BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 383
                                                                  Page  1

          Date of Hearing:   June 23, 2014

                      ASSEMBLY COMMITTEE ON BANKING AND FINANCE
                               Roger Dickinson, Chair
                    SB 383 (Jackson) - As Amended:  June 15, 2014

           SENATE VOTE  :   21-13
           
          SUBJECT  :   Credit Cards: personal information. 

           SUMMARY  :   Expands the Song-Beverly Credit Card Act to online  
          transactions involving an electronic downloadable product.   
          Specifically,  this bill  :

          1)Permits a person or entity to require a cardholder, as a  
            condition of accepting a credit card as payment in full or in  
            part in an online transaction involving an electronic  
            downloadable product, to provide personal identification  
            information (PII) if used solely for the detection,  
            investigation, or prevention of fraud, theft, identity theft,  
            or criminal activity, or for enforcement of terms of sale.  

          2)Requires the person or entity accepting the credit card for an  
            online transaction involving an electronic downloadable  
            product to destroy or dispose of the PII in a secure manner  
            after it is no longer needed for the detection, investigation,  
            or prevention of fraud, theft, identity theft, or criminal  
            activity, or for enforcement of terms of sale.

          3)Prohibits the person or entity from aggregating the PII with  
            any other PII and also prohibits the person or entity from  
            sharing PII with any other person, firm, partnership,  
            association, or corporation unless it is required to do so by  
            state or federal law, or is contractually obligated to share  
            the information with another entity to verify the information,  
            complete the transaction, or for the detection, investigation,  
            or prevention of fraud, theft, identity theft, or criminal  
            activity, or for enforcement of terms of sale.

          4)Allows a person or entity that provides an electronic  
            downloadable product to require a consumer to establish an  
            account as a condition for the purchase of an electronic  
            downloadable product.  In addition, requires a consumer to  
            provide PII to establish, maintain, or update that account.

             a)   Limits the PII collected to that needed for the purpose of
               establishing, maintaining, or updating the account or to
               process a credit card transaction.

          5)Allows a cardholder to provide PII by opting in to the  
            collection and use of that information if he or she is  
            notified of the following at the same time the cardholder is  
            completing a transaction or establishing an account:

               i)     That providing the information is not required to  
                 complete the transaction;

               ii)    The purpose of the request; and, 

               iii)   The intended use of the information. 

             a)   Requires the person or entity to provide the cardholder  
               with an opportunity to opt out of the collection of the  
               information before the online transaction involving an  
               electronic downloadable product is completed. 

          6)Defines an "online transaction involving an electronic  
            downloadable product" as a credit card transaction for a  
            product, service, subscription, or any other consideration, in  
            which the product, service, subscription, or consideration is  
            provided by means of a download to a computer, telephone, or  
            other electronic device.

          7)Makes various findings and declarations. 

           EXISTING LAW  

          1)Requires through the California Online Privacy Protection Act,  
            that an operator of a commercial Internet Web site or online  
            service that collects PII about individual consumers residing  
            in California who use or visit its commercial Internet Web  
            site or online service to conspicuously post its privacy  
            policy on its Internet Web site, or in the case of an operator  
            of an online service, make that policy available to consumers  
            in accordance with state law.  [Business and Professions Code  
            Sec. 22575 (a).]

          2)Provides that under the Song-Beverly Credit Card Act of 1971  
            (Credit Card Act) (Civil Code Section 1747 et seq), no person,  
            firm, partnership, association or corporation that accepts
            credit cards shall do any of the following:

             a)   Require, or request, as a condition of accepting the
               credit card, the cardholder to write any PII upon the
               credit card transaction form or other document. [Section
               1747.08a(1)]

             b)   Require, or request, as a condition of  accepting the  
               credit card, the cardholder to provide PII which the entity  
               accepting the card would then write or record upon the  
               credit transaction form or otherwise. [Section 1747.08a(2)]

             c)   Utilize in any credit card transaction, a credit card  
               form that contains preprinted spaces for PII of the  
               cardholder. [Section 1747.08a(3)]

          1)Specifies that the prohibitions in a, b and c do not apply  
            under the following circumstances:

             a)   If the credit card is being used as a deposit to secure  
               payment in the event of default, loss, damage, or other  
               similar occurrence. [Section 1747.08(1)]

             b)   Cash advance transactions. [Section 1747.08(2)]

             c)   If the entity requesting the information is  
               contractually obligated to provide the personal information  
               in order to complete the transaction, or is obligated to  
               collect and record the PII by federal law or regulation.   
               [Section 1747.08(3)]

             d)   If the entity accepting the credit card in a sales  
               transaction at a retail motor fuel dispenser or retail  
               motor fuel payment island automated cashier uses the ZIP  
               Code information solely for the prevention of fraud, theft,  
               or identity theft.  [Section 1747.08 (3)]

             e)   If PII is required for a special purpose incidental but  
               related to the individual credit card transaction,  
               including but not limited to, information relating to  
               shipping, delivery, servicing, or installation of the  
               purchased merchandise, or for special orders. [Section  
               1747.08(4)]

          2)Clarifies that the prohibitions on collecting PII relating to
            the credit card transaction do not prohibit a requirement
            that the cardholder provide reasonable forms of positive  
            identification, including a driver's license or California  
            State identification card, or another form of identification.   
            [Section 1747.08(4)d]

          3)Specifies that if the cardholder pays for the transaction with  
            a credit card number and does not make the credit card  
            available upon request to verify the number, the cardholder's  
            driver's license number or identification card number may be  
            recorded on the credit card transaction form.  [1747.08(4)d].

          4)Defines "personal identification information" (PII) as  
            information concerning the cardholder, other than information  
            set forth on the credit card, and including but not limited  
            to, the cardholder's address and telephone number.  [Section  
            1747.08(3)b]

           FISCAL EFFECT :   None.

           COMMENTS  :   

          SB 383 is in response to a court decision from February 4, 2013,  
          Apple v Superior Court of Los Angeles County (Krescent) S199384  
          (February 04, 2013).  In Apple, the California Supreme Court  
          opined that the state's statutory protection against the  
          collection of PII when making credit card purchases does not  
          apply to online retailers of electronically downloadable  
          products.  The Apple decision highlights the need for California  
          privacy laws to be updated from the "brick and mortar" world to  
          the online world.

          The underlying statute, the Song Beverly Credit Card Act passed  
          in 1990, generally prohibits businesses from requesting or  
          requiring consumers to provide unnecessary PII during a credit  
          card transaction.  However, the court found, in essence, that  
          the statute and its anti-fraud provisions had been designed for  
          "brick and mortar" transactions that pre-dated the Internet era  
          and the explosion of e-commerce, and that online retailers of  
          electronically downloadable products were therefore outside of  
          the intended scope of the law. 

          The Court also recognized the problem of new technologies  
          outpacing existing laws, and the majority opinion explicitly  
          invited the state Legislature to revisit the matter, and update
          its consumer protection laws accordingly should it so desire.   
          The concern raised by the court's decision is that online
          retailers now have an unlimited ability to ask consumers for
          any amount of personal information when completing an online
          transaction.  It is presumed that, due to the court's decision,
          online merchants selling digital goods no longer need to worry
          about the Act.

          Need for the bill

          According to the Author, "Consumer privacy protections are  
          particularly crucial in the digital age, where the collection  
          and retention of personal information has made it possible for  
          individuals to unlawfully obtain millions of records during a  
          single breach of a company's computer systems.  SB 383 states  
          the intent of the legislature to re-establish privacy  
          protections for online credit card transactions involving
          downloadable products.  Specifically, this bill closes a
          loophole in the Song Beverly Credit Card Act, which was created
          after a State Supreme Court ruling that found that these
          protections do not apply to certain online transactions."
           
           Background

          Song-Beverly Credit Card Act of 1971: Under state law, a person  
          who accepts a credit card for payment shall not record the  
          consumer's PII on the credit card transaction form, except as  
          specified. Originally enacted in 1971, the Act regulates the  
          issuance and use of credit cards and the respective rights and  
          responsibilities of cardholders and retailers. Section 1747.08  
          of the Act, in particular, seeks to protect a consumer's privacy  
          and to address "the misuse of personal identification  
          information for, inter alia, marketing purposes."  Specifically,  
          the Act prohibits a retailer from requesting, as a condition of  
          acceptance of a credit card, that the cardholder provide the  
          retailer with PII, which is defined to mean any information  
          about the cardholder that does not appear on the card,  
          including, but not limited to, the cardholder's name and  
          address. 

          Existing law carves out reasonable exceptions to this general  
          rule, including where the business is contractually or legally  
          required to collect the information, or where the business needs  
          the information to perform some "special purpose," such as  
          shipping, installing, or servicing a purchased item. A business
          that accepts credit cards is also permitted to require the  
          cardholder, as a condition to accepting the card as payment, to  
          provide reasonable forms of identification, such as a driver's  
          license. AB 1219 (2012 legislative year) created another
          limited exception: in order to prevent fraud, a business that  
          sells fuel may ask the purchaser to provide a zip code in order  
          to process a fuel purchase at an automated fuel dispenser  
          island.  A person or business that violates the Act is subject  
          to civil penalties, which may be assessed in a civil action by  
          an affected cardholder, or in an action brought by the Attorney  
          General or a district or city attorney. 

          "Personal Identification Information" Under Song-Beverly-Pineda:  
          In 2011 the California Supreme Court confronted the question of  
          what constitutes "personal identification information" under the  
          Act and, more specifically, whether a person's zip code - with  
          nothing else - constitutes an "address." (Pineda v.
          Williams-Sonoma Stores, Inc. (2011) 51 Cal. 4th. 524.) In Pineda, a
          customer sued a retailer claiming that it had violated the  
          provisions of the Song-Beverly Act when a store clerk asked the  
          customer for a zip code during the credit card transaction, and  
          then recorded that zip code along with the customer's name and  
          credit card number. The customer subsequently learned that the  
          retailer used this information to do a "reverse search" to  
          locate the customer's home address. The retailer then kept the  
          customer's information in a data base that it used for marketing  
          purposes. The customer filed the matter as a putative class  
          action, alleging invasion of privacy, unfair competition, and  
          violation of the Act. Both the trial court and the Court of  
          Appeal sided with the retailer, finding that a zip code, without  
          any other component of the address, was too general to be  
          considered "personal identification information." However the  
          California Supreme Court reversed, holding, unanimously, that  
          the word "address" in the statute means either a complete  
          address or any portion of an address, and that a zip code is  
          "readily understood to be part of an address." 

          The Recent Apple Case - Online Businesses Held Not to Be Covered  
          by Song-Beverly: A bare majority of four justices held that the
          Act did not apply to online businesses. The majority opinion
          conceded that the statute does not make any express exception  
          for online business transactions - applying as it does to any  
          person, firm, etc. that accepts credit cards.  However, the  
          court concluded that both the legislative history and the  
          overall statutory framework strongly suggest that the statute
          was only meant to apply to in-person transactions at brick and  
          mortar businesses; online purchasers were not contemplated, as  
          it was crafted prior to the explosion of online commerce. 

          In support of this conclusion, the Court made the following  
          points: 

          - When the statute was originally enacted in 1971 the Internet
            did not exist, and even at the time of the most recent  
            amendment - 1991 - online commercial sales were virtually  
            non-existent and certainly not widespread, suggesting that the  
            original intent of the legislature concerned in-person brick  
            and mortar transactions. 

          - In order to prevent fraud, the statute permits a business to
            require the customer to present a form of identification, such  
            as a driver's license or other photo ID, so long as none of  
            the information is written down or recorded. This provision,  
            the court reasoned, showed that the overall framework did not  
            contemplate online transactions, for an online business would  
            not be able to request a photo ID for purposes of fraud  
            prevention. 

          Capp v. Nordstrom No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal.  
          Oct. 21, 2013)

          In a recent case that again concerned California's Song
          Beverly Credit Card Act, Capp v. Nordstrom, the District Court
          for the Eastern District of California clarified one more point
          about the Song-Beverly Act: requests for customers' email
          addresses are prohibited requests for PII.

          In the Nordstrom case, Plaintiff Robert Capp, as the  
          representative of a putative class, asserted a Song-Beverly  
          claim against retailer Nordstrom, Inc.   Mr. Capp made a  
          purchase at a Nordstrom store and paid for the purchase with his  
          credit card.  After Mr. Capp swiped his card, the Nordstrom  
          cashier asked Mr. Capp to enter his email address so that he  
          could receive his receipt by email.  Mr. Capp stated that he  
          believed that "he was required to provide his email address  
          information in order to complete the transaction and receive his  
          receipt."  Mr. Capp completed the transaction, and received a  
          receipt by email.  According to the complaint, Mr. Capp began  
          receiving unsolicited promotional emails from Nordstrom on an  
          almost daily basis, and claimed that he saw an increase in email
          traffic from other retailers, leading him to believe that  
          Nordstrom shared his email address with others without his
          permission.  Mr. Capp sued, claiming that Nordstrom's request
          for his email address constituted a violation of the
          Song-Beverly Act.

          Nordstrom moved to dismiss the claims arguing that an email
          address does not qualify as "personal identification  
          information" under the Song-Beverly Act.  In deciding this issue  
          of first impression, the court relied on Pineda v.  
          Williams-Sonoma Stores, Inc.  The court stated: "Defendant's  
          alleged conduct in this case-acquiring Plaintiff's email address  
          for one reason, sending him a receipt, and then using the  
          address for another reason, to send promotional emails and to  
          resell that information to other companies-directly implicates  
          the purposes of the statute as articulated by the California  
          Supreme Court in Pineda." Ultimately, the court held that a  
          customer's email address is "personal identification  
          information" under the Song-Beverly Act. 




          California's Right to Privacy

          The California Constitution expressly protects an individual's  
          right to privacy. Added to the California Constitution in 1972  
          when voters adopted Proposition 11, the California privacy  
          provision protects an individual's right to privacy from both  
          governmental and private actors. 

          The California Supreme Court has held that the privacy provision  
          in the California Constitution "creates a legal and enforceable  
          right of privacy for every Californian." (White v. Davis (1975)  
          13 Cal. 3d 757, 775.) Despite this express protection, however,  
          just what is included in the state's constitutional right of  
          privacy has necessarily been developed in a body of case law.  
          These cases tend to be very fact-specific. As a general rule,  
          however, in order to maintain a claim for infringement of one's  
          right of privacy under the California Constitution, the  
          plaintiff must (1) identify a legally protected privacy  
          interest; (2) establish that he or she had a "reasonable  
          expectation of privacy" under the circumstances; and (3) that  
          the defendant's conduct constituted a "serious" invasion of  
          privacy. If a plaintiff establishes all three of these elements,  
          the defendant may still show the invasion of privacy was
          justified if it furthers a legitimate and competing interest.  
          Specifically, the California Supreme Court has held that an  
          "invasion of a privacy interest is not a violation of the state  
          constitutional right to privacy if the invasion is justified by  
          a competing interest." 

          Related Legislation 
           
           AB 844 permits the operator of a commercial Internet Web site or  
          online service that collects PII to request a credit cardholder  
          or debit cardholder to provide only the billing ZIP Code to  
          complete the online credit card or debit card transaction.   
          Pending in the Senate Banking and Financial Institutions  
          Committee. 
           
           Previous Legislation

          AB 1219 (Perea, Chapter 690, Statutes of 2011) provided  
          clarification for those instances when an entity that accepts  
          credit cards may not request certain types of PII to complete  
          the transaction.   Created an express exemption from the  
          prohibition against the collection and retention of zip code  
          information when the zip code is used solely for prevention of  
          fraud, theft, or identity theft in a sales transaction at a
          retail motor fuel dispenser or retail motor fuel payment island  
          automated cashier.

          Arguments in Support 

          According to the Consumer Federation of California, SB 383  
          provides consumers with modest privacy protection when making an  
          online transaction involving a downloadable product.  This bill
          allows a business to gather any personally identifiable
          information from a customer who is making an online transaction
          for a downloadable product, as long as that information is only
          used for the detection, investigation, or prevention of fraud,
          identity theft or other criminal activity, or to enforce the
          terms of the transaction.  SB 383 also clarifies that a business
          may request the consumer to voluntarily opt in to information
          gathering for other purposes, as long as the business explains
          the intended use for that personally identifiable information.

          According to the Consumer Attorneys of California, "instead of
          permitting limited data collection for fraud prevention, as the
          legislature did when it enacted the gas station amendment, the
          Court voided Song-Beverly in its entirety for certain online
          transactions.  Under this ruling, online merchants may demand
          personal information without limit from credit card holders and
          use information gathered for marketing, creation of customer
          dossiers, for sale to third parties, or other purposes.  SB 383
          strikes a balance between consumer privacy and crime prevention."


          Arguments in Opposition

          According to the Los Angeles Area Chamber of Commerce, "While we  
          appreciate that SB 383 attempts to address consumer privacy  
          concerns, it only creates complex and confusing regulations that  
          hinder Internet-based shopping and services.  For example, in  
          order to comply with SB 383, California based businesses would  
          potentially have to create a two-tiered online system, one
          tailored to California customers and the other tailored to
          non-California customers.  California customers would need to
          enter more personal information before completing their
          purchase.  The creation of unequal payment and service
          systems means added costs and inefficiencies to businesses
          because of the need to adopt their online system to gather the  
          additional California customer's information and subsequently  
          dispose of that information after a given date, as proposed in  
          the bill."

          According to the California Newspaper Publishers Association,  
          "SB 383 would impose a significant burden if not outright
          prohibition on the use of personal information that rewards
          customer loyalty by making it convenient for readers and
          subscribers to access downloadable content about their
          communities.  Newspapers, in order to survive in today's hyper  
          competitive media market, legitimately use personal information  
          as the lifeblood to obtain and retain subscribers.  Keeping the  
          personal information of customers on file also allows readers to  
          readily access and purchase single stories about important  
          events they want as keepsakes and photographs of their kids who  
          are featured in an issue.  This will further harm newspapers and  
          in some cases where a newspaper is already struggling, could be  
          the death blow that puts them out of business."

          Questions

          1)While the Apple court case only pertained to downloadable  
            products, the court stated as a whole that the Song-Beverly
            Credit Card Act was out of touch with the internet era.  This
            measure takes a piecemeal approach because it only pertains to
            online downloadable products.  Should the Legislature consider
            taking a broader approach and apply the same protections to all
            online transactions, similar to AB 844?  Splitting up an online
            shopping experience for a consumer based on whether they  
            purchase a downloadable product or physical item may cause  
            more confusion for the consumer and the online retailer.  

          2)This measure attempts to update credit card privacy  
            protections over the internet but does not address the issue  
            of online purchases made by a debit card.  Will this measure  
            steer online retailers to set up a new platform for debit  
            cards?  

          3)The measure may open the door for online retailers who sell  
            downloadable products to ask for any information if they use  
            the information solely for fraud, theft, identity theft, or  
            criminal activity, or enforcement of terms of sale.  What does
            "enforcement of terms of sale" mean, and is this provision a
            potential loophole?  Who makes these determinations?

          4)Since the Court's ruling in the Apple case, have online  
            retailers who sell downloadable products changed their  
            behavior?  Are online retailers who sell downloadable products  
            collecting more information than is necessary to complete the  
            transaction since the court ruling?

          Recommended Amendments & Double Referral

          This measure is double-referred to the Assembly Judiciary  
          Committee.  Should this measure pass out of the Assembly Banking  
          & Finance Committee, it will be heard in the Assembly Judiciary  
          Committee on Tuesday, June 24 at 9am.  Due to this timeframe,  
          amendments will be adopted in the Assembly Judiciary Committee. 

          The author has proposed author's amendments that will be taken  
          in the Assembly Judiciary Committee.  These amendments attempt to
          clarify the author's intent of the measure as related to the  
          credit card holder setting up an account when purchasing a  
          downloadable product.  

           REGISTERED SUPPORT / OPPOSITION  :

           Support
           
          Consumer Federation of California (Sponsor)
          UFCW Western States Council (Sponsor)
          American Civil Liberties Union of California (ACLU)
          California Conference Board of the Amalgamated Transit Union
          California Conference of Machinists
          California Alliance for Retired Americans
          California Public Interest Research Group (CALPIRG)
          California Teamsters Public Affairs Council
          CALPIRG
          Christ Our Redeemer (COR)
          Christ Our Redeemer AME Church of Irvine
          Consumer Action
          Consumer Attorneys of California
          Consumer Watchdog
          Ecumenical Center for Black Church Studies
          Engineers and Scientists of CA
          International Longshore & Warehouse Union
          Jesse Miranda Center for Hispanic Leadership
          Los Angeles Latino Chamber of Commerce
          National Asian American Coalition (NAAC)
          National Hispanic Christian Leadership Conference
          Orange County Interdenominational Alliance
          Privacy Activism
          Privacy Rights Clearinghouse
          Professional and Technical Engineers
          United Food & Commercial Workers Western States Council
          UNITE-HERE
          Utility Workers Union of America


           
            Opposition 
           
          California Bankers Association (CBA)
          California Chamber of Commerce
          California Credit Union League (CCLU)
          California Independent Bankers (CIB)
          California Retailers Association (CRA)
          CTIA - The Wireless Association
          Direct Marketing Association
          Internet Coalition
          Los Angeles Area Chamber of Commerce
          Motion Pictures Association of America
          State Privacy and Security Coalition
          TechAmerica
          TechNet

           Analysis Prepared by  :    Kathleen O'Malley / B. & F. / (916)  
          319-3081