BILL ANALYSIS

SENATE RULES COMMITTEE
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520 Fax: (916) 327-4478

SB 383

THIRD READING

Bill No: SB 383
Author: Jackson (D)
Amended: 5/24/13
Vote: 21

SENATE JUDICIARY COMMITTEE : 5-1, 5/7/13
AYES: Evans, Corbett, Jackson, Leno, Monning
NOES: Anderson
NO VOTE RECORDED: Walters

SUBJECT : Credit cards: downloadable products: personal information

SOURCE : Consumer Federation of California

DIGEST : This bill authorizes a person or entity that accepts credit cards in an online transaction, as defined, to require a cardholder, as a condition to accepting a credit card as payment in full or in part for goods or services, to provide the billing ZIP Code and street address number associated with the credit card, if used solely for the prevention of fraud, theft, or identity theft. This bill authorizes the person or entity accepting the credit card to require a cardholder, as a condition to accepting a credit card as payment in full or in part, in an online transaction, to provide additional personal information, if it requires that information for the prevention of fraud, theft, or identity theft, and the additional personal information is used solely for the prevention of fraud, theft, or identity theft. This bill also requires the disposal of specified personal information after it is no longer needed and prohibits the information from being aggregated and shared with any other person or entity.

Senate Floor Amendments of 5/24/13, expand the scope of transactions covered by the bill's provisions to include all online credit card transactions. Amendments also expand the scope of personal identification information that merchants can collect as part of a transaction, and make minor technical changes.

ANALYSIS : Existing law:

1. Provides that, among other rights, all people have an inalienable right to pursue and obtain privacy (Cal. Const., Art. I, Sec. 1). This privacy provision in the California Constitution "creates a legal and enforceable right of privacy for every Californian." (White v. Davis (1975) 13 Cal.3d 757, 775.)

2. Requires through the California Online Privacy Protection Act, that an operator of a commercial Internet Web site or online service that collects personally identifiable information about individual consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site, or in the case of an operator of an online service, make that policy available to consumers in accordance with state law. (Bus. and Prof. Code Sec. 22575 (a).)

3. Prohibits through the Song Beverly Credit Card Act (act) (Civ. Code Sec. 1747 et seq.) persons and entities that accept credit cards for the transaction of business from doing any of the following:

   A. Requesting or requiring the cardholder, as a condition of accepting the credit card as payment for goods or services, to write any personal identification information on the credit card transaction form.

   B. Requesting or requiring the cardholder, as a condition of accepting the credit card as payment for goods or services, to provide personal identification information, which the person or entity accepting the credit card, writes, causes to be written, or otherwise records upon the credit card transaction form.

   C. Utilizing, in any credit card transaction, a credit card form that contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder. (Civ. Code Sec. 1747.08 (a).)

1. Defines "personal identification information" to mean information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number. (Civ. Code Sec. 1747.08 (b).)

2. Provides that the above-described restrictions on the collection of the personal identification information of a credit card holder do not apply in the following instances:

   A. If the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence.

   B. Cash advance transactions.

   C. If the person, firm, partnership, association, or corporation accepting the credit card is contractually obligated to provide personal identification information in order to complete the credit card transaction or is obligated to collect and record the personal identification information by federal law, state law, or regulation.

   D. If the person, firm, partnership, association, or corporation accepting the credit card in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier uses the ZIP Code information solely for prevention of fraud, theft, or identity theft.

   E. If the personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders. (Civ. Code Sec. 1747.08 (c).)

1. Does not prohibit any person or entity from requiring the cardholder, as a condition of accepting the credit card as payment in full or in part for goods or services, to provide reasonable forms of positive identification, which may include a driver's license or a California State identification card, or where one of these is not available, another form of photo identification, provided that none of the information contained thereon is written or recorded on the credit card transaction form or otherwise. (Civ. Code Sec. 1747.08 (d).)

2. Imposes a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation of this section, and one thousand dollars ($1,000) for each subsequent violation. (Civ. Code Sec. 1747.08 (e).)

This bill:

1. Permits a person or entity to require a cardholder, as a condition of accepting a credit card as payment in full or in part in an online transaction, to provide specified information, if used solely for the prevention of fraud, theft, or identity theft.

2. Requires the person or entity accepting the credit card to destroy or dispose of the ZIP Code and street address number information in a secure manner after it is no longer needed for the prevention of fraud, theft, or identity theft.

3. Prohibits the person or entity from aggregating the ZIP Code and street address number with any other personal identification information and also prohibits the person or entity from sharing the ZIP Code and street address number information with any other person, firm, partnership, association, or corporation.

4. Codifies the intent of the Legislature to apply the act to all credit card transactions without reference to the method, platform, or technology used to process or complete the transaction.

5. Finds and declares the intent of the Legislature to apply the provisions of the act to all credit card transactions, including online transactions involving a downloadable product.

Background

The act (Civ.
Code Sec. 1747 et seq.) broadly prohibits businesses and others from requesting or requiring a credit card holder to provide personal identification information during a credit card transaction, except in certain limited situations. Enacted in 1971, the act regulates the issuance of credit cards to consumers in the State of California, and specifies the rights and obligations of retailers and cardholders in their use. The act articulates "fair business practices for the protection of consumers," and "made major changes in the law dealing with credit card practices by prescribing procedures for billing, billing errors, dissemination of false credit information, issuance and unauthorized use of credit cards." (Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524, 538-39)

The Supreme Court revisited the act earlier this year in Apple Inc. v. Superior Court (2013) 56 Cal.4th 128. Despite its broad holding two years before in the Pineda case, the Court's decision in Apple presented a very narrow reading of the act's privacy related provisions. The Apple case involved a putative class action claim brought by a consumer of Apple Computer's iTunes music and video download service. The consumer claimed that Apple had violated the act by requiring iTunes consumers to provide their telephone number and address in order to complete online purchases paid for with a credit card. The Court rejected the consumer's claim, and held that the act did not apply to online transactions involving downloadable products. ["Upon careful consideration of the statute's text, structure, and purpose, we hold that Section 1747.08 does not apply to online purchases in which the product is downloaded electronically."].)

Citing the legislative history of the 1990 amendments, the Court explained, "while it is clear that the Legislature enacted the act to protect consumer privacy, it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud." (Apple Inc., 56 Cal.4th 128, 139.)

The Court interpreted the act's legislative history as "showing that the Legislature enacted the statute's privacy related prohibitions only after carefully considering and rejecting the possibility that the collection of personal identification information by brick-and-mortar retailers could serve a legitimate purpose such as fraud prevention." (Apple Inc., 56 Cal.4th at 139.) With the competing interests of consumer privacy and fraud prevention in mind, the Court found that:

The safeguards against fraud that are provided in [the act] are not available to the online retailer selling an electronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer's photo identification. Thus, Section 1747.08(d) [concerning a retailer's ability to request to see reasonable forms of positive identification]-the key antifraud mechanism in the statutory scheme-has no practical application to online transactions involving electronically downloadable products. We cannot conclude that if the Legislature in 1990 had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended the act's prohibitions to apply to such transactions despite the unavailability of Section 1747.08 (d)'s [fraud prevention] safeguards.

The Supreme Court limited its holding in Apple to the particular facts in that case, stating "we have no occasion here to decide whether the prohibitions in the act apply to online transactions that do not involve electronically downloadable products or to any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer." (Apple Inc., 56 Cal.4th at 143.) Nonetheless, the majority opinion expressly invited the Legislature to amend the law and apply it to online transactions of downloadable products if it so desired. ["The Legislature may believe these measures are inadequate and, if so, may enact additional protections. Or the Legislature may believe that existing laws, together with market forces reflecting consumer preferences, are sufficient. It is not our role to opine on this important policy issue."].)

Prior Legislation

AB 1219 (Perea, Chapter 690, Statutes of 2011), created an exception to existing law's prohibition against the collection of ZIP Codes during credit card sales transactions by specifically permitting the collection of ZIP Code information when a person or entity accepting a credit card in a sales transaction at a retail motor fuel dispenser or retail motor fuel payment island automated cashier uses the ZIP Code information solely for prevention of fraud, theft, or identity theft.

AB 2021 (Fuentes, 2008), would have permitted, subject to certain limitations, a merchant to request or require personal information in connection with the use of a credit card for transactions conducted via the Internet, telephone, or e-mail for which the cardholder is not physically present, and the personal identification information is required for, and is used only for, fraud detection or prevention in connection with the transaction. This bill died in the Senate Judiciary Committee.

AB 3013 (Pavley, 2004), would have prohibited a credit card issuer from printing more than the last eight digits of the credit card account number on each billing statement provided to a cardholder in this state, or printing a cardholder's account number on an endorsed cardholder's payment check. This bill died in the Assembly Banking and Finance Committee.

AB 1477 (Areias, Chapter 1089, Statutes of 1991), prohibited a merchant which accepts credit cards from requesting or requiring personal identification information for purposes of notation as a condition of acceptance of the card. The bill clarified that the merchant may require reasonable forms of identification, including a driver's license, provided that no information contained thereon is recorded on the credit card transaction form or otherwise.

AB 2920 (Areias, Chapter 999, Statutes of 1990), prohibited persons who accept credit cards in business transactions from requiring, as a condition of accepting a credit card, that the cardholder write or provide personal identification information for notation on the credit card transaction form or otherwise, subject to certain limitations. The bill made violators subject to a civil penalty of up to $250 for a first violation and $1,000 for subsequent violations.

FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No

SUPPORT : (Verified 5/28/13)

Consumer Federation of California (source)
American Civil Liberties Union of California
California Alliance for Retired Americans
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California Teamsters Public Affairs Council
CALPIRG
Consumer Action
Consumer Attorneys of California
Electronic Frontier Foundation
Engineers and Scientists of California
International Longshore and Warehouse Union
Privacy Rights Clearinghouse
PrivacyActivism
Professionals and Technical Engineers
United Food and Commercial Workers Western States Council
UNITE-HERE
Utility Workers Union of America

OPPOSITION : (Verified 5/28/13)

California Bankers Association
California Chamber of Commerce
California Credit Union League
California Independent Bankers
California Manufacturers and Technology Association
California Retailers Association
California Travel Association
Direct Marketing Association
First Data
Internet Alliance
Personal Insurance Federation of California
State Privacy and Security Coalition
TechAmerica
TechNet

ARGUMENTS IN SUPPORT : According to the author's office,

The bill seeks to remedy the deficiency in law created by the Apple decision, which eliminated credit card privacy for downloadable product purchases based on the rationale of fraud prevention, but the court did not restrict the collection of personally identifiable information for cases involving fraud prevention, and it did not limit the use of information collected to fraud prevention. As a result, online merchants in these transactions may now collect personally identifiable information without limit, for any reason or for no reason at all, and may use the information for any purpose.

SB 383 follows the rationale of the Apple ruling, and balances it with Song Beverly's overarching principle of protecting cardholders from unwarranted privacy invasions by creating a limited exception that allows merchants impacted by Apple to gather only that information that is needed for fraud prevention, and limits the use of the information for fraud prevention purposes only.

Businesses should be entitled to collect only information concerning a credit card holder that is required for completion of the cardholder-initiated transaction, for other legal or compliance purposes. Without this legislation, online merchants are free to use information about cardholders to build customer profiles, and use this information for marketing, or for sale to third parties who may use this information for any purpose. A consumer's choice in downloadable product purchases may reveal intimate details about a consumer's interests, among these a consumer's medical interests, sexual orientation, investments, financial status, dating interests, political views and other forms of confidential information.

ARGUMENTS IN OPPOSITION : Opponents write, "In the rush to 'modernize' Song-Beverly to apply directly to online commerce, SB 383 places over-reaching restrictions on operators of commercial Internet Web sites or Online Services. The need by these organizations to collect personally identifiable information to protect online consumers from fraud is of far greater importance than the sharing of this information. There must be safeguards in place for online operators to verify the identity of their consumers that far exceed what is proposed in this bill. The consequences to online commerce of getting this wrong are enormous, and thus we urge the Legislature to proceed with appropriate caution."

"Unlike traditional retail settings, online commerce has no actual human interaction that can verify the physical presence of a card and identification.
The ability to correctly provide personally identifiable information is a front-line defense against fraud. Today, many use online services to conduct transactions for a variety of purposes and placing restrictions on how online retailers can verify identity and fight fraudulent activity could lead to thousands of Californians becoming victims to fraud."

AL:ej 5/28/13 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****