BILL ANALYSIS

SENATE BANKING & FINANCIAL INSTITUTIONS COMMITTEE
Senator Lou Correa, Chair
2013-2014 Regular Session

AB 844 (Dickinson)
Hearing Date: June 19, 2013
As Amended: May 28, 2013
Fiscal: Yes
Urgency: No

SUMMARY

Would update provisions of the Song-Beverly Credit Card Act of 1971 (Song-Beverly) related to the protection of personal identification information (PII), to reflect the increasing use of debit cards to purchase goods and services and the increasing use of the Internet as a venue for use of both credit cards and debit cards to purchase goods and services.

DESCRIPTION

1. Would apply the provisions of the Song-Beverly Credit Card Act relating to the collection of PII to debit card transactions at brick-and-mortar stores and to online transactions, in which either a credit card or a debit card is used. Would make a small number of additional changes to provisions of Song-Beverly, to update the act. Provisions of Song-Beverly that are amended by this bill are summarized immediately below, with language in bold and italics, reflecting the manner in which this bill would modify those provisions.

2. Would define PII as information concerning the credit or debit cardholder, other than information set forth on the credit or debit card, including, but not limited to, the cardholder's address and telephone number.

3. Would prohibit any person, firm, partnership, association, or corporation that accepts credit cards or debit cards for the transaction of business from doing any of the following:

   a. Requesting or requiring a credit or debit cardholder to write any PII, on the credit card or debit card transaction form or otherwise, or requesting or requiring a credit or debit cardholder to provide PII, which the person, firm, partnership, association, or corporation accepting the card writes on the credit card transaction form or otherwise, as a condition of accepting the credit or debit card as payment in full or in part for goods or services.

   b. Using a credit card form or debit card template that contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

4. Exempts from the prohibitions summarized above all of the following situations:

   a. Situations in which the credit or debit card is being used as a deposit to secure payment in the event of default, loss, or damage or as part of a layaway transaction.

   b. Cash advance transactions.

   c. Situations in which the person, firm, partnership, association, or corporation accepting the credit or debit card is contractually obligated to provide PII in order to complete the transaction, or is obligated to collect and record PII by federal or state law or regulation.

   d. Situations in which the person, firm, partnership, association, or corporation accepting the credit or debit card in a sales transaction at a retail motor fuel dispenser or motor fuel payment island uses zip code information solely for the prevention of fraud, theft, or identity theft.

   e. Situations in which the PII is required for a special purpose, incidental but related to the credit or debit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, sales documentation, or installation of purchased merchandise.

   f. Situations in which the person, firm, partnership, association, or corporation, including the operator of a commercial Internet web site or online service, accepting the credit or debit card in a business transaction, uses the PII for the detection, investigation, or prevention of fraud, theft, identity theft, or criminal activity, or to enforce terms of sale.

   g. Situations in which the cardholder is advised, or it is apparent, that the provision of PII is not a condition to accepting the credit or debit card as payment for goods and services, and the cardholder has consented to the collection of the PII.

5. Would clarify that Song-Beverly does not prohibit any person, firm, partnership, association, or corporation from requiring a cardholder, as a condition of accepting the credit or debit card as payment for goods or services, to provide reasonable forms of positive identification, provided that none of the information contained on that identification is collected or recorded on the credit or debit card transaction template or otherwise.

6. Would clarify that the Song-Beverly Credit Card Act does not prohibit any person, firm, partnership, association, or corporation, including the operator of a commercial Internet web site or online service, as defined, from collecting or using PII, if the operator or its affiliated corporate entities maintain an account associated with the credit cardholder or debit cardholder, and if the cardholder provides PII as part of the establishment, updating, or maintenance of that account.

7. Would update provisions of Song-Beverly governing the display of card numbers on receipts to incorporate debit card transactions and transactions conducted online, by providing that no person, firm, partnership, association, corporation, or limited liability company may display more than the last five digits of a credit or debit card account number, or the card's expiration date, on any of the following, unless the sole means of recording the person's credit or debit card account number is by handwriting or by an imprint or copy of the credit or debit card:

   a. Any receipt provided to the cardholder.

   b. Any receipt retained by the person, firm, partnership, association, corporation, or limited liability company which is printed at the time of the purchase, exchange, refund, or return.

   c. Any receipt retained by the person, firm, partnership, association, corporation, or limited liability company which is printed that is not signed by the credit or debit cardholder at the time of the purchase, exchange, refund, or return, because the credit or debit cardholder used a personal identification number to complete the transaction.

EXISTING LAW

1. Establishes every Californian's right to privacy (California Constitution, Article 1).

2. Provides for Song-Beverly, which was originally enacted to impose obligations in connection with credit card transactions (Civil Code Sections 1747 et seq.). Song-Beverly governs multiple obligations of credit card issuers, credit cardholders, and retailers that accept credit cards; it is not limited to collection and retention of PII by retailers.

3. Subjects persons who violate the provisions of Song-Beverly governing collection of PII to a civil penalty not to exceed $250 for the first violation and $1,000 for each subsequent violation, which may be assessed in an action brought by the person paying with the credit card, the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. Further provides that no civil penalty may be assessed for a violation if the defendant shows, by a preponderance of the evidence, that the violation was not intentional and results from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error.

COMMENTS

1. Purpose: This bill is sponsored by the author to increase consumer privacy, by safeguarding against the exploitation of personal information, while also ensuring appropriate fraud and identity theft protection.

2. Background: This bill is a response to a recent California Supreme Court decision (Apple v. Superior Court of Los Angeles County (Krescent) S199384, February 4, 2013). In that decision, the court ruled 4-3 that "upon careful consideration of the statute's text, structure, and purpose, we hold that Civil Code Section 1747.08 [one of the code sections that this bill would amend] does not apply to online purchases in which the product is downloaded electronically." The Apple case involved an individual who had been asked for his address and telephone number as a condition of accepting his credit card for payment.

   Although a majority of Supreme Court justices found that Song-Beverly does not apply to online downloads, the majority opinion observed, "existing state and federal laws provide consumers with a degree of protection against unwanted use or disclosure of personal identification information. The Legislature may believe these measures are inadequate and, if so, may enact additional protections."

   The author of this bill accepted the Court's challenge, by applying provisions of Song-Beverly governing the collection of PII to online transactions.

   This bill's author is also proposing to apply the provisions of Song-Beverly governing the collection of PII to retail transactions involving debit cards. Just as Song-Beverly largely predates use of the Internet for retail transactions, it also predates the use of debit cards to conduct retail transactions. This bill's author believes that persons who use debit cards to purchase goods or services deserve to have their PII protected to the same extent as persons who use credit cards for the same purpose.

3. Discussion: The current language of this bill is a product of extensive debate and negotiation. The history of privacy debates in the California Legislature suggests that compromise on such a highly personal issue is challenging; there remains an ongoing tension between retailers' and consumers' need for fraud and identity theft protection and the constitutional right to privacy to which all Californians are entitled. The most recent amendments (May 28th) are believed to have removed all outstanding opposition to this bill. No substantive amendments are suggested in this analysis, in order to protect the delicate compromise its language currently represents.

4. Summary of Arguments in Support (Revised): None received.

5. Summary of Arguments in Opposition: None received. A coalition of trade associations that were previously opposed to this bill removed their opposition, based on the May 28th, 2013 amendments.

6. Amendments: The following technical and clarifying amendment is recommended:

   Page 8, strike line 5 and insert: or criminal activity, or to enforce terms of sale.

7. Prior and Related Legislation:

   a. SB 383 (Jackson): Would allow for the collection of PII in connection with online credit card transactions, if that information is used solely to prevent fraud, theft, or identity theft, and would require the destruction or disposal of that information once its use is no longer necessary to prevent fraud, theft, or identity theft. Pending on the Senate Floor Inactive File.

   b. AB 1219 (Perea), Chapter 690, Statutes of 2011: Responded to a different California Supreme Court decision regarding the PII provisions of Song-Beverly (Pineda v. Williams-Sonoma Stores, Inc. (2011), 51 Cal. 4th 524). Expressly allowed the collection and retention of PII when required by state law, and the collection of zip code information, when the zip code is used solely for the prevention of fraud, theft, or identity theft in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier.

LIST OF REGISTERED SUPPORT/OPPOSITION

Support (Revised)
None received

Opposition
None received

Consultant: Eileen Newhall (916) 651-4102