BILL ANALYSIS                                                                                                                                                                                                    



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        SB 383|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  SB 383
          Author:   Jackson (D)
          Amended:  1/28/14
          Vote:     21


           SENATE JUDICIARY COMMITTEE  :  5-1, 5/7/13
          AYES:  Evans, Corbett, Jackson, Leno, Monning
          NOES:  Anderson
          NO VOTE RECORDED:  Walters


           SUBJECT  :    Credit cards:  downloadable products:  personal  
          information

           SOURCE  :     Consumer Federation of California


          DIGEST  :    This bill authorizes a person or entity that accepts  
          credit cards in an online transaction involving an electronic  
          downloadable product, as defined, to require a cardholder, as a  
          condition to accepting a credit card as payment in full or in  
          part, to provide the billing ZIP Code, street address number  
          associated with the credit card, and additional personal  
          information if used solely for the detection, investigation, or  
          prevention of fraud, theft, identity theft, or criminal activity  
          or for the enforcement of terms of sale.  Requires the person or  
          entity accepting the credit card to destroy or dispose of the  
          ZIP Code, street address number, or additional personal  
          information in a secure manner after it is no longer needed for  
          the detection, investigation, or prevention of fraud, theft,  
          identity theft, or criminal activity, or for enforcement of  
          terms of sale.
                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          2


           Senate Floor Amendments of 1/28/14  , limit the scope of the bill  
          to online transactions involving downloadable products, and  
          clarify that additional consumer data may be voluntarily  
          collected with a consumer's informed consent.

           Senate Floor Amendments of 5/24/13  , expand the scope of  
          transactions covered by the bill's provisions to include all  
          online credit card transactions.  Amendments also expand the  
          scope of personal identification information that merchants can  
          collect as part of a transaction, and make minor technical  
          changes.

           ANALYSIS  :    

          Existing law:

          1.Provides that, among other rights, all people have an  
            inalienable right to pursue and obtain privacy (Cal. Const.,  
            Art. I, Sec. 1).  This privacy provision in the California  
            Constitution "creates a legal and enforceable right of privacy  
            for every Californian."  (White v. Davis (1975) 13 Cal.3d 757,  
            775.)

          2.Requires through the California Online Privacy Protection Act,  
            that an operator of a commercial Internet Web site or online  
            service that collects personally identifiable information  
            about individual consumers residing in California who use or  
            visit its commercial Internet Web site or online service to  
            conspicuously post its privacy policy on its Internet Web  
            site, or in the case of an operator of an online service, make  
            that policy available to consumers in accordance with state  
            law.  (Business and Professions Code Sec. 22575 (a).)

          3.Prohibits through the Song Beverly Credit Card Act (the act)  
            (Civ. Code Sec. 1747 et. seq.) persons and entities that  
            accept credit cards for the transaction of business from doing  
            any of the following:

             A.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to write any personal identification information  
               on the credit card transaction form.


                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          3

             B.   Requesting or requiring the cardholder, as a condition  
               of accepting the credit card as payment for goods or  
               services, to provide personal identification information,  
               which the person or entity accepting the credit card,  
               writes, causes to be written, or otherwise records upon the  
               credit card transaction form.

             C.   Utilizing, in any credit card transaction, a credit card  
               form that contains preprinted spaces specifically  
               designated for filling in any personal identification  
               information of the cardholder.  (Civ. Code Sec. 1747.08  
               (a).)

          1.Defines "personal identification information" to mean  
            information concerning the cardholder, other than information  
            set forth on the credit card, and including, but not limited  
            to, the cardholder's address and telephone number.  (Civ. Code  
            Sec. 1747.08 (b).)

          2.Provides that the above-described restrictions on the  
            collection of the personal identification information of a  
            credit card holder do not apply in the following instances:

             A.   If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence.

             B.   Cash advance transactions.

             C.   If the person, firm, partnership, association, or  
               corporation accepting the credit card is contractually  
               obligated to provide personal identification information in  
               order to complete the credit card transaction or is  
               obligated to collect and record the personal identification  
               information by federal law, state law, or regulation.

             D.   If the person, firm, partnership, association, or  
               corporation accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for prevention of fraud, theft, or  
               identity theft.

             E.   If the personal identification information is required  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          4

               for a special purpose incidental but related to the  
               individual credit card transaction, including, but not  
               limited to, information relating to shipping, delivery,  
               servicing, or installation of the purchased merchandise, or  
               for special orders.  (Civ. Code Sec. 1747.08 (c).)

          1.Does not prohibit any person or entity from requiring the  
            cardholder, as a condition of accepting the credit card as  
            payment in full or in part for goods or services, to provide  
            reasonable forms of positive identification, which may include  
            a driver's license or a California State identification card,  
            or where one of these is not available, another form of photo  
            identification, provided that none of the information  
            contained thereon is written or recorded on the credit card  
            transaction form or otherwise.  (Civ. Code Sec. 1747.08 (d).)

          2.Imposes a civil penalty not to exceed $250 for the first  
            violation of this section, and $1,000 for each subsequent  
            violation.  (Civ. Code Sec. 1747.08 (e).)
          This bill:

          1.Permits a person or entity to require a cardholder, as a  
            condition of accepting a credit card as payment in full or in  
            part in an online transaction involving an electronic  
            downloadable product, to provide the billing Zip Code, street  
            address number associated with the credit card, and additional  
            personal information, if used solely for the detection,  
            investigation, or prevention of fraud, theft, identity theft,  
            or criminal activity, or for enforcement of terms of sale.

          2.Requires the person or entity accepting the credit card to  
            destroy or dispose of the ZIP Code, street address number, or  
            additional personal information in a secure manner after it is  
            no longer needed for the detection, investigation, or  
            prevention of fraud, theft, identity theft, or criminal  
            activity, or for enforcement of terms of sale.

          3.Prohibits the person or entity from aggregating the ZIP Code,  
            street address number, or additional personal information with  
            any other personal identification information and also  
            prohibits the person or entity from sharing the ZIP Code,  
            street address number, or other personal information with any  
            other person, firm, partnership, association, or corporation  
            unless it is required to do so by state or federal law, or is  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          5

            contractually obligated to share the information with another  
            entity to verify the information, complete the transaction, or  
            for the detection, investigation, or prevention of fraud,  
            theft, identity theft, or criminal activity, or for  
            enforcement of terms of sale.

          4.Defines "online transaction involving an electronic  
            downloadable product" as a credit card transaction for a  
            product, service, subscription, or any other consideration, in  
            which the product, service, subscription, or consideration is  
            provided by means of a download to a computer, telephone, or  
            other electronic device.

          5.Provides that additional personal identifying information may  
            be collected from a cardholder as part of an online  
            transaction involving an electronic downloadable product as  
            long as the cardholder actively elects to provide the personal  
            information and is contemporaneously notified of the purpose  
            of the request and the intended use of the information, as  
            specified.  Requires the cardholder be provided with an  
            additional opportunity to opt out of the collection of the  
            information before the online transaction involving an  
            electronic downloadable product is completed.

          6.Finds and declares the intent of the Legislature to advance  
            privacy protections by limiting the scope of personally  
            identifiable information that may be required to be collected  
            for an online transaction involving an electronic downloadable  
            product.

           Background
           
          The act (Civ. Code Sec. 1747 et. seq.) broadly prohibits  
          businesses and others from requesting or requiring a credit card  
          holder to provide personal identification information during a  
          credit card transaction, except in certain limited situations.   
          Enacted in 1971, the act regulates the issuance of credit cards  
          to consumers in the State of California, and specifies the  
          rights and obligations of retailers and cardholders in their  
          use.  The act articulates "fair business practices for the  
          protection of consumers," and "made major changes in the law  
          dealing with credit card practices by prescribing procedures for  
          billing, billing errors, dissemination of false credit  
          information, issuance and unauthorized use of credit cards."   

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          6

          (Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524,  
          538-39)

          The Supreme Court revisited the act earlier this year in Apple  
          Inc. v. Superior Court (2013) 56 Cal.4th 128.  Despite its broad  
          holding two years before in the Pineda case, the Court's  
          decision in Apple presented a very narrow reading of the act's  
          privacy related provisions.  The Apple case involved a putative  
          class action claim brought by a consumer of Apple Computer's  
          iTunes music and video download service.  The consumer claimed  
          that Apple had violated the act by requiring iTunes consumers to  
          provide their telephone number and address in order to complete  
          online purchases paid for with a credit card.  The Court  
          rejected the consumer's claim, and held that the act did not  
          apply to online transactions involving downloadable products.   
          ["Upon careful consideration of the statute's text, structure,  
          and purpose, we hold that Section 1747.08 does not apply to  
          online purchases in which the product is downloaded  
          electronically."]  Citing the legislative history of the 1990  
          amendments, the Court explained, "While it is clear that the  
          Legislature enacted the act to protect consumer privacy, it is  
          also clear that the Legislature did not intend to achieve  
          privacy protection without regard to exposing consumers and  
          retailers to undue risk of fraud."  (Apple Inc., 56 Cal.4th 128,  
          139.)

          The Court interpreted the act's legislative history as "showing  
          that the Legislature enacted the statute's privacy related  
          prohibitions only after carefully considering and rejecting the  
          possibility that the collection of personal identification  
          information by brick-and-mortar retailers could serve a  
          legitimate purpose such as fraud prevention."  (Apple Inc., 56  
          Cal.4th at 139.)  With the competing interests of consumer  
          privacy and fraud prevention in mind, the Court found that:

               The safeguards against fraud that are provided in [the act]  
               are not available to the online retailer selling an  
               electronically downloadable product.  Unlike a  
               brick-and-mortar retailer, an online retailer cannot  
               visually inspect the credit card, the signature on the back  
               of the card, or the customer's photo identification.  Thus,  
               Section 1747.08(d) [concerning a retailer's ability to  
               request to see reasonable forms of positive  
               identification]-the key antifraud mechanism in the  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          7

               statutory scheme-has no practical application to online  
               transactions involving electronically downloadable  
               products.  We cannot conclude that if the Legislature in  
               1990 had been prescient enough to anticipate online  
               transactions involving electronically downloadable  
               products, it would have intended the act's prohibitions to  
               apply to such transactions despite the unavailability of  
               Section 1747.08 (d)'s [fraud prevention] safeguards.

          The Supreme Court limited its holding in Apple to the particular  
          facts in that case, stating "We have no occasion here to decide  
          whether the prohibitions in the act apply to online transactions  
          that do not involve electronically downloadable products or to  
          any other transactions that do not involve in-person,  
          face-to-face interaction between the customer and retailer."   
          (Apple Inc., 56 Cal.4th at 143.)  Nonetheless, the majority  
          opinion expressly invited the Legislature to amend the law and  
          apply it to online transactions of downloadable products if it  
          so desired.  ["The Legislature may believe these measures are  
          inadequate and, if so, may enact additional protections.  Or the  
          Legislature may believe that existing laws, together with market  
          forces reflecting consumer preferences, are sufficient.  It is  
          not our role to opine on this important policy issue."]

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   Local:  
           No

           SUPPORT  :   (Verified  1/29/14)

          Consumer Federation of California (source)
          American Civil Liberties Union of California
          California Alliance for Retired Americans
          California Conference Board of the Amalgamated Transit Union
          California Conference of Machinists
          California Teamsters Public Affairs Council
          CALPIRG
          Consumer Action
          Consumer Attorneys of California
          Consumer Watchdog
          Electronic Frontier Foundation
          Engineers and Scientists of California
          International Longshore and Warehouse Union
          Privacy Rights Clearinghouse
          PrivacyActivism

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          8

          Professionals and Technical Engineers
          United Food and Commercial Workers Western States Council
          UNITE-HERE
          Utility Workers Union of America

           OPPOSITION  :    (Verified  1/29/14)

          American Insurance Association
          California Bankers Association
          California Chamber of Commerce
          California Credit Union League
          California Independent Bankers
          California Manufacturers and Technology Association
          California Retailers Association
          California Travel Association
          CTIA-The Wireless Association
          Direct Marketing Association
          First Data
          Internet Alliance
          Internet Coalition
          McDermott, Will & Emery, LLP
          Personal Insurance Federation of California
          State Privacy and Security Coalition
          TechAmerica
          TechNet

           ARGUMENTS IN SUPPORT  :    According to the author's office,

               The bill seeks to remedy the deficiency in law created by  
               the Apple decision, which eliminated credit card privacy  
               for downloadable product purchases based on the rationale  
               of fraud prevention, but the court did not restrict the  
               collection of personally identifiable information for cases  
               involving fraud prevention, and it did not limit the use of  
               information collected to fraud prevention.  As a result,  
               online merchants in these transactions may now collect  
               personally identifiable information without limit, for any  
               reason or for no reason at all, and may use the information  
               for any purpose.  SB 383 follows the rationale of the Apple  
               ruling, and balances it with Song Beverly's overarching  
               principle of protecting cardholders from unwarranted  
               privacy invasions by creating a limited exception that  
               allows merchants impacted by Apple to gather only that  
               information that is needed for fraud prevention, and limits  

                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          9

               the use of the information for fraud prevention purposes  
               only.

               Businesses should be entitled to collect only information  
               concerning a credit card holder that is required for  
               completion of the cardholder-initiated transaction, for  
               other legal or compliance purposes.

               Without this legislation, online merchants are free to use  
               information about cardholders to build customer profiles,  
               and use this information for marketing, or for sale to  
               third parties who may use this information for any purpose.  
                A consumer's choice in downloadable product purchases may  
               reveal intimate details about a consumer's interests, among  
               these a consumer's medical interests, sexual orientation,  
               investments, financial status, dating interests, political  
               views and other forms of confidential information.

           ARGUMENTS IN OPPOSITION  :    Opponents write,

               "In the rush to 'modernize' Song-Beverly to apply directly  
               to online commerce, SB 383 places over-reaching  
               restrictions on operators of commercial Internet Web sites  
               or Online Services.  The need by these organizations to  
               collect personally identifiable information to protect  
               online consumers from fraud is of far greater importance  
               than the sharing of this information.  There must be  
               safeguards in place for online operators to verify the  
               identity of their consumers that far exceed what is  
               proposed in this bill.  The consequences to online commerce  
               of getting this wrong are enormous, and thus we urge the  
               Legislature to proceed with appropriate caution."

               "Unlike traditional retail settings, online commerce has no  
               actual human interaction that can verify the physical  
               presence of a card and identification.  The ability to  
               correctly provide personally identifiable information is a  
               front-line defense against fraud.  Today, many use online  
               services to conduct transactions for a variety of purposes  
               and placing restrictions on how online retailers can verify  
               identity and fight fraudulent activity could lead to  
               thousands of Californians becoming victims to fraud."  
           


                                                                CONTINUED





                                                                     SB 383
                                                                     Page  
          10

          AL/JA:e  1/29/14   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****








































                                                                CONTINUED