BILL ANALYSIS                                                                                                                                                                                                    Ó






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          SB 383 (Jackson)
          As Amended April 1, 2013
          Hearing Date: May 7, 2013
          Fiscal: No
          Urgency: No
          TH


                                        SUBJECT
                                           
              Credit Cards: Downloadable products: Personal information

                                      DESCRIPTION  

          Existing law prohibits a person or entity that accepts credit  
          cards for the transaction of business from requesting, or  
          requiring as a condition of accepting the credit card, that a  
          cardholder provide his or her personal identification  
          information, except under certain circumstances.   
          Notwithstanding these prohibitions, existing law authorizes a  
          person or entity that accepts credit cards to require the  
          cardholder to provide reasonable forms of identification, which  
          may include a driver's license or a California state  
          identification card, as a condition of accepting the credit  
          card, provided that personal identification information is not  
          written or recorded in the process.

          This bill would authorize a person or entity that accepts credit  
          cards as part of an online transaction involving an  
          electronically downloadable product to require a cardholder, as  
          a condition of accepting a credit card as payment for goods or  
          services, to provide the billing ZIP Code and the numerical  
          portion of the street address associated with the credit card,  
          to be used solely for the prevention of fraud, theft, or  
          identity theft.  This bill would additionally require the person  
          or entity to dispose of the ZIP Code and street address number  
          information in a secure manner after it is no longer needed for  
          the prevention of fraud, theft, or identity theft.  This bill  
          would also prohibit the person or entity from aggregating the  
          ZIP Code and street address number information with any other  
          personal identification information, or from sharing the ZIP  
                                                                (more)



          SB 383 (Jackson)
          Page 2 of ?



          Code and street address number information with any third party.

                                      BACKGROUND  

          The Song Beverly Credit Card Act (Civ. Code Sec. 1747 et. seq.)  
          broadly prohibits businesses and others from requesting or  
          requiring a credit card holder to provide personal  
          identification information during a credit card transaction,  
          except in certain limited situations.  Enacted in 1971, the act  
          regulates the issuance of credit cards to consumers in the State  
          of California, and specifies the rights and obligations of  
          retailers and cardholders in their use.  The act articulates  
          "fair business practices for the protection of . . . consumers,"  
          and "made major changes in the law dealing with credit card  
          practices by prescribing procedures for billing, billing errors,  
          dissemination of false credit information, issuance and  
          unauthorized use of credit cards."  (Pineda v. Williams-Sonoma  
          Stores, Inc. (2011) 51 Cal.4th 524, 538-39 [internal citations  
          and quotation marks omitted].)

          The Legislature amended the Song Beverly Credit Card Act in  
          1990, "seeking to address the misuse of personal identification  
          information for, inter alia, marketing purposes" by retailers.   
          (Pineda, 51 Cal.4th at 534.)  "[F]inding that there would be no  
          legitimate need to obtain such information from credit card  
          customers if it was not necessary to the completion of the  
          credit card transaction" (Id. at 534.), the Legislature amended  
          the statute to protect from disclosure "information concerning  
          the cardholder, other than information set forth on the credit  
          card, . . . including, but not limited to, the cardholder's  
          address and telephone number." (See Civ. Code Sec. 1747.08(b).)   
          These new amendments prohibited merchants from "[r]equest[ing],  
          or requir[ing] as a condition to accepting the credit card as  
          payment in full or in part for goods or services, the cardholder  
          to provide personal identification information" to be recorded  
          by the merchant.  (See Civ. Code Sec. 1747.08(a).)  Courts  
          interpreting these amendments have viewed them as strengthening  
          the act's existing protections and furthering the act's  
          "overriding purpose," which is to "protect the personal privacy  
          of consumers who pay for transactions with credit cards."   
          (Pineda, 51 Cal.4th at 534.)

          In Pineda v. Williams-Sonoma Stores, Inc., the California  
          Supreme Court issued its first major opinion construing the  
          scope of the act.  Williams-Sonoma, a chain retailer of home  
          furnishings and cookware, was accused by a patron of violating  
                                                                      



          SB 383 (Jackson)
          Page 3 of ?



          the act by, among other things, collecting the ZIP Code  
          information of credit card customers at the point of sale in its  
          retail stores, using customized computer software to discern a  
          customer's address by matching information in a database to the  
          information collected at the point of sale, and then marketing  
          its products to its credit card customers using the previously  
          undisclosed address or selling the information it had compiled  
          to other businesses.  The patron brought a lawsuit under the  
          act, seeking classwide relief for credit card customers based on  
          Williams-Sonoma's alleged violation of its provisions concerning  
          the collection of personal identification information.  (See  
          Pineda, 51 Cal.4th 524.)  Siding with the patron, the Supreme  
          Court held that personal identification information protected  
          under the act included, among other things, a credit card user's  
          ZIP Code.  Construing the statute broadly, the Supreme Court  
          held that the act provided "robust consumer protections by  
          prohibiting retailers from soliciting and recording information  
          about the cardholder that is unnecessary to the credit card  
          transaction," and stated that, as a remedial statute, it ought  
          to be liberally construed "in favor of [its] protective  
          purpose," which is to address "the misuse of personal  
          identification information for, inter alia, marketing purposes."  
           (Id. at 536-37.)

          The Supreme Court revisited the Song Beverly Credit Card Act  
          earlier this year in Apple Inc. v. Superior Court (2013) 56  
          Cal.4th 128.  Despite its broad holding two years before in the  
          Pineda case, the Court's decision in Apple presented a very  
          narrow reading of the act's privacy related provisions.  The  
          Apple case involved a putative class action claim brought by a  
          consumer of Apple Computer's iTunes music and video download  
          service.  The consumer claimed that Apple had violated the act  
          by requiring iTunes consumers to provide their telephone number  
          and address in order to complete online purchases paid for with  
          a credit card.  The Court rejected the consumer's claim, and  
          held that the act did not apply to online transactions involving  
          downloadable products.  (See id. at 133 ["Upon careful  
          consideration of the statute's text, structure, and purpose, we  
          hold that section 1747.08 does not apply to online purchases in  
          which the product is downloaded electronically."].)  Citing the  
          legislative history of the 1990 amendments, the Court explained,  
          "[w]hile it is clear that the Legislature enacted the [act] to  
          protect consumer privacy, it is also clear that the Legislature  
          did not intend to achieve privacy protection without regard to  
          exposing consumers and retailers to undue risk of fraud."   
          (Apple Inc., 56 Cal.4th 128, 139.)
                                                                      



          SB 383 (Jackson)
          Page 4 of ?




          The Court interpreted the act's legislative history as  
          "show[ing] that the Legislature enacted the statute's privacy  
          related prohibitions only after carefully considering and  
          rejecting the possibility that the collection of personal  
          identification information by brick-and-mortar retailers could  
          serve a legitimate purpose such as fraud prevention."  (Apple  
          Inc., 56 Cal.4th at 139.)  With the competing interests of  
          consumer privacy and fraud prevention in mind, the Court found  
          that:

               The safeguards against fraud that are provided in [the act]  
               are not available to the online retailer selling an  
               electronically downloadable product.  Unlike a  
               brick-and-mortar retailer, an online retailer cannot  
               visually inspect the credit card, the signature on the back  
               of the card, or the customer's photo identification.  Thus,  
               section 1747.08(d) [concerning a retailer's ability to  
               request to see reasonable forms of positive  
               identification]-the key antifraud mechanism in the  
               statutory scheme-has no practical application to online  
               transactions involving electronically downloadable  
               products.  We cannot conclude that if the Legislature in  
               1990 had been prescient enough to anticipate online  
               transactions involving electronically downloadable  
               products, it would have intended [the act's] prohibitions  
               to apply to such transactions despite the unavailability of  
               section 1747.08(d)'s [fraud prevention] safeguards.  (Id.  
               at 140-41.)

          The Supreme Court limited its holding in Apple to the particular  
          facts in that case, stating "[w]e have no occasion here to  
          decide whether [the prohibitions in the act] appl[y] to online  
          transactions that do not involve electronically downloadable  
          products or to any other transactions that do not involve  
          in-person, face-to-face interaction between the customer and  
          retailer."  (Apple Inc., 56 Cal.4th at 143.)  Nonetheless, the  
          majority opinion expressly invited the Legislature to amend the  
          law and apply it to online transactions of downloadable products  
          if it so desired.  (See id. at 133 ["The Legislature may believe  
          these measures are inadequate and, if so, may enact additional  
          protections.  Or the Legislature may believe that existing laws,  
          together with market forces reflecting consumer preferences, are  
          sufficient.  It is not our role to opine on this important  
          policy issue."].)

                                                                      



          SB 383 (Jackson)
          Page 5 of ?



          This bill would amend the Song Beverly Credit Card Act to apply  
          its consumer privacy protection provisions to all online credit  
          card transactions that involve a downloadable product, without  
          reference to the method, platform, or technology used to process  
          or to complete the transaction.  In order to address the need to  
          prevent credit card fraud, this bill would authorize a person or  
          entity that accepts credit cards in an online transaction to  
          require a cardholder to provide the billing ZIP Code and street  
          address number associated with the credit card solely for the  
          prevention of fraud, theft, or identity theft.  The bill would  
          require the person or entity collecting this information to  
          destroy or dispose of it in a secure manner after it is no  
          longer needed for the prevention of fraud, theft, or identity  
          theft.  The bill would also prohibit the person or entity from  
          aggregating the ZIP Code and street address number information  
          with any other personal identification information, or from  
          sharing the ZIP Code and street address number information with  
          any other person or entity.

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)  This privacy provision in the  
          California Constitution "creates a legal and enforceable right  
          of privacy for every Californian."  (White v. Davis (1975) 13  
          Cal.3d 757, 775.)

           Existing law  , the California Online Privacy Protection Act (Bus.  
          and Prof. Code Sec. 22575 et. seq.), requires an operator of a  
          commercial Web site or online service that collects personally  
          identifiable information about individual consumers residing in  
          California who use or visit its commercial Web site or online  
          service to conspicuously post its privacy policy on its Web  
          site, or in the case of an operator of an online service, make  
          that policy available to consumers in accordance with state law.  
           (Bus. and Prof. Code Sec. 22575(a).)

           Existing law  , the Song Beverly Credit Card Act (Civ. Code Sec.  
          1747 et. seq.) prohibits persons and entities that accept credit  
          cards for the transaction of business from doing any of the  
          following:

             (1)Requesting or requiring the cardholder, as a condition of  
               accepting the credit card as payment for goods or services,  
               to write any personal identification information on the  
                                                                      



          SB 383 (Jackson)
          Page 6 of ?



               credit card transaction form.
             (2)Requesting or requiring the cardholder, as a condition of  
               accepting the credit card as payment for goods or services,  
               to provide personal identification information, which the  
               person or entity accepting the credit card writes, causes  
               to be written, or otherwise records upon the credit card  
               transaction form.
             (3)Utilizing, in any credit card transaction, a credit card  
               form that contains preprinted spaces specifically  
               designated for filling in any personal identification  
               information of the cardholder.  (Civ. Code Sec.  
               1747.08(a).)

           Existing law  defines "personal identification information" to  
          mean information concerning the cardholder, other than  
          information set forth on the credit card, and including, but not  
          limited to, the cardholder's address and telephone number.   
          (Civ. Code Sec. 1747.08(b).)

           Existing law  provides that the above-described restrictions on  
          the collection of the personal identification information of a  
          credit card holder do not apply in the following instances:

             (1)If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence.
             (2)Cash advance transactions.
             (3)If the person, firm, partnership, association, or  
               corporation accepting the credit card is contractually  
               obligated to provide personal identification information in  
               order to complete the credit card transaction or is  
               obligated to collect and record the personal identification  
               information by federal law, state law, or regulation.
             (4)If the person, firm, partnership, association, or  
               corporation accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for prevention of fraud, theft, or  
               identity theft.
             (5)If the personal identification information is required for  
               a special purpose incidental but related to the individual  
               credit card transaction, including, but not limited to,  
               information relating to shipping, delivery, servicing, or  
               installation of the purchased merchandise, or for special  
               orders.  (Civ. Code Sec. 1747.08(c).)

                                                                      



          SB 383 (Jackson)
          Page 7 of ?



           Existing law  does not prohibit any person or entity from  
          requiring the cardholder, as a condition of accepting the credit  
          card as payment in full or in part for goods or services, to  
          provide reasonable forms of positive identification, which may  
          include a driver's license or a California state identification  
          card, or where one of these is not available, another form of  
          photo identification, provided that none of the information  
          contained thereon is written or recorded on the credit card  
          transaction form or otherwise.  (Civ. Code Sec. 1747.08(d).)

           Existing law  imposes a civil penalty not to exceed two hundred  
          fifty dollars ($250) for the first violation of this section,  
          and one thousand dollars ($1,000) for each subsequent violation.  
           (Civ. Code Sec. 1747.08(e).)

           This bill  would permit a person or entity to require a  
          cardholder, as a condition of accepting a credit card as payment  
          in full or in part in an online transaction involving an  
          electronically downloadable product, to provide the billing ZIP  
          Code number and numerical portion of the street address  
          associated with the credit card, if used solely for the  
          prevention of fraud, theft, or identity theft. 

           This bill  would require the person or entity accepting the  
          credit card to destroy or dispose of the ZIP Code and street  
          address number information in a secure manner after it is no  
          longer needed for the prevention of fraud, theft, or identity  
          theft. 

           This bill  would prohibit the person or entity from aggregating  
          the ZIP Code and street address number with any other personal  
          identification information and would also prohibit the person or  
          entity from sharing the ZIP Code and street address number  
          information with any other person, firm, partnership,  
          association, or corporation.

           This bill  would codify the intent of the Legislature to apply  
          the Song Beverly Credit Card Act to all credit card transactions  
          without reference to the method, platform, or technology used to  
          process or complete the transaction.

           This bill  would find and declare the intent of the Legislature  
          to apply the provisions of the Song Beverly Credit Card Act to  
          all credit card transactions, including online transactions  
          involving a downloadable product.

                                                                      



          SB 383 (Jackson)
          Page 8 of ?



           This bill  would define "online transaction involving an  
          electronically downloadable product" to mean a credit card  
          transaction for a product, service, subscription, or any other  
          consideration, in which the product, service, subscription, or  
          consideration is provided by means of a download to the  
          cardholder's computer, telephone, or other electronic device.

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
               The bill seeks to remedy the deficiency in law created by  
               the Apple [decision], which eliminated credit card privacy  
               for downloadable product purchases based on the rationale  
               of fraud prevention, but the court did not restrict the  
               collection of personally identifiable information for cases  
               involving fraud prevention, and it did not limit the use of  
               information collected to fraud prevention.  As a result,  
               online merchants in these transactions may now collect  
               personally identifiable information without limit, for any  
               reason or for no reason at all, and may use the information  
               for any purpose.  SB 383 follows the rationale of the Apple  
               ruling, and balances it with Song Beverly's overarching  
               principle of protecting cardholders from unwarranted  
               privacy invasions by creating a limited exception that  
               allows merchants impacted by Apple to gather only that  
               information that is needed for fraud prevention, and limits  
               the use of the information for fraud prevention purposes  
               only.

               Businesses should be entitled to collect only information  
               concerning a credit card holder that is required for  
               completion of the cardholder-initiated transaction, for  
               other legal or compliance purposes. 

               Without this legislation, online merchants are free to use  
               information about cardholders to build customer profiles,  
               and use this information for marketing, or for sale to  
               third parties who may use this information for any purpose.  
                [A] [c]onsumer's choice in downloadable product purchases  
               may reveal intimate details about a consumer['s] interests,  
               among these a consumer's medical interests, sexual  
               orientation, investments, financial status, dating  
               interests, political views and other forms of confidential  
                                                                      



          SB 383 (Jackson)
          Page 9 of ?



               information.

          2.  Balancing right to privacy against need to combat credit card  
            fraud  

          California has long held that preserving individual privacy is a  
          matter of utmost importance in public policy.  Section 1,  
          article I of the California Constitution declares that "[a]ll  
          people are by nature free and independent and have inalienable  
          rights," and "[a]mong these are . . . pursuing and obtaining . .  
          . privacy."  The right to privacy in online commerce is no less  
          important.  Over thirty years ago, the Legislature recognized  
          that "[t]he right to privacy is being threatened by the  
          indiscriminate collection, maintenance, and dissemination of  
          personal information and the lack of effective laws and legal  
          remedies," and that "[t]he increasing use of computers and other  
          sophisticated information technology has greatly magnified the  
          potential risk to individual privacy that can occur from the  
          maintenance of personal information."  (Civ. Code Sec. 1798.1  
          [Legislative declarations and findings concerning the  
          Information Practices Act of 1977].)  "In order to protect the  
          privacy of individuals," the Legislature has declared it  
          "necessary that the maintenance and dissemination of personal  
          information be subject to strict limits."  (Id.)  This bill  
          furthers the fundamental public policy interest of protecting  
          the privacy of California's consumers by extending the  
          prohibitions of the Song Beverly Credit Card Act to merchants  
          engaged in online commerce.

          Statutes like Song Beverly were enacted with the express intent  
          of limiting the collection of personal identifying information  
          and giving California consumers more control over how their  
          information is shared in the marketplace.  As the Consumer  
          Federation of California -- the sponsor of this bill -- points  
          out, allowing the unfettered gathering of consumer information  
          during the course of a credit card transaction "gives . . .  
          merchants an open door to collecting personal data that is not  
          required for any transactional or security purpose."  They  
          state:

               Many merchants are eager to aggregate every bit of data on  
               consumers . . . Gathering data, and linking it to a credit  
               card holder's zip code, address or email address makes it  
               possible for a merchant . . . to construct a comprehensive  
               dossier on a consumer, which may include information  
               regarding a consumer's   . . . medical conditions, sexual  
                                                                      



          SB 383 (Jackson)
          Page 10 of ?



               orientation, financial and investment activities, political  
                                                                             or religious views, as well as shopping and purchasing  
               activities.

          By prohibiting the collection of data not germane to a credit  
          card transaction, Song Beverly protects California consumers  
          from unwanted invasions of their privacy, from unwelcome  
          marketing, and from having their personal information sold to  
          strangers without their permission.  This bill extends Song  
          Beverly's existing privacy protections into the realm of online  
          commerce.

          Consumer privacy protections are particularly crucial in the  
          digital age, where the collection and retention of personal  
          identification information by companies in large databases has  
          made it possible for individuals to unlawfully obtain millions  
          of records during a single breach of a company's computer  
          system.  One of the most egregious breaches involving credit  
          card information in history occurred in 2007, when TJX Companies  
          Inc., the owner of a number of retail brands including T.J.Maxx,  
          Marshalls and Bob's Stores, disclosed that "45.6 million credit  
          and debit card numbers were stolen from one of its systems over  
          a period of more than 18 months by an unknown number of  
          intruders."  (Jaikumar Vijayan, TJX data breach: At 45.6M card  
          numbers, it's the biggest ever  
           [as of May 2,  
          2013].)  In addition to the stolen credit card numbers, the  
          individuals responsible for this particular breach also stole  
          "personal data provided in connection with the return of  
          merchandise without receipts by about 451,000 individuals."   
          (Id.)

          The Supreme Court's ruling in Apple clarifies that the existing  
          provisions of Song Beverly do not prohibit online retailers  
          selling downloadable products from amassing similarly large  
          databases of personal identification information collected in  
          the course of a credit card transaction.  While the Apple  
          court's decision might seem limited in scope, the Court noted  
          how large this affected market actually is when it stated that  
          "[t]oday, retail e-commerce sales in the United States approach  
          $200 billion a year, and it has been estimated that iTunes alone  
          will generate as much as $13 billion in revenue for Apple in  
          2013 through the sale of apps, music, movies, and e-books."   
          (Apple Inc. v. Superior Court, 56 Cal.4th at 150 [internal  
          citations omitted].)  If online retailers were indiscriminately  
                                                                      



          SB 383 (Jackson)
          Page 11 of ?



          allowed to gather personal identifying information as part of  
          credit card transactions involving downloadable products,  
          similarly large databases could be assembled, the breach of  
          which could compromise the personal information of countless  
          Californians.

          However, just as breaches of computer databases containing  
          personal information place consumers at risk, so does online  
          fraud and identity theft.  According to statistics compiled by  
          the Internet Crime Complaint Center, which is a partnership  
          between the Federal Bureau of Investigation and the National  
          White Collar Crime Center, in 2010 California residents  
          submitted almost 35,000 complaints of internet fraud.  (See  
          California IC3 2010 Internet Crime Report <  
          http://www.ic3.gov/media/annualreport  
          /2010/California%202010%20Report.pdf> [as of May 2, 2013].)  Of  
          these complaints, which represent just a fraction of the total  
          number of instances of internet fraud that occurred in the state  
          in 2010, "[t]he top dollar loss complaint involved identity  
          theft and totaled $249,120.00 while the reported loss throughout  
          the state exceeded $46,300,000.00."  (Id.)

          The potential impact to California businesses from online credit  
          card fraud is equally staggering.  The latest data from FICO, a  
          company that uses mathematics to predict consumer behavior and  
          identify and minimize the impact of fraud, suggests that  
          nationwide 20 states saw an increase in credit card fraud in  
          2012.  (See FICO Labs: California, Florida and Northeast Were  
          Hotspots for ATM Fraud in 2012 < http:// www.fico.com  
          /en/Company/News/Pages/03-19-2013-Hotspots-for-ATM-Fraud-in-2012. 
          aspx> [as of May 2, 2013].)  Globally, losses from credit card  
          fraud amount to $7.6 billion, and "fraud in the United States  
          accounted for 47 percent of global fraud losses [in 2010] -- up  
          from about 46.5 percent in 2009 and 44 percent in the middle of  
          the last decade."  (See Ross Kerber, U.S. Banks Losing Ground in  
          Combating Credit, Debit Card Fraud: Report <  
          http://www.huffingtonpost.com/2011/10/04/credit-debit-card-fraud- 
          more-common-banks-lose-ground-hackers_n_994690.html> [as of May  
          2, 2013].)

          SB 383 would strike a balance between the need to safeguard  
          consumer privacy while also protecting retailers and consumers  
          against fraud in online transactions.  Just as existing  
          provisions of Song Beverly restrict a business from collecting  
          unnecessary personal information from consumers making in-person  
          purchases with a credit card while allowing access to the  
                                                                      



          SB 383 (Jackson)
          Page 12 of ?



          information in order to combat fraud, this bill would restrict  
          online retailers selling downloadable products from collecting  
          unnecessary personal information in the digital marketplace, but  
          would still leave them with the tools necessary to detect and  
          prevent online fraud, theft, and identity theft.

          3.   Business practices and technical requirements  

          Staff notes that merchants have contacted the author's office  
          and expressed technical concerns that the provisions in this  
          bill might interfere with standard industry procedures and  
          technical requirements concerning the processing of credit card  
          transactions.  They suggest that it is not uncommon for a  
          merchant to contract with a third party for the processing of  
          credit card transactions and identity verification.  Limitations  
          imposed in this bill on sharing personal identification  
          information gathered as part of an online credit card  
          transaction may operate to preclude the processing of certain  
          transactions using third parties that would otherwise be lawful  
          if the transaction were processed in an identical fashion solely  
          by the first party merchant or entity who accepts the credit  
          card as payment.  The author should continue to work with  
          industry to ensure that this bill does not unintentionally  
          restrict the ability of merchants to process credit card  
          transactions through the use of third parties.




          4.   Scope of online commerce affected
           
          As stated in the findings and declarations section of this bill,  
          it is the intent of the author to "apply the provisions of the  
          Song-Beverly Credit Card Act of 1971 to all credit card  
          transactions, including online transactions involving a  
          downloadable product."  (See SB 383, pg. 3, lines 9-12).   
          However, the operative provisions of the bill appear to only  
          reach a subclass of online transactions that involve a  
          downloadable product.  (See SB 383, pg. 7, lines 33-34 [". . .  
          may require a cardholder, as a condition to accepting a credit  
          card as payment in full or in part in an online transaction  
          involving an electronically downloadable product . . ."].)  The  
          author should work with the bill sponsor to clarify the intended  
          scope of online commerce affected by this bill.


                                                                      



          SB 383 (Jackson)
          Page 13 of ?



           Support  :  American Civil Liberties Union of California;  
          California Alliance for Retired Americans; California Conference  
          Board of the Amalgamated Transit Union; California Conference of  
          Machinists; CALPIRG; California Teamsters Public Affairs  
          Council; Consumer Action; Electronic Frontier Foundation;  
          Engineers and Scientists of California; International Longshore  
          and Warehouse Union; PrivacyActivism; Privacy Rights  
          Clearinghouse; Professionals and Technical Engineers; United  
          Food and Commercial Workers Western States Council; Utility  
          Workers Union of America; UNITE-HERE

           Opposition  :  None Known

                                        HISTORY
           
           Source  :  Consumer Federation of California

           Related Pending Legislation  :  AB 844 (Dickinson, 2013) would  
          expand existing privacy protections concerning credit card  
          transactions, including provisions of the Song Beverly Credit  
          Card Act, to transactions involving a debit card.  This bill  
          would also permit the operator of a commercial Internet Web site  
          or online service that collects personal identifiable  
          information to require a credit cardholder or debit cardholder  
          to provide the cardholder's ZIP Code to complete an  
          Internet-based credit card or debit card transaction, subject to  
          certain restrictions, if used solely for the prevention of  
          fraud, theft, or identity theft.  This bill was passed out of  
          the Assembly Banking and Finance Committee on April 22, 2013, by  
          a vote of 8-3, and was passed out of the Assembly Judiciary  
          Committee on April 30, 2013, by a vote of 7-3.  The amendments  
          and renumbering of Civil Code Sections 1747.02 and 1747.08  
          called for in AB 844 may conflict with similar provisions in  
          this bill (SB 383).

           Prior Legislation  :

          AB 1219 (Perea, Chapter 690, Statutes of 2011) created an  
          exception to existing law's prohibition against the collection  
          of ZIP Codes during credit card sales transactions by  
          specifically permitting the collection of ZIP Code information  
          when a person or entity accepting a credit card in a sales  
          transaction at a retail motor fuel dispenser or retail motor  
          fuel payment island automated cashier uses the ZIP Code  
          information solely for prevention of fraud, theft, or identity  
          theft.
                                                                      



          SB 383 (Jackson)
          Page 14 of ?




          AB 521 (Koretz, Chapter 294, Statutes of 2001) extended  
          provisions of the Song Beverly Credit Card Act to the issuance  
          of student credit cards, defined as a credit card that is  
          provided to a student at a public or private college or  
          university solely based on his or her enrollment in the  
          university, or is provided to a student who would not otherwise  
          qualify for that credit card on the basis of his or her income.

          AB 2021 (Fuentes, 2008) would have permitted, subject to certain  
          limitations, a merchant to request or require personal  
          information in connection with the use of a credit card for  
          transactions conducted via the Internet, telephone, or e-mail  
          for which the cardholder is not physically present, and the  
          personal identification information is required for, and is used  
          only for, fraud detection or prevention in connection with the  
          transaction.  This bill died in the Senate Judiciary Committee.

          AB 3013 (Pavley, 2004) would have prohibited a credit card  
          issuer from printing more than the last 8 digits of the credit  
          card account number on each billing statement provided to a  
          cardholder in this state, or printing a cardholder's account  
          number on an endorsed cardholder's payment check.  This bill  
          died in the Assembly Banking and Finance Committee.

          AB 1477 (Areias, Chapter 1089, Statutes of 1991) prohibited a  
          merchant which accepts credit cards from requesting or requiring  
          personal identification information for purposes of notation as  
          a condition of acceptance of the card.  The bill clarified that  
          the merchant may require reasonable forms of identification,  
          including a driver's license, provided that no information  
          contained thereon is recorded on the credit card transaction  
          form or otherwise.

          AB 2920 (Areias, Chapter 999, Statutes of 1990) prohibited  
          persons who accept credit cards in business transactions from  
          requiring, as a condition of accepting a credit card, that the  
          cardholder write or provide personal identification information  
          for notation on the credit card transaction form or otherwise,  
          subject to certain limitations.  The bill made violators subject  
          to a civil penalty of up to $250 for a first violation and  
          $1,000 for subsequent violations.

                                   **************
                                          

                                                                      



          SB 383 (Jackson)
          Page 15 of ?