BILL ANALYSIS                                                                                                                                                                                                    



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        SB 383|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  SB 383
          Author:   Jackson (D)
          Amended:  4/1/13
          Vote:     21


           SENATE JUDICIARY COMMITTEE  :  5-1, 5/7/13
          AYES:  Evans, Corbett, Jackson, Leno, Monning
          NOES:  Anderson
          NO VOTE RECORDED:  Walters


           SUBJECT  :    Credit cards:  downloadable products:  personal  
          information

           SOURCE  :     Consumer Federation of California


           DIGEST  :    This bill authorizes a person or entity that accepts  
          credit cards as part of an online transaction involving an  
          electronically downloadable product to require a cardholder, as  
          a condition of accepting a credit card as payment for goods or  
          services, to provide the billing ZIP Code and the numerical  
          portion of the street address associated with the credit card,  
          to be used solely for the prevention of fraud, theft, or  
          identity theft.  This bill additionally requires the person or  
          entity to dispose of the ZIP Code and street address number  
          information in a secure manner after it is no longer needed for  
          the prevention of fraud, theft, or identity theft, and prohibits  
          the person or entity from aggregating the ZIP Code and street  
          address number information with any other personal  
          identification information, or from sharing the ZIP Code and  
          street address number information with any third party.
                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          2

           
          ANALYSIS  :    

          Existing law:

          1.Provides that, among other rights, all people have an  
            inalienable right to pursue and obtain privacy (Cal. Const.,  
            art. I, Sec. 1).  This privacy provision in the California  
            Constitution "creates a legal and enforceable right of privacy  
            for every Californian."  (White v. Davis (1975) 13 Cal.3d 757,  
            775.)

          2.Requires through the California Online Privacy Protection Act,  
            that an operator of a commercial Internet Web site or online  
            service that collects personally identifiable information  
            about individual consumers residing in California who use or  
            visit its commercial Internet Web site or online service to  
            conspicuously post its privacy policy on its Internet Web  
            site, or in the case of an operator of an online service, make  
            that policy available to consumers in accordance with state  
            law.  (Bus. and Prof. Code Sec. 22575 (a).)

          3.Prohibits through the Song Beverly Credit Card Act (Civ. Code  
            Sec. 1747 et. seq.) persons and entities that accept credit  
            cards for the transaction of business from doing any of the  
            following:

             A.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to write any personal identification information  
               on the credit card transaction form.

             B.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to provide personal identification information,  
               which the person or entity accepting the credit card,  
               writes, causes to be written, or otherwise records upon the  
               credit card transaction form.

             C.   Utilizing, in any credit card transaction, a credit card  
               form that contains preprinted spaces specifically  
               designated for filling in any personal identification  
               information of the cardholder.  (Civ. Code Sec. 1747.08  
               (a).)

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          3


          1.Defines "personal identification information" to mean  
            information concerning the cardholder, other than information  
            set forth on the credit card, and including, but not limited  
            to, the cardholder's address and telephone number.  (Civ. Code  
            Sec. 1747.08 (b).)

          2.Provides that the above-described restrictions on the  
            collection of the personal identification information of a  
            credit card holder do not apply in the following instances:

             A.   If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence.

             B.   Cash advance transactions.

             C.   If the person, firm, partnership, association, or  
               corporation accepting the credit card is contractually  
               obligated to provide personal identification information in  
               order to complete the credit card transaction or is  
               obligated to collect and record the personal identification  
               information by federal law, state law, or regulation.

             D.   If the person, firm, partnership, association, or  
               corporation accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for prevention of fraud, theft, or  
               identity theft.

             E.   If the personal identification information is required  
               for a special purpose incidental but related to the  
               individual credit card transaction, including, but not  
               limited to, information relating to shipping, delivery,  
               servicing, or installation of the purchased merchandise, or  
               for special orders.  (Civ. Code Sec. 1747.08 (c).)

          1.Does not prohibit any person or entity from requiring the  
            cardholder, as a condition of accepting the credit card as  
            payment in full or in part for goods or services, to provide  
            reasonable forms of positive identification, which may include  
            a driver's license or a California state identification card,  
            or where one of these is not available, another form of photo  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          4

            identification, provided that none of the information  
            contained thereon is written or recorded on the credit card  
            transaction form or otherwise.  (Civ. Code Sec. 1747.08 (d).)

          2.Imposes a civil penalty not to exceed two hundred fifty  
            dollars ($250) for the first violation of this section, and  
            one thousand dollars ($1,000) for each subsequent violation.   
            (Civ. Code Sec. 1747.08 (e).)

          This bill:

          1.Permits a person or entity to require a cardholder, as a  
            condition of accepting a credit card as payment in full or in  
            part in an online transaction involving an electronically  
            downloadable product, to provide the billing ZIP Code number  
            and numerical portion of the street address associated with  
            the credit card, if used solely for the prevention of fraud,  
            theft, or identity theft.

          2.Requires the person or entity accepting the credit card to  
            destroy or dispose of the ZIP Code and street address number  
            information in a secure manner after it is no longer needed  
            for the prevention of fraud, theft, or identity theft.

          3.Prohibits the person or entity from aggregating the ZIP Code  
            and street address number with any other personal  
            identification information and also prohibits the person or  
            entity from sharing the ZIP Code and street address number  
            information with any other person, firm, partnership,  
            association, or corporation.

          4.Codifies the intent of the Legislature to apply the Song  
            Beverly Credit Card Act to all credit card transactions  
            without reference to the method, platform, or technology used  
            to process or complete the transaction.

          5.Finds and declares the intent of the Legislature to apply the  
            provisions of the Song Beverly Credit Card Act to all credit  
            card transactions, including online transactions involving a  
            downloadable product.

          6.Defines "online transaction involving an electronically  
            downloadable product" to mean a credit card transaction for a  
            product, service, subscription, or any other consideration, in  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          5

            which the product, service, subscription, or consideration is  
            provided by means of a download to the cardholder's computer,  
            telephone, or other electronic device.

           Background
           
          The Song Beverly Credit Card Act (Civ. Code Sec. 1747 et. seq.)  
          broadly prohibits businesses and others from requesting or  
          requiring a credit card holder to provide personal  
          identification information during a credit card transaction,  
          except in certain limited situations.  Enacted in 1971, the act  
          regulates the issuance of credit cards to consumers in the State  
          of California, and specifies the rights and obligations of  
          retailers and cardholders in their use.  The act articulates  
          "fair business practices for the protection of consumers," and  
          "made major changes in the law dealing with credit card  
          practices by prescribing procedures for billing, billing errors,  
          dissemination of false credit information, issuance and  
          unauthorized use of credit cards."  (Pineda v. Williams-Sonoma  
          Stores, Inc. (2011) 51 Cal.4th 524, 538-39 [internal citations  
          and quotation marks omitted].)

          The Supreme Court revisited the Song Beverly Credit Card Act  
          earlier this year in Apple Inc. v. Superior Court (2013) 56  
          Cal.4th 128.  Despite its broad holding two years before in the  
          Pineda case, the Court's decision in Apple presented a very  
          narrow reading of the act's privacy related provisions.  The  
          Apple case involved a putative class action claim brought by a  
          consumer of Apple Computer's iTunes music and video download  
          service.  The consumer claimed that Apple had violated the act  
          by requiring iTunes consumers to provide their telephone number  
          and address in order to complete online purchases paid for with  
          a credit card.  The Court rejected the consumer's claim, and  
          held that the act did not apply to online transactions involving  
          downloadable products.  ["Upon careful consideration of the  
          statute's text, structure, and purpose, we hold that Section  
          1747.08 does not apply to online purchases in which the product  
          is downloaded electronically."].)  Citing the legislative  
          history of the 1990 amendments, the Court explained, "[w]hile it  
          is clear that the Legislature enacted the [act] to protect  
          consumer privacy, it is also clear that the Legislature did not  
          intend to achieve privacy protection without regard to exposing  
          consumers and retailers to undue risk of fraud."  (Apple Inc.,  
          56 Cal.4th 128, 139.)

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          6


          The Court interpreted the act's legislative history as  
          "show[ing] that the Legislature enacted the statute's privacy  
          related prohibitions only after carefully considering and  
          rejecting the possibility that the collection of personal  
          identification information by brick-and-mortar retailers could  
          serve a legitimate purpose such as fraud prevention."  (Apple  
          Inc., 56 Cal.4th at 139.)  With the competing interests of  
          consumer privacy and fraud prevention in mind, the Court found  
          that:

               The safeguards against fraud that are provided in [the act]  
               are not available to the online retailer selling an  
               electronically downloadable product.  Unlike a  
               brick-and-mortar retailer, an online retailer cannot  
               visually inspect the credit card, the signature on the back  
               of the card, or the customer's photo identification.  Thus,  
               Section 1747.08(d) [concerning a retailer's ability to  
               request to see reasonable forms of positive  
               identification]-the key antifraud mechanism in the  
               statutory scheme-has no practical application to online  
               transactions involving electronically downloadable  
               products.  We cannot conclude that if the Legislature in  
               1990 had been prescient enough to anticipate online  
               transactions involving electronically downloadable  
               products, it would have intended [the act's] prohibitions  
               to apply to such transactions despite the unavailability of  
               Section 1747.08 (d)'s [fraud prevention] safeguards.

          The Supreme Court limited its holding in Apple to the particular  
          facts in that case, stating "[w]e have no occasion here to  
          decide whether [the prohibitions in the act] appl[y] to online  
          transactions that do not involve electronically downloadable  
          products or to any other transactions that do not involve  
          in-person, face-to-face interaction between the customer and  
          retailer."  (Apple Inc., 56 Cal.4th at 143.)  Nonetheless, the  
          majority opinion expressly invited the Legislature to amend the  
          law and apply it to online transactions of downloadable products  
          if it so desired.  ["The Legislature may believe these measures  
          are inadequate and, if so, may enact additional protections.  Or  
          the Legislature may believe that existing laws, together with  
          market forces reflecting consumer preferences, are sufficient.   
          It is not our role to opine on this important policy issue."].)


                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          7

           Prior Legislation
           
          AB 1219 (Perea, Chapter 690, Statutes of 2011), created an  
          exception to existing law's prohibition against the collection  
          of ZIP Codes during credit card sales transactions by  
          specifically permitting the collection of ZIP Code information  
          when a person or entity accepting a credit card in a sales  
          transaction at a retail motor fuel dispenser or retail motor  
          fuel payment island automated cashier uses the ZIP Code  
          information solely for prevention of fraud, theft, or identity  
          theft.

          AB 2021 (Fuentes, 2008), would have permitted, subject to  
          certain limitations, a merchant to request or require personal  
          information in connection with the use of a credit card for  
          transactions conducted via the Internet, telephone, or e-mail  
          for which the cardholder is not physically present, and the  
          personal identification information is required for, and is used  
          only for, fraud detection or prevention in connection with the  
          transaction.  This bill died in the Senate Judiciary Committee.

          AB 3013 (Pavley, 2004), would have prohibited a credit card  
          issuer from printing more than the last eight digits of the  
          credit card account number on each billing statement provided to  
          a cardholder in this state, or printing a cardholder's account  
          number on an endorsed cardholder's payment check.  This bill  
          died in the Assembly Banking and Finance Committee.

          AB 1477 (Areias, Chapter 1089, Statutes of 1991), prohibited a  
          merchant which accepts credit cards from requesting or requiring  
          personal identification information for purposes of notation as  
          a condition of acceptance of the card.  The bill clarified that  
          the merchant may require reasonable forms of identification,  
          including a driver's license, provided that no information  
          contained thereon is recorded on the credit card transaction  
          form or otherwise.

          AB 2920 (Areias, Chapter 999, Statutes of 1990), prohibited  
          persons who accept credit cards in business transactions from  
          requiring, as a condition of accepting a credit card, that the  
          cardholder write or provide personal identification information  
          for notation on the credit card transaction form or otherwise,  
          subject to certain limitations.  The bill made violators subject  
          to a civil penalty of up to $250 for a first violation and  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          8

          $1,000 for subsequent violations.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   Local:  
           No

           SUPPORT  :   (Verified  5/8/13)

          Consumer Federation of California (source)
          American Civil Liberties Union of California
          California Alliance for Retired Americans
          California Conference Board of the Amalgamated Transit Union
          California Conference of Machinists
          California Teamsters Public Affairs Council
          CALPIRG
          Consumer Action
          Consumer Attorneys of California
          Electronic Frontier Foundation
          Engineers and Scientists of California
          International Longshore and Warehouse Union
          Privacy Rights Clearinghouse
          PrivacyActivism
          Professionals and Technical Engineers
          United Food and Commercial Workers Western States Council
          UNITE-HERE
          Utility Workers Union of America

           OPPOSITION  :    (Verified  5/8/13)

          California Chamber of Commerce
          California Manufacturers and Technology Association
          California Retailers Association
          California Travel Association
          Direct Marketing Association
          Internet Alliance
          Personal Insurance Federation of California
          State privacy and Security Coalition
          TechAmerica
          TechNet

           ARGUMENTS IN SUPPORT  :    According to the author's office, the  
          bill seeks to remedy the deficiency in law created by the Apple  
          [decision], which eliminated credit card privacy for  
          downloadable product purchases based on the rationale of fraud  
          prevention, but the court did not restrict the collection of  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          9

          personally identifiable information for cases involving fraud  
          prevention, and it did not limit the use of information  
          collected to fraud prevention.  As a result, online merchants in  
          these transactions may now collect personally identifiable  
          information without limit, for any reason or for no reason at  
          all, and may use the information for any purpose.  SB 383  
          follows the rationale of the Apple ruling, and balances it with  
          Song Beverly's overarching principle of protecting cardholders  
          from unwarranted privacy invasions by creating a limited  
          exception that allows merchants impacted by Apple to gather only  
          that information that is needed for fraud prevention, and limits  
          the use of the information for fraud prevention purposes only.

          Businesses should be entitled to collect only information  
          concerning a credit card holder that is required for completion  
          of the cardholder-initiated transaction, for other legal or  
          compliance purposes.

          Without this legislation, online merchants are free to use  
          information about cardholders to build customer profiles, and  
          use this information for marketing, or for sale to third parties  
          who may use this information for any purpose.  A consumer's  
          choice in downloadable product purchases may reveal intimate  
          details about a consumer's interests, among these a consumer's  
          medical interests, sexual orientation, investments, financial  
          status, dating interests, political views and other forms of  
          confidential information.

           ARGUMENTS IN OPPOSITION  :    Opponents write, "In the rush to  
          'modernize' Song-Beverly to apply directly to online commerce,  
          SB 383 places over-reaching restrictions on operators of  
          commercial Internet Web sites or Online Services.  The need by  
          these organizations to collect personally identifiable  
          information to protect online consumers from fraud is of far  
          greater importance than the sharing of this information.  There  
          must be safeguards in place for online operators to verify the  
          identity of their consumers that far exceed what is proposed in  
          this bill.  The consequences to online commerce of getting this  
          wrong are enormous, and thus we urge the Legislature to proceed  
          with appropriate caution.

          Unlike traditional retail settings, online commerce has no  
          actual human interaction that can verify the physical presence  
          of a card and identification.  The ability to correctly provide  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          10

          personally identifiable information is a front-line defense  
          against fraud.  Today, many use online services to conduct  
          transactions for a variety of purposes and placing restrictions  
          on how online retailers can verify identity and fight fraudulent  
          activity could lead to thousands of Californians becoming  
          victims to fraud.  
           

          AL:ej  5/9/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****
































                                                                CONTINUED