BILL ANALYSIS



                                                                  AB 1219
                                                                  Page  1

          Date of Hearing:   May 10, 2011

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                  Mike Feuer, Chair
                      AB 1219 (Perea) - As Amended:  May 4, 2011
           
          SUBJECT  :   Credit Card Transactions: Personal Information 

           KEY ISSUES :  

          1)Should the statute that prohibits a retailer from collecting a 
            person's personal information as a condition of accepting a 
            credit card be amended, so as to expressly permit a business 
            to request personal information if it is needed solely for the 
            purpose of preventing fraud and identity theft? 

          2)Should the above-referenced statute be limited to instances in 
            which a cardholder "physically presents" the card, thereby 
            removing from its provisions the growing number of remote and 
            on-line transactions?

           FISCAL EFFECT  :  As currently in print this bill is keyed 
          non-fiscal.

                                      SYNOPSIS 
                                          
          The author originally introduced this bill in response to a 
          California Supreme Court decision holding that a zip code is 
          "personal identification information" within the meaning of the 
          Song-Beverly Credit Card Act and that its holding applied 
          retroactively to uses of the zip code prior to the ruling.  In 
          short, a retailer who believed that a zip code was not included 
          within the meaning of "personal identification information," and 
          perhaps even relying on prior courts finding the same, could be 
          liable for civil penalties for information collected prior to 
          the Supreme Court decision.  The California Retailers 
          Association, the sponsor of this bill, claims that about 150 
          lawsuits have been filed against retailers in the wake of the 
          Supreme Court decision, including against gas stations that 
          collect zip codes for fraud prevention purposes.  However, while 
          the court ruling may have been the catalyst, in its current form 
          the bill does not directly address the decision.  Instead, the 
          bill currently in print would amend the Song-Beverly Credit Card 
          Act in a manner that would restrict its application to instances 
          in which a card is "physically presented" to a retailer, 
          apparently with the intent of allowing retailers to collect 
          personal information for fraud prevention purposes where the 
          card is  not  physically presented, as in an on-line or other 
          electronic transaction.  The bill in print would also expressly 
          state that a retailer may collect personal identification 
          information for purposes of preventing fraud, theft, and 
          identity theft.  However, as noted in the analysis, the current 
          version of the bill sweeps too broadly in effectively removing 
          on-line and telephonic transactions from the scope of the 
          existing law's protection; and the provision that authorizes the 
          collection of information for purposes of fraud and theft 
          prevention does not adequately limit the use and retention of 
          information collected.  Therefore, the Committee analysis 
          recommends a number of amendments so that the bill does not, 
          unintentionally, undermine the important consumer protections of 
          the Song-Beverly Act.

           SUMMARY  :  Amends existing law to expressly permit a retailer who 
          accepts credit cards to request, or require as a condition of 
          acceptance, a cardholder to provide personal identification 
          information, so long as the request is solely for the purpose of 
          preventing fraud, theft, and identity theft.  Specifically,  this 
          bill  :  

          1)Provides that if a cardholder physically presents a credit 
            card to an employee, authorized agent, or representative of a 
            person, firm, partnership, association, or corporation as 
            payment, and the credit card has a properly functioning 
            magnetic stripe or other electronically readable device, the 
            person, firm, partnership, association, or corporation shall 
            not do any of the following:

             a)   Request, or require as a condition to accepting the 
               credit card as payment in full or in part for goods and 
               services, the cardholder to write any personal 
               identification information upon the credit card form or 
               otherwise.
                
             b)   Request, or require as a condition to accepting the 
               credit card as payment in full or in part for goods and 
               services, the cardholder to provide personal identification 
               information, which the person, firm, partnership, 
               association, or corporation accepting the credit card 
               writes, causes to be written, or otherwise records upon the 
               credit card transaction form or otherwise. 

             c)   Utilize, in any credit card transaction, a credit card 
               form which contains preprinted spaces specifically 
               designated for filling in personal identification 
               information. 

          2)Provides that the above restrictions do not apply if the 
            person or entity uses the information solely for the 
            prevention of fraud, theft, or identity theft, or uses the 
            personal information for any of these purposes concurrently 
            with another permitted purpose, as specified. 

          3)Deletes a provision of existing law that permitted the person 
            or entity that accepts the credit card to request and record a 
            cardholder driver's license or identification number if the 
            cardholder does not make the credit card available upon 
            request. 

          4)States that the bill is intended to clarify existing law and 
            declares, generally, that these clarifying amendments protect 
            personal identification information while allowing and 
            recognizing legitimate business needs for a person or entity 
            that accepts credit cards.  

           EXISTING LAW  : 

          1)Provides that no person or entity that accepts credit cards 
            for the transaction of business shall do any of the following:

             a)   Request, or require as a condition to accepting the 
               credit card as payment for goods or services, that the 
               cardholder write any personal identification information on 
               the credit card transaction form or otherwise. 

             b)   Request, or require as a condition of accepting the 
               credit card as payment for goods or services, that the 
               cardholder provide personal identification information, 
               which the person or entity accepting the credit card 
               writes, causes to be written, or otherwise records upon the 
               credit card transaction form or otherwise.  

             c)   Use a credit card form which contains preprinted spaces 
               specifically designated for filling in any personal 
               identification information of the cardholder.  (Civil Code 
               Section 1747.08 (a).)

          2)Provides that the above restrictions do not apply in the 
            following instances:

             a)   If the credit card is being used as a deposit to secure 
               payment in the event of default, loss, damages, or similar 
               occurrence.

             b)   Cash advance transactions.

             c)   If the person or entity accepting the credit card is 
               contractually obligated to provide personal identification 
               information in order to complete the credit card 
               transaction or is obligated to collect the personal 
               identification information by a federal law or regulation.
           
             d)   If the personal identification information is required 
               for a special purpose incidental but related to the 
               individual credit card transaction, including, but not 
               limited to, information relating to shipping, delivery, 
               servicing, or installation of the purchased merchandise, or 
               for special orders.  (Civil Code Section 1747.08 (c).) 

          3)Defines "personal identification information" to mean 
            information concerning the cardholder, other than information 
            set forth on the credit card, and including, but not limited 
            to, the cardholder's address and telephone number.  (Civil 
            Code Section 1747.08 (b).) 

          4)Specifies that the above provisions do not prohibit a person 
            or business from requiring a cardholder, as a condition of 
            accepting the card, to provide reasonable forms of positive 
            identification, such as a driver's license or other photo 
            identification, provided that none of the information recorded 
            thereon is written or recorded on the credit card transaction 
            form or otherwise.  Provides that if the cardholder does not make 
            the credit card available upon request to verify the number, 
            the cardholder's driver's license or identification card 
            number may be recorded on the credit card transaction form or 
            otherwise.  (Civil Code Section 1747.08 (d).)

          5)Makes any person who violates this section subject to a civil 
            penalty not to exceed $250 for the first offense and not to 
            exceed $1000 for each subsequent violation, to be assessed and 
            collected in an action brought by the cardholder, or by the 
            Attorney General, or by the district attorney or city attorney 
            of the county or city in which the violation occurred, and 
            permits the Attorney General, or any district attorney or city 
            attorney, to bring an action for injunctive relief, as 
            specified.  (Civil Code Section 1747.08 (e)-(g).) 

           COMMENTS  :  Originally enacted in 1971, the Song-Beverly Credit 
          Card Act (Civil Code Section 1747.01 et seq.) regulates the 
          issuance and use of credit cards and the respective rights and 
          responsibilities of cardholders and retailers.  Most notably for 
          purposes of this bill, the Act prohibits a retailer from 
          requesting, or requiring as a condition of acceptance of a 
          credit card, that the cardholder provide the retailer with 
          "personal identification information," which is defined to mean 
          any information about the cardholder that does not appear on the 
          card, including, but not limited to, the cardholder's name and 
          address.  Existing law also carves out many exceptions to this 
          general rule, including where the business is contractually or 
          legally required to collect the information, or where the 
          business needs the information to perform some "special 
          purpose," such as shipping, installing, or servicing a purchased 
          item.  A business that accepts credit cards is also permitted to 
          require the cardholder, as a condition to accepting the card as 
          payment, to provide reasonable forms of identification, such as 
          a driver's license.  A person or business that violates these 
          provisions is subject to civil penalties, which may be assessed 
          in a civil action by an affected cardholder, or in an action 
          brought by the Attorney General or a district or city attorney.  
          Civil penalties may not exceed $250 for a first offense and 
          $1000 for each subsequent offense.  The purpose of the Act is to 
          protect a consumer's privacy and to address "the misuse of 
          personal identification information for, inter alia, marketing 
          purposes."  (Absher v. Autozone, Inc. (2008) 164 Cal. App. 4th 
          332, 345.)  The exemptions in the Act recognize instances in 
          which a business may have a legitimate interest in requiring 
          personal identification information. 

           The Pineda Decision  :  A recent opinion by the California Supreme 
          Court confronted the question of what constitutes "personal 
          identification information" under the Act and, more 
          specifically, whether a person's zip code - with nothing else - 
          constitutes an "address."  (Pineda v. Williams-Sonoma Stores, 
          Inc. (2011) 51 Cal. 4th 524.)  In Pineda, a customer sued a 
          retailer claiming that it had violated the provisions of the 
          Song-Beverly Act when a store clerk asked the customer for a zip 
          code during the credit card transaction, and then recorded that 
          zip code along with the customer's name and credit card number.  
          The customer subsequently learned that the retailer used this 
          information to do a "reverse search" to locate the customer's 
          home address.  The retailer then kept the customer's information 
          in a database that it used for marketing purposes.  The 
          customer filed the matter as a putative class action, alleging 
          invasion of privacy, unfair competition, and violation of the 
          Song-Beverly Act.  Both the trial court and the Court of Appeal 
          sided with the retailer, finding that a zip code, without any 
          other component of the address, was too general to be considered 
          "personal identification information."  The California Supreme 
          Court reversed, holding, unanimously, that the word "address" in 
          the statute means either a complete address or any portion of an 
          address, and that a zip code is "readily understood to be part 
          of an address."  (Id. at 531.)  

          In addition to finding that a zip code was "personal 
          identification information" within the meaning of the Act, the 
          Pineda court also expressly rejected the defendant's claim that 
          the opinion should only be applied prospectively.  The defendant 
          argued that, since retailers may have reasonably assumed prior 
          to this decision that a zip code was not personal identification 
          information - an assumption shared, after all, by prior courts - 
          it would be unfair to hold retailers liable for information 
          collected before the Pineda decision.  The Court, however, was 
          "not persuaded," noting that the statute provided 
          constitutionally adequate notice of the prohibited activity, 
          including express reference to an address as an example of 
          personal identification information. 

          Proponents of this bill were especially troubled by the prospect 
          that the Pineda ruling applied retrospectively, claiming that it 
          was not self-evident prior to Pineda that a zip code, with 
          nothing more, constituted an "address."  The author and sponsor 
          contend that, in the wake of the Pineda decision, about 150 
          lawsuits have been filed against businesses that collected zip 
          codes prior to the decision.  Although this bill does not now, 
          and never has, purported to overturn the ruling in Pineda or 
          restrict its retrospective application, the author and sponsor 
          do hope to ensure that when a business has a legitimate reason 
          for requiring a zip code, the law should expressly recognize its 
          ability to do so. 

           Proponents arguably overstate the implications of the Pineda 
          decision  .  Although the Court did indeed hold that its 
          interpretation of the statute applied retroactively, the Court 
          only held that a zip code is an address within the meaning of 
          the statute.  Whether or not all of the 150 lawsuits cited by 
          the proponents are in fact a response to Pineda is debatable, 
          but even as characterized by the proponents those suits could 
          easily be dismissed under existing law.  For example, proponents 
          cite cases in which gas stations have been sued for requesting 
          zip codes, even though existing law already provides an 
          exemption where a business is contractually required to collect 
          the information, as is true with gas stations.  Moreover, it is 
          the Committee's understanding that in the overwhelming majority 
          of cases, the gas retailer does not actually collect the 
          information; rather, the information goes directly from the gas 
          pump to the bank, which verifies that the zip code entered 
          corresponds with the address on the account.  Similarly, many 
          proponents claim that the decision will permit suits against 
          on-line retailers who need to request the zip code, along with 
          the cardholder's name and complete address, in order to ship the 
          goods purchased.  But, here again, existing law already provides 
          an exemption for shipping, delivery, installation, and servicing 
          of the purchased good.  Nothing in the decision changed that.  
          Such lawsuits may be frivolous or ill-advised given the clear 
          language of the statute, but they cannot be fairly attributable 
          to the Pineda decision. 

           Existing Language Arguably Sweeps Too Broadly  :  Apparently to 
          ensure that retailers could collect zip codes in order to 
          prevent potential fraud when a card is swiped at an outside 
          pump, or ship goods when a product is purchased on-line, the 
          current language of the bill amends existing law to effectively 
          limit the provision prohibiting the collection of 
          personal identification information to instances in which a 
          cardholder "physically presents" a credit card to a retailer or 
          merchant (page 2, line 4 of the bill in print).  This change to 
          existing law, if allowed to stand, would effectively remove 
          on-line and telephonic transactions from the protection of the 
          existing statute.  According to the sponsor, this was not the 
          bill's intent.  Therefore, as noted in the proposed amendments 
          below,  the Committee strongly recommends  that this language come 
          out of the bill.  

           Retention Issue  :  This bill would also amend existing law to 
          allow a business to request or require that a cardholder provide 
          personal identification information if the business uses the 
          information "solely for the prevention of fraud, theft, or 
          identity theft," or concurrently for another purpose authorized 
          by the statute (page 3, lines 18-21 of the bill in print).  
          However, this provision does not impose any limits on what the 
          retailer can do with that information once it is collected or 
          how long the information may be retained.  Therefore, as noted 
          in the amendments listed below,  the Committee strongly 
          recommends  that a clause be added to this provision stating that 
          the information may only be recorded, stored, or retained to the 
          extent necessary to effectuate the authorized purpose and 
          thereafter deleted, discarded, or destroyed. 

           Additional Express Exemptions  .  In addition to providing an 
          express exemption for fraud or theft prevention, the author and 
          sponsor also seek exemptions in instances in which a cardholder 
          either does not have the card physically present or where the 
          card is not functioning properly.  The bill currently includes 
          this provision in subdivision (a), along with the language 
          restricting the scope of the statute to an instance in which the 
          card is "physically presented."  Because the Committee would 
          propose deleting all of the language added to subdivision (a) 
          and restoring the original language, the Committee suggests that 
          it would be more appropriate to include this provision in 
          subdivision (c), which creates exemptions to the general rule.  
          Specifically, there are two distinct instances which the author 
          seeks to address: (1) Where the holder of a "proprietary credit 
          card" (e.g. a Macy's card) does not have the card on his or her 
          person and the merchant that issued the card needs to look up 
          the account number; and (2) Where the card's magnetic stripe is 
          not functioning properly and the merchant wishes to write down 
          the needed information on a credit card form.  As noted in the 
          amendments below,  the Committee strongly recommends  that these 
          authorizations be permitted but properly qualified so that the 
          information collected is only to the extent necessary to 
          effectuate the transaction. 

           Intent language is arguably too broad and possibly unnecessary:   
          Finally, in addition to the substantive amendments, this bill 
          adds intent language to state that this bill seeks to clarify 
          existing law.  The intent language adds that these clarifying 
          amendments will protect personal identification information 
          while at the same time permitting businesses to use personal 
          identification information for legitimate business purposes.  
          However, the general language setting forth these purposes is 
          potentially broader than what the bill permits.  Therefore, as 
          noted in the amendments,  the Committee strongly recommends  that 
          the author delete this language and simply state that the bill 
          recognizes the need to collect information for "the purposes 
          authorized by this section." 

           Requesting Information after a Transaction has been Completed  :  
          One issue which the author and stakeholders may wish to 
          consider, should the bill move forward, concerns the extent to 
          which a retailer may "request" a customer's personal information 
          once the credit card transaction has been completed.  Existing 
          law is somewhat ambiguous on this point, due in part to an 
          ambiguously placed comma.  Specifically, existing law provides 
          that a retailer may not "request, or require as a condition to 
          accepting the credit card as payment in full or in part for 
          goods or services," that the cardholder must provide personal 
          information.  Because of the comma separating "request" from "or 
          require as a condition," it is not entirely clear whether the 
          "conditioning" language was meant to apply to both the 
          "requesting" and the "requiring" of the information, or if it 
          only applies to the "requiring."  In other words, the language 
          could arguably be read to mean that while a retailer may not 
          "require" the information "as a condition" of accepting the 
          card, it may not "request" the information at all.  The sponsors 
          have informed the Committee that this language leaves it unclear 
          as to whether a retailer could request personal information 
          after the transaction has been completed, when there would be no 
          implication that  the request is in any way related to the 
          retailer's willingness to accept the credit card.  For example, 
          retailers not infrequently ask customers if they would like to 
          write their name and address on a mailing list to receive a 
          catalog or information about upcoming or time-limited offers.  
          Such requests would not appear to frustrate the spirit of the 
          Song-Beverly Act, so long as the request was made after the 
          transaction.  Because this issue was raised too late in the 
          process to consider all of the possible implications of 
          re-crafting this language, this issue is not addressed as a 
          recommended committee amendment below; rather, it is something 
          that the author and stakeholders may wish to discuss should the 
          bill move forward.       

           PROPOSED COMMITTEE AMENDMENTS  :  For the reasons discussed above, 
           the Committee strongly recommends  that the author agree to take 
          the following amendments in this Committee. 

                                      Amendment 1
           
          On page 2 line 3 delete "if a" and lines 4 through 7, inclusive, 
          and on line 8 delete "readable device, the" and on line 8 before 
          "person" insert:    no  



                                      Amendment 2
                                           
          On page 3 line 13 delete "(1)"


                                      Amendment 3
                                           
          On page 3 line 18, after "personal" insert:     identification  

                                      Amendment 4
                                           
          On page 3 line 21, after "(4)" insert: 

            , provided that the personal identification information is only 
          recorded, stored, or retained to the extent necessary to 
          effectuate the authorized use or purpose and is thereafter 
          deleted, discarded, or destroyed.

                                     Amendment 5
                                           
          On page 3, after line 28 insert:


                (5)  If personal identification information is requested to 
          verify that a person has a proprietary credit card account with 
          the person, firm, partnership, association or corporation and 
          that person does not produce the proprietary credit card at the 
          time of the transaction.  For purposes of this paragraph a 
          "proprietary credit card" means a credit card issued by the 
          person, firm, partnership, association, or corporation.  


                (6) If in a face-to-face transaction the credit card does 
          not have a properly functioning magnetic stripe or is otherwise 
          not electronically readable, the person, firm, partnership, 
          association or corporation may record only the cardholder's 
          name, credit card account number and expiration date; and 
          provided further that the personal identification information 
          that is required is used only to complete the transaction, or 
          for a purpose authorized by this section, and is thereafter 
          deleted, discarded or destroyed. 

                                     Amendment 6
                                           
          On page 5 line 7 after "information" insert:   for the purposes 
          authorized by this section.  

                                      Amendment 7
                                           
          On page 5 line 7 delete "to appropriately process and complete," 
          and delete lines 8 through 10, inclusive, and on line 11 delete 
          "Commission" 

           ARGUMENTS IN SUPPORT  :  The California Retailers Association 
          (CRA), the sponsor of this bill, argues that "AB 1219 makes 
          several important changes to Song Beverly, which are necessary 
          in light of the California Supreme Court's decision in the 
          Pineda v. Williams-Sonoma Stores, Inc. case."  CRA claims that 
          since the Pineda case was handed down, "over 150 class action 
          suits have been filed against retailers in California."  CRA 
          claims that many of these retailers were collecting information 
          "for legitimate reasons that should be allowable under law," 
          including cases in which on-line retailers needed the zip code 
          for delivery purposes or for reducing "the likelihood of fraud 
          or identity theft."  CRA writes that the purpose of the bill is 
          to continue protecting personal identification information while 
          at the same time "recognizing the legitimate business need for a 
          retailer to use [personal identification information] to 
          appropriately process and complete all components of a customer 
          transaction."  

          The Western States Petroleum Association (WSPA) argues that this 
          legislation will "clarify existing law that the use of zip code 
          data for the purpose of fraud prevention is appropriate and not 
          a violation of law."  WSPA notes that class action suits have 
          been filed against WSPA members who requested zip codes for 
          credit card transactions at gas pumps.  WSPA writes that this 
          information is collected to help prevent fraud and theft.  WSPA 
          adds that the information is never used for marketing purposes 
          and "may only be retained for a limited duration incidental to 
          reconciliation with the issuing bank."  Without specific 
          language expressly exempting fraud prevention, WSPA contends, 
          its member companies "may face years of costly litigation." 

           ARGUMENTS IN OPPOSITION  :  Privacy Rights Clearinghouse (PRC) 
          argues that "AB 1219 would make two major changes to Song 
          Beverly that would essentially gut the existing statute."  
          First, PRC argues that amending existing law to require a 
          cardholder to "physically present" the card to an "employee, 
          agent, or representative" of the business would make the statute 
          obsolete. PRC argues that limiting the statute to instances in 
          which the card is physically presented would mean that "Song 
          Beverly would no longer cover the vast majority of retail 
          transactions, because typically consumers swipe a card at a 
          point-of-sale terminal without actually presenting the card to a 
          store employee."  Second, PRC argues that the proposed amendment 
          to permit the use of personal identification information for 
          prevention of fraud, theft, or identity theft would mean that so 
          long as the merchant claimed to collect the information for some 
          purpose related to fraud, it could use the information, once 
          collected, for other purposes.  PRC proposes that this language 
          should be narrowed to state that the retailer may request the 
          information "solely" for purposes of fraud or theft prevention 
          and that the retailer should not record or maintain the 
          information except as needed for the authorized purpose.  
          Because the concerns raised by PRC appear to be addressed by the 
          recommended Committee amendments, it is not clear whether the 
          PRC would remove its opposition if the author agrees to take 
          those amendments. 

           Expressions of Concern  :  The Consumer Attorneys of California 
          (CAOC) originally opposed this bill for substantially the same 
          reasons articulated by PRC.  However, CAOC has notified the 
          Committee that it wishes to remain neutral on the bill so long 
          as the author agrees to continue working with the Committee and 
          opponents to amend the bill along the lines recommended in this 
          analysis.  CAOC particularly wishes to see the author restrict 
          the use and retention of the information in a manner consistent 
          with the authorized purpose for collecting the information. 

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          California Retailers Association (sponsor) 
          California Chamber of Commerce 
          California Business Properties Association
          California Grocers Association 
          California Independent Oil Marketers Association 
          California Restaurant Association 
          Civil Justice Association of California 
          Direct Marketing Association 
          First Data
          International Council of Shopping Centers 
          Western States Petroleum Association 

           Opposition 
           
          Privacy Rights Clearinghouse 
           

          Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334