BILL ANALYSIS ��
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 383|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: SB 383
Author: Jackson (D)
Amended: 5/24/13
Vote: 21
SENATE JUDICIARY COMMITTEE : 5-1, 5/7/13
AYES: Evans, Corbett, Jackson, Leno, Monning
NOES: Anderson
NO VOTE RECORDED: Walters
SUBJECT : Credit cards: downloadable products: personal
information
SOURCE : Consumer Federation of California
DIGEST : This bill authorizes a person or entity that accepts
credit cards in an online transaction, as defined, to require a
cardholder, as a condition to accepting a credit card as payment
in full or in part for goods or services, to provide the billing
ZIP Code and street address number associated with the credit
card, if used solely for the prevention of fraud, theft, or
identity theft. This bill authorizes the person or entity
accepting the credit card to require a cardholder, as a
condition to accepting a credit card as payment in full or in
part, in an online transaction, to provide additional personal
information, if it requires that information for the prevention
of fraud, theft, or identity theft, and the additional personal
information is used solely for the prevention of fraud, theft,
or identity theft. This bill also requires the disposal of
specified personal information after it is no longer needed and
CONTINUED
�
SB 383
Page
2
prohibits the information from being aggregated and shared with
any other person or entity.
Senate Floor Amendments of 5/24/13 , expand the scope of
transactions covered by the bill's provisions to include all
online credit card transactions. Amendments also expand the
scope of personal identification information that merchants can
collect as part of a transaction, and make minor technical
changes.
ANALYSIS :
Existing law:
1.Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy (Cal. Const.,
Art. I, Sec. 1). This privacy provision in the California
Constitution "creates a legal and enforceable right of privacy
for every Californian." (White v. Davis (1975) 13 Cal.3d 757,
775.)
2.Requires through the California Online Privacy Protection Act,
that an operator of a commercial Internet Web site or online
service that collects personally identifiable information
about individual consumers residing in California who use or
visit its commercial Internet Web site or online service to
conspicuously post its privacy policy on its Internet Web
site, or in the case of an operator of an online service, make
that policy available to consumers in accordance with state
law. (Bus. and Prof. Code Sec. 22575 (a).)
3.Prohibits through the Song Beverly Credit Card Act (act) (Civ.
Code Sec. 1747 et. seq.) persons and entities that accept
credit cards for the transaction of business from doing any of
the following:
A. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to write any personal identification information
on the credit card transaction form.
B. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to provide personal identification information,
CONTINUED
�
SB 383
Page
3
which the person or entity accepting the credit card,
writes, causes to be written, or otherwise records upon the
credit card transaction form.
C. Utilizing, in any credit card transaction, a credit card
form that contains preprinted spaces specifically
designated for filling in any personal identification
information of the cardholder. (Civ. Code Sec. 1747.08
(a).)
1.Defines "personal identification information" to mean
information concerning the cardholder, other than information
set forth on the credit card, and including, but not limited
to, the cardholder's address and telephone number. (Civ. Code
Sec. 1747.08 (b).)
2.Provides that the above-described restrictions on the
collection of the personal identification information of a
credit card holder do not apply in the following instances:
A. If the credit card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrence.
B. Cash advance transactions.
C. If the person, firm, partnership, association, or
corporation accepting the credit card is contractually
obligated to provide personal identification information in
order to complete the credit card transaction or is
obligated to collect and record the personal identification
information by federal law, state law, or regulation.
D. If the person, firm, partnership, association, or
corporation accepting the credit card in a sales
transaction at a retail motor fuel dispenser or retail
motor fuel payment island automated cashier uses the ZIP
Code information solely for prevention of fraud, theft, or
identity theft.
E. If the personal identification information is required
for a special purpose incidental but related to the
individual credit card transaction, including, but not
limited to, information relating to shipping, delivery,
CONTINUED
�
SB 383
Page
4
servicing, or installation of the purchased merchandise, or
for special orders. (Civ. Code Sec. 1747.08 (c).)
1.Does not prohibit any person or entity from requiring the
cardholder, as a condition of accepting the credit card as
payment in full or in part for goods or services, to provide
reasonable forms of positive identification, which may include
a driver's license or a California State identification card,
or where one of these is not available, another form of photo
identification, provided that none of the information
contained thereon is written or recorded on the credit card
transaction form or otherwise. (Civ. Code Sec. 1747.08 (d).)
2.Imposes a civil penalty not to exceed two hundred fifty
dollars ($250) for the first violation of this section, and
one thousand dollars ($1,000) for each subsequent violation.
(Civ. Code Sec. 1747.08 (e).)
This bill:
1.Permits a person or entity to require a cardholder, as a
condition of accepting a credit card as payment in full or in
part in an online transaction, to provide specified
information, if used solely for the prevention of fraud,
theft, or identity theft.
2.Requires the person or entity accepting the credit card to
destroy or dispose of the ZIP Code and street address number
information in a secure manner after it is no longer needed
for the prevention of fraud, theft, or identity theft.
3.Prohibits the person or entity from aggregating the ZIP Code
and street address number with any other personal
identification information and also prohibits the person or
entity from sharing the ZIP Code and street address number
information with any other person, firm, partnership,
association, or corporation.
4.Codifies the intent of the Legislature to apply the act to all
credit card transactions without reference to the method,
platform, or technology used to process or complete the
transaction.
5.Finds and declares the intent of the Legislature to apply the
CONTINUED
�
SB 383
Page
5
provisions of the act to all credit card transactions,
including online transactions involving a downloadable
product.
Background
The act (Civ. Code Sec. 1747 et. seq.) broadly prohibits
businesses and others from requesting or requiring a credit card
holder to provide personal identification information during a
credit card transaction, except in certain limited situations.
Enacted in 1971, the act regulates the issuance of credit cards
to consumers in the State of California, and specifies the
rights and obligations of retailers and cardholders in their
use. The act articulates "fair business practices for the
protection of consumers," and "made major changes in the law
dealing with credit card practices by prescribing procedures for
billing, billing errors, dissemination of false credit
information, issuance and unauthorized use of credit cards."
(Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524,
538-39)
The Supreme Court revisited the act earlier this year in Apple
Inc. v. Superior Court (2013) 56 Cal.4th 128. Despite its broad
holding two years before in the Pineda case, the Court's
decision in Apple presented a very narrow reading of the act's
privacy related provisions. The Apple case involved a putative
class action claim brought by a consumer of Apple Computer's
iTunes music and video download service. The consumer claimed
that Apple had violated the act by requiring iTunes consumers to
provide their telephone number and address in order to complete
online purchases paid for with a credit card. The Court
rejected the consumer's claim, and held that the act did not
apply to online transactions involving downloadable products.
["Upon careful consideration of the statute's text, structure,
and purpose, we hold that Section 1747.08 does not apply to
online purchases in which the product is downloaded
electronically."].) Citing the legislative history of the 1990
amendments, the Court explained, "while it is clear that the
Legislature enacted the act to protect consumer privacy, it is
also clear that the Legislature did not intend to achieve
privacy protection without regard to exposing consumers and
retailers to undue risk of fraud." (Apple Inc., 56 Cal.4th 128,
139.)
CONTINUED
�
SB 383
Page
6
The Court interpreted the act's legislative history as "showing
that the Legislature enacted the statute's privacy related
prohibitions only after carefully considering and rejecting the
possibility that the collection of personal identification
information by brick-and-mortar retailers could serve a
legitimate purpose such as fraud prevention." (Apple Inc., 56
Cal.4th at 139.) With the competing interests of consumer
privacy and fraud prevention in mind, the Court found that:
The safeguards against fraud that are provided in [the act]
are not available to the online retailer selling an
electronically downloadable product. Unlike a
brick-and-mortar retailer, an online retailer cannot
visually inspect the credit card, the signature on the back
of the card, or the customer's photo identification. Thus,
Section 1747.08(d) [concerning a retailer's ability to
request to see reasonable forms of positive
identification]-the key antifraud mechanism in the
statutory scheme-has no practical application to online
transactions involving electronically downloadable
products. We cannot conclude that if the Legislature in
1990 had been prescient enough to anticipate online
transactions involving electronically downloadable
products, it would have intended the act's prohibitions to
apply to such transactions despite the unavailability of
Section 1747.08 (d)'s [fraud prevention] safeguards.
The Supreme Court limited its holding in Apple to the particular
facts in that case, stating "we have no occasion here to decide
whether the prohibitions in the act apply to online transactions
that do not involve electronically downloadable products or to
any other transactions that do not involve in-person,
face-to-face interaction between the customer and retailer."
(Apple Inc., 56 Cal.4th at 143.) Nonetheless, the majority
opinion expressly invited the Legislature to amend the law and
apply it to online transactions of downloadable products if it
so desired. ["The Legislature may believe these measures are
inadequate and, if so, may enact additional protections. Or the
Legislature may believe that existing laws, together with market
forces reflecting consumer preferences, are sufficient. It is
not our role to opine on this important policy issue."].)
Prior Legislation
CONTINUED
�
SB 383
Page
7
AB 1219 (Perea, Chapter 690, Statutes of 2011), created an
exception to existing law's prohibition against the collection
of ZIP Codes during credit card sales transactions by
specifically permitting the collection of ZIP Code information
when a person or entity accepting a credit card in a sales
transaction at a retail motor fuel dispenser or retail motor
fuel payment island automated cashier uses the ZIP Code
information solely for prevention of fraud, theft, or identity
theft.
AB 2021 (Fuentes, 2008), would have permitted, subject to
certain limitations, a merchant to request or require personal
information in connection with the use of a credit card for
transactions conducted via the Internet, telephone, or e-mail
for which the cardholder is not physically present, and the
personal identification information is required for, and is used
only for, fraud detection or prevention in connection with the
transaction. This bill died in the Senate Judiciary Committee.
AB 3013 (Pavley, 2004), would have prohibited a credit card
issuer from printing more than the last eight digits of the
credit card account number on each billing statement provided to
a cardholder in this state, or printing a cardholder's account
number on an endorsed cardholder's payment check. This bill
died in the Assembly Banking and Finance Committee.
AB 1477 (Areias, Chapter 1089, Statutes of 1991), prohibited a
merchant which accepts credit cards from requesting or requiring
personal identification information for purposes of notation as
a condition of acceptance of the card. The bill clarified that
the merchant may require reasonable forms of identification,
including a driver's license, provided that no information
contained thereon is recorded on the credit card transaction
form or otherwise.
AB 2920 (Areias, Chapter 999, Statutes of 1990), prohibited
persons who accept credit cards in business transactions from
requiring, as a condition of accepting a credit card, that the
cardholder write or provide personal identification information
for notation on the credit card transaction form or otherwise,
subject to certain limitations. The bill made violators subject
to a civil penalty of up to $250 for a first violation and
$1,000 for subsequent violations.
CONTINUED
�
SB 383
Page
8
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local:
No
SUPPORT : (Verified 5/28/13)
Consumer Federation of California (source)
American Civil Liberties Union of California
California Alliance for Retired Americans
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California Teamsters Public Affairs Council
CALPIRG
Consumer Action
Consumer Attorneys of California
Electronic Frontier Foundation
Engineers and Scientists of California
International Longshore and Warehouse Union
Privacy Rights Clearinghouse
PrivacyActivism
Professionals and Technical Engineers
United Food and Commercial Workers Western States Council
UNITE-HERE
Utility Workers Union of America
OPPOSITION : (Verified 5/28/13)
California Chamber of Commerce
California Manufacturers and Technology Association
California Retailers Association
California Travel Association
Direct Marketing Association
Internet Alliance
Personal Insurance Federation of California
State Privacy and Security Coalition
TechAmerica
TechNet
ARGUMENTS IN SUPPORT : According to the author's office,
The bill seeks to remedy the deficiency in law created by
the Apple decision, which eliminated credit card privacy
for downloadable product purchases based on the rationale
CONTINUED
�
SB 383
Page
9
of fraud prevention, but the court did not restrict the
collection of personally identifiable information for cases
involving fraud prevention, and it did not limit the use of
information collected to fraud prevention. As a result,
online merchants in these transactions may now collect
personally identifiable information without limit, for any
reason or for no reason at all, and may use the information
for any purpose. SB 383 follows the rationale of the Apple
ruling, and balances it with Song Beverly's overarching
principle of protecting cardholders from unwarranted
privacy invasions by creating a limited exception that
allows merchants impacted by Apple to gather only that
information that is needed for fraud prevention, and limits
the use of the information for fraud prevention purposes
only.
Businesses should be entitled to collect only information
concerning a credit card holder that is required for
completion of the cardholder-initiated transaction, for
other legal or compliance purposes.
Without this legislation, online merchants are free to use
information about cardholders to build customer profiles,
and use this information for marketing, or for sale to
third parties who may use this information for any purpose.
A consumer's choice in downloadable product purchases may
reveal intimate details about a consumer's interests, among
these a consumer's medical interests, sexual orientation,
investments, financial status, dating interests, political
views and other forms of confidential information.
ARGUMENTS IN OPPOSITION : Opponents write,
"In the rush to 'modernize' Song-Beverly to apply directly
to online commerce, SB 383 places over-reaching
restrictions on operators of commercial Internet Web sites
or Online Services. The need by these organizations to
collect personally identifiable information to protect
online consumers from fraud is of far greater importance
than the sharing of this information. There must be
safeguards in place for online operators to verify the
identity of their consumers that far exceed what is
proposed in this bill. The consequences to online commerce
of getting this wrong are enormous, and thus we urge the
CONTINUED
�
SB 383
Page
10
Legislature to proceed with appropriate caution."
"Unlike traditional retail settings, online commerce has no
actual human interaction that can verify the physical
presence of a card and identification. The ability to
correctly provide personally identifiable information is a
front-line defense against fraud. Today, many use online
services to conduct transactions for a variety of purposes
and placing restrictions on how online retailers can verify
identity and fight fraudulent activity could lead to
thousands of Californians becoming victims to fraud."
AL:ej 5/28/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****
CONTINUED