ASSEMBLY THIRD READING
AB 844 (Dickinson)
As Amended May 28, 2013
Majority vote
BANKING & FINANCE 8-3
Ayes: Dickinson, Blumenfield, Bonta, Chau, Gatto, Perea, Torres, Weber
Nays: Morrell, Mansoor, Linder
JUDICIARY 7-3
Ayes: Wieckowski, Alejo, Chau, Dickinson, Garcia, Muratsuchi, Stone
Nays: Wagner, Gorell, Maienschein
APPROPRIATIONS 9-5
Ayes: Gatto, Bocanegra, Bradford, Ian Calderon, Gomez, Hall, Ammiano, Quirk, Weber
Nays: Harkey, Bigelow, Donnelly, Linder, Wagner
SUMMARY : Provides that a person, firm, partnership,
association, corporation or operator of a commercial Internet
Web site or online service that accepts credit cards or debit
cards for the transaction of business shall not request or
require the cardholder to provide any personal identifiable
information (PII) as a condition of the transaction.
Specifically, this bill :
1)Specifies that the above requirements do not apply in the
following circumstances:
a) The PII is needed for detection, investigation or
prevention of fraud, theft, criminal activity, or
enforcement of terms of sale;
b) Instances in which the credit card or debit card is
being used as a deposit to secure payment in the event of
default, loss, damage, or other similar occurrence;
c) Cash advance transactions;
d) Layaway transactions;
e) An operator of a commercial Internet Web site or online
service is contractually obligated to provide PII in order
to complete the credit card or debit card transaction;
f) An operator of a commercial Internet Web site or online
service is obligated to collect and record the PII by
federal or state law or regulation;
g) An operator or its affiliated entities of a commercial
Internet Web site or online service maintains a preexisting
account associated with the cardholder or debit cardholder
where the cardholder or debit cardholder has previously
provided PII as part of the establishment, updating or
maintenance of an account on the commercial Internet Web
site or online service;
h) Instances in which PII is required for a special purpose
incidental but related to the individual credit card or
debit card transaction, including, but not limited to,
information relating to shipping, delivery, servicing, or
installation of the purchased merchandise, or for special
orders; or,
i) The cardholder is advised, or it is apparent, that the
provision of the personal identification information is
not a condition to accepting the credit card or debit card
as a payment in full or in part for goods or services and
the cardholder has consented to the collection of the PII.
2)Defines "Personal identifiable information" as individually
identifiable information concerning a cardholder or debit
cardholder, other than information set forth on the credit
card or debit card, collected online by the operator from that
cardholder or debit cardholder, including, but not limited to,
the following:
a) Home or other physical address, including street name
and name of a city or town;
b) Email address; or,
c) Telephone number.
3)Defines "Operator" as a person or entity that owns an Internet
Web site or an online service that collects and maintains
personal identifiable information from a cardholder or debit
cardholder residing in California who uses or visits the
Internet Web site or online service if the Internet Web site
or online service is operated for commercial purposes. This
excludes the state of California, a county, city, city and
county or any other public entity.
4)Extends the above provisions to debit cards.
EXISTING LAW :
1)Provides that under the Song-Beverly Credit Card Act of 1971
(Credit Card Act) (Civil Code Section 1747 et seq.), no
person, firm, partnership, association or corporation that
accepts credit cards shall do any of the following:
a) Require, or request, as condition of accepting the
credit card, the cardholder to write any PII upon the
credit card transaction form or other document; [Section
1747.08a(1)]
b) Require, or request, as a condition of accepting the
credit card, the cardholder to provide personal
identification information which the entity accepting the
card would then write or record upon the credit transaction
form or otherwise; or, [Section 1747.08a(2)]
c) Utilize in any credit card transaction, a credit card
form that contains preprinted spaces for PII of the
cardholder. [Section 1747.08a(3)]
2)Specifies that the prohibitions in a), b), and c) do not apply
under the following circumstances:
a) If the credit card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrence; [Section 1747.08(1)]
b) Cash advance transactions; [Section 1747.08(2)]
c) If the entity requesting the information is
contractually obligated to provide the personal information
in order to complete the transaction, or is obligated to
collect and record the PII by federal law or regulation;
[Section 1747.08(3)]
d) If the entity accepting the credit card in a sales
transaction at a retail motor fuel dispenser or retail
motor fuel payment island automated cashier uses the ZIP
code information solely for the prevention of fraud, theft,
or identity theft; or [Section 1747.08 (3)]
e) If PII is required for a special purpose incidental but
related to the individual credit card transaction,
including but not limited to, information relating to
shipping, delivery, servicing, or installation of the
purchased merchandise, or for special orders. [Section
1747.08(4)]
3)Clarifies that the prohibitions on collecting PII relating to
the credit card transaction do not prohibit a requirement
that the cardholder provide reasonable forms of positive
identification, including a driver's license or California
State identification card, or another form of identification.
[Section 1747.08(4)d]
4)Specifies that if the cardholder pays for the transaction with
a credit card number and does not make the credit card
available upon request to verify the number, the cardholder's
driver's license number or identification card number may be
recorded on the credit card transaction form. [1747.08(4)d].
5)Defines PII as information concerning the cardholder, other
than information set forth on the credit card, and including
but not limited to, the cardholder's address and telephone
number. [Section 1747.08(3)b]
6)Defines "debit card" and "debit cardholder" as defined in this
measure. [Civil Code, Section 1748.30]
FISCAL EFFECT : According to the Assembly Appropriations
Committee, as amended it has a negligible fiscal impact.
COMMENTS : This bill is in response to the recent court decision
from February 4, 2013, Apple v. Superior Court of Los Angeles
County (Krescent) S199384 (February 04, 2013). In Apple, the
California Supreme Court opined that the state's statutory
protection against the collection of PII when making credit card
purchases does not apply to online retailers of electronically
downloadable products. The Apple v. Superior Court of Los Angeles
County (Krescent) decision highlights the need for California
privacy law to be updated from the "brick and mortar" world to
an online world.
The underlying statute, the Song Beverly Credit Card Act passed
in 1990, generally prohibits businesses from requesting or
requiring consumers to provide unnecessary PII during a credit
card transaction. However, the Apple Court found, in essence,
that the statute and its anti-fraud provisions had been designed
for "brick and mortar" transactions that pre-dated the Internet
era and the explosion of e-commerce, and that online retailers
of electronically downloadable products were therefore outside
of the intended scope of the law.
The Court also recognized the problem of new technologies
outpacing existing laws, and the majority opinion explicitly
invited the state Legislature to revisit the matter, and update
its consumer protection laws accordingly should it so desire.
This bill provides that an operator of a commercial Internet Web
site or online service can collect only the ZIP code for a
credit card or debit card transaction if it is used for the
prevention of fraud, theft or identity theft. The worry
surrounding the recent court case decision encompasses the
concern of online retailers having the unlimited ability to ask
consumers for any amount of personal information when making an
online transaction. Due to the recent Court decision, online
merchants selling digital goods no longer need to worry about
the Song-Beverly Act. This bill attempts to limit this abuse
and maintain that the online retailer can only collect the PII
under limited circumstances.
To be clear, the bill allows the collection of PII by a retailer
or website operator under the following circumstances:
1)The PII is needed for detection, investigation or prevention of
fraud, theft, criminal activity, or enforcement of terms of
sale.
2)Instances when the card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrences, or as part of a layaway transaction.
3)Cash advance transactions.
4)The online retailer is contractually obligated to provide PII
in order to complete the card transactions.
5)Federal or state law or regulations require information to be
collected by the operator.
6)An operator maintains a preexisting account associated with
the cardholder where the cardholder has previously provided
personal identifiable information as part of the account.
7)If PII is needed for shipping, delivery, servicing, sales
documentation or installation of the purchased merchandise.
8)The cardholder is advised, or it is apparent, that the
provision of the personal identification information is not a
condition to accepting the credit card or debit card as
payment in full or in part for goods or services and the
cardholder has consented to the collection of the personal
identification information.
In response to the Court case, this bill attempts to strike a
balance between protecting consumers' privacy while also
allowing online retailers to collect the necessary information
to complete the transaction.
Key amongst its provisions, this bill includes an exception to
the prohibition on using PII if it is used for detection,
investigation or prevention of theft, identity theft, criminal
activity, or enforcement of terms of sale. This exception
should be understood as necessary to complete the online
transaction and ensure that the consumer is protected from fraud
and identity theft. Additionally, this is designed to ensure
that retailers and financial institutions are not constrained
when investigating legitimate concerns regarding potential
fraudulent transactions. However, this exemption must be
interpreted narrowly for the purposes for which it is stated and
not as an authorization for the unrestrained sharing of PII among
entities for additional uses that would only increase the risk
of that information becoming part of the very thing the
exception is designed to prevent: criminal activity, fraud and
identity theft. Lastly, information collected for these
purposes should not be accompanied by carte blanche authorization
as to how long such information may be stored by the entities that
have collected the information.
BACKGROUND:
Song-Beverly Credit Card Act of 1971 : Under state law, a person
who accepts a credit card for payment shall not record the
consumer's PII on the credit card transaction form, except as
specified. Originally enacted in 1971, the Song-Beverly Credit
Card Act (Act) regulates the issuance and use of credit cards
and the respective rights and responsibilities of cardholders
and retailers. Section 1747.08 of the Act, in particular, seeks
to protect a consumer's privacy and to address "the misuse of
personal identification information for, inter alia, marketing
purposes." Specifically, the Act prohibits a retailer from
requesting, as a condition of acceptance of a credit card, that
the cardholder provide the retailer with PII, which is defined
to mean any information about the cardholder that does not
appear on the card, including, but not limited to, the
cardholder's name and address.
Existing law carves out reasonable exceptions to this general
rule, including where the business is contractually or legally
required to collect the information, or where the business needs
the information to perform some "special purpose," such as
shipping, installing, or servicing a purchased item. A business
that accepts credit cards is also permitted to require the
cardholder, as a condition to accepting the card as payment, to
provide reasonable forms of identification, such as a driver's
license. AB 1219 (Perea), Chapter 690, Statutes of 2011,
created another limited exception: in order to prevent fraud, a
business that sells fuel may ask the purchaser to provide a ZIP
code in order to process a fuel purchase at an automated fuel
dispenser island. A person or business that violates the Act is
subject to civil penalties, which may be assessed in a civil
action by an affected cardholder, or in an action brought by the
Attorney General or a district or city attorney.
"Personal Identification Information" Under Song-Beverly-Pineda :
In 2011 the California Supreme Court confronted the question of
what constitutes "personal identification information" under the
Song-Beverly Credit Card Act and, more specifically, whether a
person's ZIP code - with nothing else - constitutes an
"address." (Pineda v. Williams-Sonoma Stores, Inc. (2011) 51
Cal. 4th. 524.) In Pineda, a customer sued a retailer claiming
that it had violated the provisions of the Song-Beverly Act when
a store clerk asked the customer for a ZIP code during the
credit card transaction, and then recorded that ZIP code along
with the customer's name and credit card number. The customer
subsequently learned that the retailer used this information to
do a "reverse search" to locate the customer's home address.
The retailer then kept the customer's information in a database
that it used for marketing purposes. The customer filed the
matter as a putative class action, alleging invasion of privacy,
unfair competition, and violation of the Song-Beverly Act. Both
the trial court and the Court of Appeal sided with the retailer,
finding that a ZIP code, without any other component of the
address, was too general to be considered "personal
identification information." However, the California Supreme
Court reversed, holding, unanimously, that the word "address" in
the statute means either a complete address or any portion of an
address, and that a ZIP code is "readily understood to be part
of an address."
The Recent Apple Case - Online Businesses Held Not to Be Covered
by Song-Beverly : A bare majority of four justices held that
Song-Beverly did not apply to online businesses. The majority opinion
conceded that the statute does not make any express exception
for online business transactions, applying as it does to any
person, firm, etc. that accepts credit cards. However, the
court concluded that both the legislative history and the
overall statutory framework strongly suggest that the statute
was only meant to apply to in-person transactions at brick and
mortar businesses; online purchasers were not contemplated, as
it was crafted prior to the explosion of online commerce.
In support of this conclusion, the Court made the following
points:
1)When the statute was originally enacted in 1971 the Internet
did not exist, and even at the time of the most recent
amendment - 1991 - online commercial sales were virtually
non-existent and certainly not widespread, suggesting that the
original intent of the Legislature concerned in-person brick
and mortar transactions.
2)In order to prevent fraud, the statute permits a business to
require the customer to present a form of identification, such
as a driver's license or other photo ID, so long as none of
the information is written down or recorded. This provision,
the court reasoned, showed that the overall framework did not
contemplate online transactions, for an online business would
not be able to request a photo ID for purposes of fraud
prevention.
CALIFORNIA'S RIGHT TO PRIVACY :
The California Constitution expressly protects an individual's
right to privacy. Added to the California Constitution in 1972
when voters adopted Proposition 11, the California privacy
provision protects an individual's right to privacy from both
governmental and private actors.
The California Supreme Court has held that the privacy provision
in the California Constitution "creates a legal and enforceable
right of privacy for every Californian." (White v. Davis (1975)
13 Cal. 3d 757, 775.) Despite this express protection, however,
just what is included in the state's constitutional right of
privacy has necessarily been developed in a body of case law.
These cases tend to be very fact-specific. As a general rule,
however, in order to maintain a claim for infringement of one's
right of privacy under the California Constitution, the
plaintiff must 1) identify a legally protected privacy interest;
2) establish that he or she had a "reasonable expectation of
privacy" under the circumstances; and 3) that the defendant's
conduct constituted a "serious" invasion of privacy. If a
plaintiff establishes all three of these elements, the defendant
may still show the invasion of privacy was justified if it
furthers a legitimate and competing interest. Specifically, the
California Supreme Court has held that an "invasion of a privacy
interest is not a violation of the state constitutional right to
privacy if the invasion is justified by a competing interest."
RELATED LEGISLATION : SB 383 (Jackson) of the current
legislative session authorizes a person or entity that accepts
credit cards in an online transaction to require a cardholder, as a
condition to accepting a credit card as payment in full or in
part for goods or services, to provide the billing ZIP Code and
street address number associated with the credit card, if used
solely for the prevention of fraud, theft, or identity theft.
The bill would require that person or entity to destroy or
dispose of the ZIP Code and street address number information in
a secure manner after it is no longer needed for the prevention
of fraud, theft, or identity theft. The bill would further
prohibit that person or entity from aggregating the ZIP Code and
street address number information with any other personal
identification information, and from sharing the ZIP Code.
Currently, SB 383 is pending in the Senate.
PREVIOUS LEGISLATION: AB 1219 (Perea), Chapter 690, Statutes of
2011 provided clarification for those instances when an entity
that accepts credit cards may not request certain types of PII
to complete the transaction. It created an express exemption from
the prohibition against the collection and retention of ZIP code
information when the ZIP code is used solely for prevention of
fraud, theft, or identity theft in a sales transaction at a
retail motor fuel dispenser or retail motor fuel payment island
automated cashier.
Analysis Prepared by : Mark Farouk / B. & F. / (916) 319-3081
FN: 0001031