BILL ANALYSIS                                                                                                                                                                                                    



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        SB 383|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  SB 383
          Author:   Jackson (D)
          Amended:  5/24/13
          Vote:     21


           SENATE JUDICIARY COMMITTEE  :  5-1, 5/7/13
          AYES:  Evans, Corbett, Jackson, Leno, Monning
          NOES:  Anderson
          NO VOTE RECORDED:  Walters


           SUBJECT  :    Credit cards:  downloadable products:  personal  
          information

           SOURCE  :     Consumer Federation of California


          DIGEST  :    This bill authorizes a person or entity that accepts  
          credit cards in an online transaction, as defined, to require a  
          cardholder, as a condition to accepting a credit card as payment  
          in full or in part for goods or services, to provide the billing  
          ZIP Code and street address number associated with the credit  
          card, if used solely for the prevention of fraud, theft, or  
          identity theft.  This bill authorizes the person or entity  
          accepting the credit card to require a cardholder, as a  
          condition to accepting a credit card as payment in full or in  
          part, in an online transaction, to provide additional personal  
          information, if it requires that information for the prevention  
          of fraud, theft, or identity theft, and the additional personal  
          information is used solely for the prevention of fraud, theft,  
          or identity theft.  This bill also requires the disposal of  
          specified personal information after it is no longer needed and  
                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          2

          prohibits the information from being aggregated and shared with  
          any other person or entity.

           Senate Floor Amendments of 5/24/13  , expand the scope of  
          transactions covered by the bill's provisions to include all  
          online credit card transactions.  Amendments also expand the  
          scope of personal identification information that merchants can  
          collect as part of a transaction, and make minor technical  
          changes.
           
          ANALYSIS  :    

          Existing law:

          1.Provides that, among other rights, all people have an  
            inalienable right to pursue and obtain privacy (Cal. Const.,  
            Art. I, Sec. 1).  This privacy provision in the California  
            Constitution "creates a legal and enforceable right of privacy  
            for every Californian."  (White v. Davis (1975) 13 Cal.3d 757,  
            775.)

          2.Requires through the California Online Privacy Protection Act,  
            that an operator of a commercial Internet Web site or online  
            service that collects personally identifiable information  
            about individual consumers residing in California who use or  
            visit its commercial Internet Web site or online service to  
            conspicuously post its privacy policy on its Internet Web  
            site, or in the case of an operator of an online service, make  
            that policy available to consumers in accordance with state  
            law.  (Bus. and Prof. Code Sec. 22575 (a).)

          3.Prohibits through the Song Beverly Credit Card Act (act) (Civ.  
            Code Sec. 1747 et. seq.) persons and entities that accept  
            credit cards for the transaction of business from doing any of  
            the following:

             A.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to write any personal identification information  
               on the credit card transaction form.

             B.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to provide personal identification information,  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          3

               which the person or entity accepting the credit card,  
               writes, causes to be written, or otherwise records upon the  
               credit card transaction form.

             C.   Utilizing, in any credit card transaction, a credit card  
               form that contains preprinted spaces specifically  
               designated for filling in any personal identification  
               information of the cardholder.  (Civ. Code Sec. 1747.08  
               (a).)

          1.Defines "personal identification information" to mean  
            information concerning the cardholder, other than information  
            set forth on the credit card, and including, but not limited  
            to, the cardholder's address and telephone number.  (Civ. Code  
            Sec. 1747.08 (b).)

          2.Provides that the above-described restrictions on the  
            collection of the personal identification information of a  
            credit card holder do not apply in the following instances:

             A.   If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence.

             B.   Cash advance transactions.

             C.   If the person, firm, partnership, association, or  
               corporation accepting the credit card is contractually  
               obligated to provide personal identification information in  
               order to complete the credit card transaction or is  
               obligated to collect and record the personal identification  
               information by federal law, state law, or regulation.

             D.   If the person, firm, partnership, association, or  
               corporation accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for prevention of fraud, theft, or  
               identity theft.

             E.   If the personal identification information is required  
               for a special purpose incidental but related to the  
               individual credit card transaction, including, but not  
               limited to, information relating to shipping, delivery,  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          4

               servicing, or installation of the purchased merchandise, or  
               for special orders.  (Civ. Code Sec. 1747.08 (c).)

          1.Does not prohibit any person or entity from requiring the  
            cardholder, as a condition of accepting the credit card as  
            payment in full or in part for goods or services, to provide  
            reasonable forms of positive identification, which may include  
            a driver's license or a California State identification card,  
            or where one of these is not available, another form of photo  
            identification, provided that none of the information  
            contained thereon is written or recorded on the credit card  
            transaction form or otherwise.  (Civ. Code Sec. 1747.08 (d).)

          2.Imposes a civil penalty not to exceed two hundred fifty  
            dollars ($250) for the first violation of this section, and  
            one thousand dollars ($1,000) for each subsequent violation.   
            (Civ. Code Sec. 1747.08 (e).)

          This bill:

          1.Permits a person or entity to require a cardholder, as a  
            condition of accepting a credit card as payment in full or in  
            part in an online transaction, to provide specified  
            information, if used solely for the prevention of fraud,  
            theft, or identity theft.

          2.Requires the person or entity accepting the credit card to  
            destroy or dispose of the ZIP Code and street address number  
            information in a secure manner after it is no longer needed  
            for the prevention of fraud, theft, or identity theft.

          3.Prohibits the person or entity from aggregating the ZIP Code  
            and street address number with any other personal  
            identification information and also prohibits the person or  
            entity from sharing the ZIP Code and street address number  
            information with any other person, firm, partnership,  
            association, or corporation.

          4.Codifies the intent of the Legislature to apply the act to all  
            credit card transactions without reference to the method,  
            platform, or technology used to process or complete the  
            transaction.

          5.Finds and declares the intent of the Legislature to apply the  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          5

            provisions of the act to all credit card transactions,  
            including online transactions involving a downloadable  
            product.

           Background
           
          The act (Civ. Code Sec. 1747 et. seq.) broadly prohibits  
          businesses and others from requesting or requiring a credit card  
          holder to provide personal identification information during a  
          credit card transaction, except in certain limited situations.   
          Enacted in 1971, the act regulates the issuance of credit cards  
          to consumers in the State of California, and specifies the  
          rights and obligations of retailers and cardholders in their  
          use.  The act articulates "fair business practices for the  
          protection of consumers," and "made major changes in the law  
          dealing with credit card practices by prescribing procedures for  
          billing, billing errors, dissemination of false credit  
          information, issuance and unauthorized use of credit cards."   
          (Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524,  
          538-39)

          The Supreme Court revisited the act earlier this year in Apple  
          Inc. v. Superior Court (2013) 56 Cal.4th 128.  Despite its broad  
          holding two years before in the Pineda case, the Court's  
          decision in Apple presented a very narrow reading of the act's  
          privacy related provisions.  The Apple case involved a putative  
          class action claim brought by a consumer of Apple Computer's  
          iTunes music and video download service.  The consumer claimed  
          that Apple had violated the act by requiring iTunes consumers to  
          provide their telephone number and address in order to complete  
          online purchases paid for with a credit card.  The Court  
          rejected the consumer's claim, and held that the act did not  
          apply to online transactions involving downloadable products.   
          ["Upon careful consideration of the statute's text, structure,  
          and purpose, we hold that Section 1747.08 does not apply to  
          online purchases in which the product is downloaded  
          electronically."].)  Citing the legislative history of the 1990  
          amendments, the Court explained, "while it is clear that the  
          Legislature enacted the act to protect consumer privacy, it is  
          also clear that the Legislature did not intend to achieve  
          privacy protection without regard to exposing consumers and  
          retailers to undue risk of fraud."  (Apple Inc., 56 Cal.4th 128,  
          139.)


                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          6

          The Court interpreted the act's legislative history as "showing  
          that the Legislature enacted the statute's privacy related  
          prohibitions only after carefully considering and rejecting the  
          possibility that the collection of personal identification  
          information by brick-and-mortar retailers could serve a  
          legitimate purpose such as fraud prevention."  (Apple Inc., 56  
          Cal.4th at 139.)  With the competing interests of consumer  
          privacy and fraud prevention in mind, the Court found that:

               The safeguards against fraud that are provided in [the act]  
               are not available to the online retailer selling an  
               electronically downloadable product.  Unlike a  
               brick-and-mortar retailer, an online retailer cannot  
               visually inspect the credit card, the signature on the back  
               of the card, or the customer's photo identification.  Thus,  
               Section 1747.08(d) [concerning a retailer's ability to  
               request to see reasonable forms of positive  
               identification]-the key antifraud mechanism in the  
               statutory scheme-has no practical application to online  
               transactions involving electronically downloadable  
               products.  We cannot conclude that if the Legislature in  
               1990 had been prescient enough to anticipate online  
               transactions involving electronically downloadable  
               products, it would have intended the act's prohibitions to  
               apply to such transactions despite the unavailability of  
               Section 1747.08 (d)'s [fraud prevention] safeguards.

          The Supreme Court limited its holding in Apple to the particular  
          facts in that case, stating "we have no occasion here to decide  
          whether the prohibitions in the act apply to online transactions  
          that do not involve electronically downloadable products or to  
          any other transactions that do not involve in-person,  
          face-to-face interaction between the customer and retailer."   
          (Apple Inc., 56 Cal.4th at 143.)  Nonetheless, the majority  
          opinion expressly invited the Legislature to amend the law and  
          apply it to online transactions of downloadable products if it  
          so desired.  ["The Legislature may believe these measures are  
          inadequate and, if so, may enact additional protections.  Or the  
          Legislature may believe that existing laws, together with market  
          forces reflecting consumer preferences, are sufficient.  It is  
          not our role to opine on this important policy issue."].)

           Prior Legislation
           

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          7

          AB 1219 (Perea, Chapter 690, Statutes of 2011), created an  
          exception to existing law's prohibition against the collection  
          of ZIP Codes during credit card sales transactions by  
          specifically permitting the collection of ZIP Code information  
          when a person or entity accepting a credit card in a sales  
          transaction at a retail motor fuel dispenser or retail motor  
          fuel payment island automated cashier uses the ZIP Code  
          information solely for prevention of fraud, theft, or identity  
          theft.

          AB 2021 (Fuentes, 2008), would have permitted, subject to  
          certain limitations, a merchant to request or require personal  
          information in connection with the use of a credit card for  
          transactions conducted via the Internet, telephone, or e-mail  
          for which the cardholder is not physically present, and the  
          personal identification information is required for, and is used  
          only for, fraud detection or prevention in connection with the  
          transaction.  This bill died in the Senate Judiciary Committee.

          AB 3013 (Pavley, 2004), would have prohibited a credit card  
          issuer from printing more than the last eight digits of the  
          credit card account number on each billing statement provided to  
          a cardholder in this state, or printing a cardholder's account  
          number on an endorsed cardholder's payment check.  This bill  
          died in the Assembly Banking and Finance Committee.

          AB 1477 (Areias, Chapter 1089, Statutes of 1991), prohibited a  
          merchant which accepts credit cards from requesting or requiring  
          personal identification information for purposes of notation as  
          a condition of acceptance of the card.  The bill clarified that  
          the merchant may require reasonable forms of identification,  
          including a driver's license, provided that no information  
          contained thereon is recorded on the credit card transaction  
          form or otherwise.

          AB 2920 (Areias, Chapter 999, Statutes of 1990), prohibited  
          persons who accept credit cards in business transactions from  
          requiring, as a condition of accepting a credit card, that the  
          cardholder write or provide personal identification information  
          for notation on the credit card transaction form or otherwise,  
          subject to certain limitations.  The bill made violators subject  
          to a civil penalty of up to $250 for a first violation and  
          $1,000 for subsequent violations.


                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          8

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   Local:  
           No

           SUPPORT  :   (Verified  5/28/13)

          Consumer Federation of California (source)
          American Civil Liberties Union of California
          California Alliance for Retired Americans
          California Conference Board of the Amalgamated Transit Union
          California Conference of Machinists
          California Teamsters Public Affairs Council
          CALPIRG
          Consumer Action
          Consumer Attorneys of California
          Electronic Frontier Foundation
          Engineers and Scientists of California
          International Longshore and Warehouse Union
          Privacy Rights Clearinghouse
          PrivacyActivism
          Professionals and Technical Engineers
          United Food and Commercial Workers Western States Council
          UNITE-HERE
          Utility Workers Union of America

           OPPOSITION  :    (Verified  5/28/13)

          California Bankers Association
          California Chamber of Commerce
          California Credit Union League
          California Independent Bankers
          California Manufacturers and Technology Association
          California Retailers Association
          California Travel Association
          Direct Marketing Association
          First Data
          Internet Alliance
          Personal Insurance Federation of California
          State Privacy and Security Coalition
          TechAmerica
          TechNet

           ARGUMENTS IN SUPPORT  :    According to the author's office,

               The bill seeks to remedy the deficiency in law created by  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          9

               the Apple decision, which eliminated credit card privacy  
               for downloadable product purchases based on the rationale  
               of fraud prevention, but the court did not restrict the  
               collection of personally identifiable information for cases  
               involving fraud prevention, and it did not limit the use of  
               information collected to fraud prevention.  As a result,  
               online merchants in these transactions may now collect  
               personally identifiable information without limit, for any  
               reason or for no reason at all, and may use the information  
               for any purpose.  SB 383 follows the rationale of the Apple  
               ruling, and balances it with Song Beverly's overarching  
               principle of protecting cardholders from unwarranted  
               privacy invasions by creating a limited exception that  
               allows merchants impacted by Apple to gather only that  
               information that is needed for fraud prevention, and limits  
               the use of the information for fraud prevention purposes  
               only.

               Businesses should be entitled to collect only information  
               concerning a credit card holder that is required for  
               completion of the cardholder-initiated transaction, for  
               other legal or compliance purposes.

               Without this legislation, online merchants are free to use  
               information about cardholders to build customer profiles,  
               and use this information for marketing, or for sale to  
               third parties who may use this information for any purpose.  
                A consumer's choice in downloadable product purchases may  
               reveal intimate details about a consumer's interests, among  
               these a consumer's medical interests, sexual orientation,  
               investments, financial status, dating interests, political  
               views and other forms of confidential information.

           ARGUMENTS IN OPPOSITION  :    Opponents write,

               "In the rush to 'modernize' Song-Beverly to apply directly  
               to online commerce, SB 383 places over-reaching  
               restrictions on operators of commercial Internet Web sites  
               or Online Services.  The need by these organizations to  
               collect personally identifiable information to protect  
               online consumers from fraud is of far greater importance  
               than the sharing of this information.  There must be  
               safeguards in place for online operators to verify the  
               identity of their consumers that far exceed what is  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          10

               proposed in this bill.  The consequences to online commerce  
               of getting this wrong are enormous, and thus we urge the  
               Legislature to proceed with appropriate caution."

               "Unlike traditional retail settings, online commerce has no  
               actual human interaction that can verify the physical  
               presence of a card and identification.  The ability to  
               correctly provide personally identifiable information is a  
               front-line defense against fraud.  Today, many use online  
               services to conduct transactions for a variety of purposes  
               and placing restrictions on how online retailers can verify  
               identity and fight fraudulent activity could lead to  
               thousands of Californians becoming victims to fraud."  
           

          AL:ej  5/28/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****

























                                                                CONTINUED