BILL ANALYSIS ��
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 383|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: SB 383
Author: Jackson (D)
Amended: 4/1/13
Vote: 21
SENATE JUDICIARY COMMITTEE : 5-1, 5/7/13
AYES: Evans, Corbett, Jackson, Leno, Monning
NOES: Anderson
NO VOTE RECORDED: Walters
SUBJECT : Credit cards: downloadable products: personal
information
SOURCE : Consumer Federation of California
DIGEST : This bill authorizes a person or entity that accepts
credit cards as part of an online transaction involving an
electronically downloadable product to require a cardholder, as
a condition of accepting a credit card as payment for goods or
services, to provide the billing ZIP Code and the numerical
portion of the street address associated with the credit card,
to be used solely for the prevention of fraud, theft, or
identity theft. This bill additionally requires the person or
entity to dispose of the ZIP Code and street address number
information in a secure manner after it is no longer needed for
the prevention of fraud, theft, or identity theft, and prohibits
the person or entity from aggregating the ZIP Code and street
address number information with any other personal
identification information, or from sharing the ZIP Code and
street address number information with any third party.
CONTINUED
�
SB 383
Page
2
ANALYSIS :
Existing law:
1.Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy (Cal. Const.,
art. I, Sec. 1). This privacy provision in the California
Constitution "creates a legal and enforceable right of privacy
for every Californian." (White v. Davis (1975) 13 Cal.3d 757,
775.)
2.Requires through the California Online Privacy Protection Act,
that an operator of a commercial Internet Web site or online
service that collects personally identifiable information
about individual consumers residing in California who use or
visit its commercial Internet Web site or online service to
conspicuously post its privacy policy on its Internet Web
site, or in the case of an operator of an online service, make
that policy available to consumers in accordance with state
law. (Bus. and Prof. Code Sec. 22575 (a).)
3.Prohibits through the Song Beverly Credit Card Act (Civ. Code
Sec. 1747 et. seq.) persons and entities that accept credit
cards for the transaction of business from doing any of the
following:
A. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to write any personal identification information
on the credit card transaction form.
B. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to provide personal identification information,
which the person or entity accepting the credit card,
writes, causes to be written, or otherwise records upon the
credit card transaction form.
C. Utilizing, in any credit card transaction, a credit card
form that contains preprinted spaces specifically
designated for filling in any personal identification
information of the cardholder. (Civ. Code Sec. 1747.08
(a).)
CONTINUED
�
SB 383
Page
3
1.Defines "personal identification information" to mean
information concerning the cardholder, other than information
set forth on the credit card, and including, but not limited
to, the cardholder's address and telephone number. (Civ. Code
Sec. 1747.08 (b).)
2.Provides that the above-described restrictions on the
collection of the personal identification information of a
credit card holder do not apply in the following instances:
A. If the credit card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrence.
B. Cash advance transactions.
C. If the person, firm, partnership, association, or
corporation accepting the credit card is contractually
obligated to provide personal identification information in
order to complete the credit card transaction or is
obligated to collect and record the personal identification
information by federal law, state law, or regulation.
D. If the person, firm, partnership, association, or
corporation accepting the credit card in a sales
transaction at a retail motor fuel dispenser or retail
motor fuel payment island automated cashier uses the ZIP
Code information solely for prevention of fraud, theft, or
identity theft.
E. If the personal identification information is required
for a special purpose incidental but related to the
individual credit card transaction, including, but not
limited to, information relating to shipping, delivery,
servicing, or installation of the purchased merchandise, or
for special orders. (Civ. Code Sec. 1747.08 (c).)
1.Does not prohibit any person or entity from requiring the
cardholder, as a condition of accepting the credit card as
payment in full or in part for goods or services, to provide
reasonable forms of positive identification, which may include
a driver's license or a California state identification card,
or where one of these is not available, another form of photo
CONTINUED
�
SB 383
Page
4
identification, provided that none of the information
contained thereon is written or recorded on the credit card
transaction form or otherwise. (Civ. Code Sec. 1747.08 (d).)
2.Imposes a civil penalty not to exceed two hundred fifty
dollars ($250) for the first violation of this section, and
one thousand dollars ($1,000) for each subsequent violation.
(Civ. Code Sec. 1747.08 (e).)
This bill:
1.Permits a person or entity to require a cardholder, as a
condition of accepting a credit card as payment in full or in
part in an online transaction involving an electronically
downloadable product, to provide the billing ZIP Code number
and numerical portion of the street address associated with
the credit card, if used solely for the prevention of fraud,
theft, or identity theft.
2.Requires the person or entity accepting the credit card to
destroy or dispose of the ZIP Code and street address number
information in a secure manner after it is no longer needed
for the prevention of fraud, theft, or identity theft.
3.Prohibits the person or entity from aggregating the ZIP Code
and street address number with any other personal
identification information and also prohibits the person or
entity from sharing the ZIP Code and street address number
information with any other person, firm, partnership,
association, or corporation.
4.Codifies the intent of the Legislature to apply the Song
Beverly Credit Card Act to all credit card transactions
without reference to the method, platform, or technology used
to process or complete the transaction.
5.Finds and declares the intent of the Legislature to apply the
provisions of the Song Beverly Credit Card Act to all credit
card transactions, including online transactions involving a
downloadable product.
6.Defines "online transaction involving an electronically
downloadable product" to mean a credit card transaction for a
product, service, subscription, or any other consideration, in
CONTINUED
�
SB 383
Page
5
which the product, service, subscription, or consideration is
provided by means of a download to the cardholder's computer,
telephone, or other electronic device.
Background
The Song Beverly Credit Card Act (Civ. Code Sec. 1747 et. seq.)
broadly prohibits businesses and others from requesting or
requiring a credit card holder to provide personal
identification information during a credit card transaction,
except in certain limited situations. Enacted in 1971, the act
regulates the issuance of credit cards to consumers in the State
of California, and specifies the rights and obligations of
retailers and cardholders in their use. The act articulates
"fair business practices for the protection of consumers," and
"made major changes in the law dealing with credit card
practices by prescribing procedures for billing, billing errors,
dissemination of false credit information, issuance and
unauthorized use of credit cards." (Pineda v. Williams-Sonoma
Stores, Inc. (2011) 51 Cal.4th 524, 538-39 [internal citations
and quotation marks omitted].)
The Supreme Court revisited the Song Beverly Credit Card Act
earlier this year in Apple Inc. v. Superior Court (2013) 56
Cal.4th 128. Despite its broad holding two years before in the
Pineda case, the Court's decision in Apple presented a very
narrow reading of the act's privacy related provisions. The
Apple case involved a putative class action claim brought by a
consumer of Apple Computer's iTunes music and video download
service. The consumer claimed that Apple had violated the act
by requiring iTunes consumers to provide their telephone number
and address in order to complete online purchases paid for with
a credit card. The Court rejected the consumer's claim, and
held that the act did not apply to online transactions involving
downloadable products. ["Upon careful consideration of the
statute's text, structure, and purpose, we hold that Section
1747.08 does not apply to online purchases in which the product
is downloaded electronically."].) Citing the legislative
history of the 1990 amendments, the Court explained, "[w]hile it
is clear that the Legislature enacted the [act] to protect
consumer privacy, it is also clear that the Legislature did not
intend to achieve privacy protection without regard to exposing
consumers and retailers to undue risk of fraud." (Apple Inc.,
56 Cal.4th 128, 139.)
CONTINUED
�
SB 383
Page
6
The Court interpreted the act's legislative history as
"show[ing] that the Legislature enacted the statute's privacy
related prohibitions only after carefully considering and
rejecting the possibility that the collection of personal
identification information by brick-and-mortar retailers could
serve a legitimate purpose such as fraud prevention." (Apple
Inc., 56 Cal.4th at 139.) With the competing interests of
consumer privacy and fraud prevention in mind, the Court found
that:
The safeguards against fraud that are provided in [the act]
are not available to the online retailer selling an
electronically downloadable product. Unlike a
brick-and-mortar retailer, an online retailer cannot
visually inspect the credit card, the signature on the back
of the card, or the customer's photo identification. Thus,
Section 1747.08(d) [concerning a retailer's ability to
request to see reasonable forms of positive
identification]-the key antifraud mechanism in the
statutory scheme-has no practical application to online
transactions involving electronically downloadable
products. We cannot conclude that if the Legislature in
1990 had been prescient enough to anticipate online
transactions involving electronically downloadable
products, it would have intended [the act's] prohibitions
to apply to such transactions despite the unavailability of
Section 1747.08 (d)'s [fraud prevention] safeguards.
The Supreme Court limited its holding in Apple to the particular
facts in that case, stating "[w]e have no occasion here to
decide whether [the prohibitions in the act] appl[y] to online
transactions that do not involve electronically downloadable
products or to any other transactions that do not involve
in-person, face-to-face interaction between the customer and
retailer." (Apple Inc., 56 Cal.4th at 143.) Nonetheless, the
majority opinion expressly invited the Legislature to amend the
law and apply it to online transactions of downloadable products
if it so desired. ["The Legislature may believe these measures
are inadequate and, if so, may enact additional protections. Or
the Legislature may believe that existing laws, together with
market forces reflecting consumer preferences, are sufficient.
It is not our role to opine on this important policy issue."].)
CONTINUED
�
SB 383
Page
7
Prior Legislation
AB 1219 (Perea, Chapter 690, Statutes of 2011), created an
exception to existing law's prohibition against the collection
of ZIP Codes during credit card sales transactions by
specifically permitting the collection of ZIP Code information
when a person or entity accepting a credit card in a sales
transaction at a retail motor fuel dispenser or retail motor
fuel payment island automated cashier uses the ZIP Code
information solely for prevention of fraud, theft, or identity
theft.
AB 2021 (Fuentes, 2008), would have permitted, subject to
certain limitations, a merchant to request or require personal
information in connection with the use of a credit card for
transactions conducted via the Internet, telephone, or e-mail
for which the cardholder is not physically present, and the
personal identification information is required for, and is used
only for, fraud detection or prevention in connection with the
transaction. This bill died in the Senate Judiciary Committee.
AB 3013 (Pavley, 2004), would have prohibited a credit card
issuer from printing more than the last eight digits of the
credit card account number on each billing statement provided to
a cardholder in this state, or printing a cardholder's account
number on an endorsed cardholder's payment check. This bill
died in the Assembly Banking and Finance Committee.
AB 1477 (Areias, Chapter 1089, Statutes of 1991), prohibited a
merchant which accepts credit cards from requesting or requiring
personal identification information for purposes of notation as
a condition of acceptance of the card. The bill clarified that
the merchant may require reasonable forms of identification,
including a driver's license, provided that no information
contained thereon is recorded on the credit card transaction
form or otherwise.
AB 2920 (Areias, Chapter 999, Statutes of 1990), prohibited
persons who accept credit cards in business transactions from
requiring, as a condition of accepting a credit card, that the
cardholder write or provide personal identification information
for notation on the credit card transaction form or otherwise,
subject to certain limitations. The bill made violators subject
to a civil penalty of up to $250 for a first violation and
CONTINUED
�
SB 383
Page
8
$1,000 for subsequent violations.
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local:
No
SUPPORT : (Verified 5/8/13)
Consumer Federation of California (source)
American Civil Liberties Union of California
California Alliance for Retired Americans
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California Teamsters Public Affairs Council
CALPIRG
Consumer Action
Consumer Attorneys of California
Electronic Frontier Foundation
Engineers and Scientists of California
International Longshore and Warehouse Union
Privacy Rights Clearinghouse
PrivacyActivism
Professionals and Technical Engineers
United Food and Commercial Workers Western States Council
UNITE-HERE
Utility Workers Union of America
OPPOSITION : (Verified 5/8/13)
California Chamber of Commerce
California Manufacturers and Technology Association
California Retailers Association
California Travel Association
Direct Marketing Association
Internet Alliance
Personal Insurance Federation of California
State privacy and Security Coalition
TechAmerica
TechNet
ARGUMENTS IN SUPPORT : According to the author's office, the
bill seeks to remedy the deficiency in law created by the Apple
[decision], which eliminated credit card privacy for
downloadable product purchases based on the rationale of fraud
prevention, but the court did not restrict the collection of
CONTINUED
�
SB 383
Page
9
personally identifiable information for cases involving fraud
prevention, and it did not limit the use of information
collected to fraud prevention. As a result, online merchants in
these transactions may now collect personally identifiable
information without limit, for any reason or for no reason at
all, and may use the information for any purpose. SB 383
follows the rationale of the Apple ruling, and balances it with
Song Beverly's overarching principle of protecting cardholders
from unwarranted privacy invasions by creating a limited
exception that allows merchants impacted by Apple to gather only
that information that is needed for fraud prevention, and limits
the use of the information for fraud prevention purposes only.
Businesses should be entitled to collect only information
concerning a credit card holder that is required for completion
of the cardholder-initiated transaction, for other legal or
compliance purposes.
Without this legislation, online merchants are free to use
information about cardholders to build customer profiles, and
use this information for marketing, or for sale to third parties
who may use this information for any purpose. A consumer's
choice in downloadable product purchases may reveal intimate
details about a consumer's interests, among these a consumer's
medical interests, sexual orientation, investments, financial
status, dating interests, political views and other forms of
confidential information.
ARGUMENTS IN OPPOSITION : Opponents write, "In the rush to
'modernize' Song-Beverly to apply directly to online commerce,
SB 383 places over-reaching restrictions on operators of
commercial Internet Web sites or Online Services. The need by
these organizations to collect personally identifiable
information to protect online consumers from fraud is of far
greater importance than the sharing of this information. There
must be safeguards in place for online operators to verify the
identity of their consumers that far exceed what is proposed in
this bill. The consequences to online commerce of getting this
wrong are enormous, and thus we urge the Legislature to proceed
with appropriate caution.
Unlike traditional retail settings, online commerce has no
actual human interaction that can verify the physical presence
of a card and identification. The ability to correctly provide
CONTINUED
�
SB 383
Page
10
personally identifiable information is a front-line defense
against fraud. Today, many use online services to conduct
transactions for a variety of purposes and placing restrictions
on how online retailers can verify identity and fight fraudulent
activity could lead to thousands of Californians becoming
victims to fraud.
AL:ej 5/9/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****
CONTINUED