BILL ANALYSIS






                  SENATE BANKING & FINANCIAL INSTITUTIONS COMMITTEE
                              Senator Lou Correa, Chair
                              2013-2014 Regular Session

          AB 844 (Dickinson)                 Hearing Date:  July 3, 2013  

          As Amended: May 28, 2013
          Fiscal:             Yes
          Urgency:       No
          

           SUMMARY    Would update provisions of the Song-Beverly Credit  
          Card Act of 1971 (Song-Beverly) related to the protection of  
          personal identification information (PII), to reflect the  
          increasing use of debit cards to purchase goods and services and  
          the increasing use of the Internet as a venue for use of both  
          credit cards and debit cards to purchase goods and services.
          
           DESCRIPTION
           
            1.  Would apply the provisions of the Song-Beverly Credit Card  
              Act relating to the collection of PII to debit card  
              transactions at brick-and-mortar stores and to online  
              transactions, in which either a credit card or a debit card  
              is used.  Would make a small number of additional changes to  
              provisions of Song-Beverly, to update the Act. Provisions of  
              Song-Beverly that are amended by this bill are summarized  
              immediately below, with language in bold and italics,  
              reflecting the manner in which this bill would modify those  
              provisions. 

           2.  Would define PII as information concerning the credit or  
              debit cardholder, other than information set forth on the  
              credit or debit card, including, but not limited to, the  
              cardholder's address and telephone number.  

           3.  Would prohibit any person, firm, partnership, association,  
              or corporation that accepts credit cards or debit cards for  
              the transaction of business from doing any of the following:

               a.     Requesting or requiring a credit or debit cardholder  
                 to write any PII, on the credit card or debit card  
                 transaction form or otherwise, or requesting or requiring  
                 a credit or debit cardholder to provide PII, which the  
                 person, firm, partnership, association, or corporation  
                 accepting the card writes on the credit card transaction  
                 form or otherwise, as a condition of accepting the credit  
                 or debit card as payment in full or in part for goods or  
                 services.

               b.     Using a credit card form or debit card template that  
                 contains preprinted spaces specifically designated for  
                 filling in any personal identification information of the  
                 cardholder.  

           4.  Would exempt from the prohibitions summarized above all of  
              the following situations:

               a.     Situations in which the credit or debit card is  
                 being used as a deposit to secure payment in the event of  
                 default, loss, or damage or as part of a layaway  
                 transaction.
               
               b.     Cash advance transactions.

               c.     Situations in which the person, firm, partnership,  
                 association, or corporation accepting the credit or debit  
                 card is contractually obligated to provide PII in order  
                 to complete the transaction, or is obligated to collect  
                 and record PII by federal or state law or regulation.

               d.     Situations in which the person, firm, partnership,  
                 association, or corporation accepting the credit or debit  
                 card in a sales transaction at a retail motor fuel  
                 dispenser or motor fuel payment island uses zip code  
                 information solely for the prevention of fraud, theft, or  
                 identity theft.

               e.     Situations in which the PII is required for a  
                 special purpose, incidental but related to the credit or  
                 debit card transaction, including, but not limited to,  
                 information relating to shipping, delivery, servicing,  
                 sales documentation, or installation of purchased  
                 merchandise.  

               f.     Situations in which the person, firm, partnership,  
                 association, or corporation, including the operator of a  
                 commercial Internet web site or online service, accepting  
                 the credit or debit card in a business transaction, uses  
                 the PII for the detection, investigation, or prevention  
                 of fraud, theft, identity theft, or criminal activity, or  
                 to enforce terms of sale.

               g.     Situations in which the cardholder is advised, or it  
                 is apparent, that the provision of PII is not a condition  
                 to accepting the credit or debit card as payment for  
                 goods and services, and the cardholder has consented to  
                 the collection of the PII.
               
           5.  Would clarify that Song-Beverly does not prohibit any  
              person, firm, partnership, association, or corporation from  
              requiring a cardholder, as a condition of accepting the  
              credit or debit card as payment for goods or services, to  
              provide reasonable forms of positive identification,  
              provided that none of the information contained on that  
              identification is collected or recorded on the credit or  
              debit card transaction template or otherwise.

           6.  Would clarify that the Song-Beverly Credit Card Act does  
              not prohibit any person, firm, partnership, association, or  
              corporation, including the operator of a commercial Internet  
              web site or online service, as defined, from collecting or  
              using PII, if the operator or its affiliated corporate  
              entities maintain an account associated with the credit  
              cardholder or debit cardholder, and if the cardholder  
              provides PII as part of the establishment, updating, or  
              maintenance of that account.  

           7.  Would update provisions of Song-Beverly governing the  
              display of card numbers on receipts to incorporate debit  
              card transactions and transactions conducted online, by  
              providing that no person, firm, partnership, association,  
              corporation, or limited liability company may display more  
              than the last five digits of a credit or debit card account  
              number, or the card's expiration date, on any of the  
              following, unless the sole means of recording the person's  
              credit or debit card account number is by handwriting or by  
              an imprint or copy of the credit or debit card:

               a.     Any receipt provided to the cardholder.

               b.     Any receipt retained by the person, firm,  
                 partnership, association, corporation, or limited  
                 liability company  which is printed at the time of the  
                 purchase, exchange, refund, or return.
                
               c.     Any receipt retained by the person, firm,  
                 partnership, association, corporation, or limited  
                 liability company  which is printed  that is not signed by  
                 the credit or debit cardholder at the time of the  
                 purchase, exchange, refund, or return, because the credit  
                 or debit cardholder used a personal identification number  
                 to complete the transaction.

           EXISTING LAW
           
            1.  Establishes every Californian's right to privacy  
              (California Constitution, Article 1).

            2.  Provides for Song-Beverly, which was originally enacted to  
              impose obligations in connection with credit card  
              transactions (Civil Code Sections 1747 et seq.).   
              Song-Beverly governs multiple obligations of credit card  
              issuers, credit cardholders, and retailers that accept  
              credit cards; it is not limited to collection and retention  
              of PII by retailers.

            3.  Subjects persons who violate the provisions of  
              Song-Beverly governing collection of PII to a civil penalty  
              not to exceed $250 for the first violation and $1,000 for  
              each subsequent violation, which may be assessed in an  
              action brought by the person paying with the credit card,  
              the Attorney General, or by the district attorney or city  
              attorney of the county or city in which the violation  
              occurred.  Further provides that no civil penalty may be  
              assessed for a violation if the defendant shows, by a  
              preponderance of the evidence, that the violation was not  
              intentional and resulted from a bona fide error made  
              notwithstanding the defendant's maintenance of procedures  
              reasonably adopted to avoid that error. 

           COMMENTS

          1.  Purpose:   This bill is sponsored by the author to increase  
              consumer privacy, by safeguarding against the exploitation  
              of personal information, while also ensuring appropriate  
              fraud and identity theft protection.  

           2.  Background:   This bill is a response to a recent California  
              Supreme Court decision (Apple v Superior Court of Los  
              Angeles County (Krescent) S199384, February 4, 2013).  In  
              that decision, the court ruled 4-3 that "upon careful  
              consideration of the statute's text, structure, and purpose,  
              we hold that Civil Code Section 1747.08 [one of the code  
              sections that this bill would amend] does not apply to  
              online purchases in which the product is downloaded  
              electronically."  

          The Apple case involved an individual who had been asked for his  
              address and telephone number as a condition of accepting his  
              credit card for payment.  Although a majority of Supreme  
              Court justices found that Song-Beverly does not apply to  
              online downloads, the majority opinion observed, "existing  
              state and federal laws provide consumers with a degree of  
              protection against unwanted use or disclosure of personal  
              identification information.  The Legislature may believe  
              these measures are inadequate and, if so, may enact  
              additional protections."  The author of this bill accepted  
              the Court's challenge, by proposing to apply provisions of  
              Song-Beverly governing the collection of PII to online  
              transactions.  

          This bill's author is also proposing to apply the provisions of  
              Song-Beverly governing the collection of PII to retail  
              transactions involving debit cards.  Just as Song-Beverly  
              largely predates use of the Internet for retail  
              transactions, it also predates the use of debit cards to  
              conduct retail transactions.  This bill's author believes  
              that persons who use debit cards to purchase goods or  
              services deserve to have their PII protected to the same  
              extent as persons who use credit cards for the same purpose.  
               

           3.  Discussion:   The current language of this bill is a product  
              of amendments made by the Assembly Appropriations Committee,  
              when it passed AB 844 off its Suspense file in late May.   
              Prior to the May 28th amendments, the bill was supported by  
              many of the organizations that now oppose it (see opposition  
              arguments below), and the bill was opposed by a coalition of  
              business trade associations.  The May 28th amendments  
              removed the trade group opposition to the bill, but  
              attracted opposition from consumer organizations.

           4.  Summary of Arguments in Support:   None received.  

           5.  Summary of Arguments in Opposition:    
           
                a.     The Consumer Federation of California writes that  
                 the current version of AB 844 "would eviscerate  
                 Song-Beverly privacy provisions that have applied to  
                 brick and mortar and other credit card purchases for over  
                 20 years.  AB 844 would give merchants in any credit card  
                 transaction a license to violate a consumer's right to  
                 privacy with impunity."  The provision of AB 844 that  
                 prompts these concerns allows for the collection of PII  
                 in situations where the cardholder is advised, or it is  
                 apparent, that the provision of PII is not a condition to  
                 accepting the credit or debit card as payment for goods  
                 and services, and the cardholder has consented to the  
                 collection of the PII.

               In its letter, the Consumer Federation cites the 2011  
                 Pineda v. Williams Sonoma court case (51 Cal 4th 524).   
                 The Pineda court observed that the 1991 addition to  
                 Song-Beverly of a prohibition against requesting PII was  
                 intended to prevent a retailer from making an end-run  
                 around the law by claiming the customer furnished the PII  
                 voluntarily.  The Consumer Federation also cites Florez  
                 v. Linens 'N Things 108 Cal App. 4th 447, which concluded  
                 that a retailer could not request PII from a consumer  
                 paying with a credit card, even if the consumer's  
                 response was voluntary and made only for marketing  
                 purposes.  The Consumer Federation of California believes  
                 that the amendments to AB 844 will exacerbate the  
                 potential for fraud, theft, and identity theft; lead to  
                 the dissemination of individuals' PII; and lead to acts  
                 of harassment and violence by store clerks who obtain  
                 customers' PII.  A retailer could comply with this  
                 provision of the bill by posting a small sign in his or  
                 her retail establishment, informing customers that PII is  
                 being collected for marketing purposes, and could be in  
                 compliance with the bill, even if a customer never saw  
                 the sign.

               The Consumer Federation is also opposed to the May 28th  
                 amendment that deleted the word "solely" from the  
                 provision that allows PII to be collected when it is used  
                 for the detection, investigation, or prevention of fraud,  
                 theft, identity theft, or criminal activity, or to  
                 enforce terms of sale.  Eliminating the word "solely"  
                 will allow merchants to use PII for any purpose,  
                 including marketing, consumer profiling, or sale to third  
                 parties.

               The Consumer Federation is similarly opposed to the  
                 provision of AB 844 that allows PII to be collected if it  
                 is part of an account that a merchant establishes for a  
                 customer.  This language provides online businesses a  
                 loophole against privacy protection, since virtually  
                 every online credit card transaction is, or could become,  
                 associated with a cardholder's account.
                
                b.     The California Public Interest Research Group  
                 (CALPIRG), Privacy Rights Clearinghouse, and Consumer  
                 Action oppose the bill for the same reasons stated by the  
                 Consumer Federation.

                
          6.  Amendments:    The following technical and clarifying  
              amendment is recommended:  

          Page 8, strike line 5 and insert: or criminal activity, or to  
              enforce terms of sale.

           7.  Prior and Related Legislation:   

               a.     SB 383 (Jackson):  Would allow for the collection of  
                 PII in connection with online credit card transactions,  
                 if that information is used solely to prevent fraud,  
                 theft, or identity theft, and would require the  
                 destruction or disposal of that information once its use  
                 is no longer necessary to prevent fraud, theft, or  
                 identity theft.  Pending on the Senate Floor Inactive  
                 File.

               b.     AB 1219 (Perea), Chapter 690, Statutes of 2011:   
                 Responded to a different California Supreme Court  
                 decision regarding the PII provisions of Song-Beverly  
                 (Pineda v. Williams-Sonoma Stores, Inc. (2011), 51 Cal.  
                 4th 524).  Expressly allowed the collection and  
                 retention of PII when required by state law, and the  
                 collection of zip code information, when the zip code is  
                 used solely for the prevention of fraud, theft, or  
                 identity theft in a sales transaction at a retail motor  
                 fuel dispenser or retail motor fuel payment island  
                 automated cashier.  

           LIST OF REGISTERED SUPPORT/OPPOSITION
          
          Support
           
          None received
           
          Opposition
           
          CALPIRG   
          Consumer Action
          Consumer Federation of California
          Privacy Rights Clearinghouse


          Consultant: Eileen Newhall  (916) 651-4102