BILL ANALYSIS
-----------------------------------------------------------------
SENATE RULES COMMITTEE | SB 383
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520 Fax: (916) 327-4478
-----------------------------------------------------------------
THIRD READING
Bill No: SB 383
Author: Jackson (D)
Amended: 1/28/14
Vote: 21
SENATE JUDICIARY COMMITTEE : 5-1, 5/7/13
AYES: Evans, Corbett, Jackson, Leno, Monning
NOES: Anderson
NO VOTE RECORDED: Walters
SUBJECT : Credit cards: downloadable products: personal
information
SOURCE : Consumer Federation of California
DIGEST : This bill authorizes a person or entity that accepts
credit cards in an online transaction involving an electronic
downloadable product, as defined, to require a cardholder, as a
condition to accepting a credit card as payment in full or in
part, to provide the billing ZIP Code, street address number
associated with the credit card, and additional personal
information if used solely for the detection, investigation, or
prevention of fraud, theft, identity theft, or criminal activity
or for the enforcement of terms of sale. Requires the person or
entity accepting the credit card to destroy or dispose of the
ZIP Code, street address number, or additional personal
information in a secure manner after it is no longer needed for
the detection, investigation, or prevention of fraud, theft,
identity theft, or criminal activity, or for enforcement of
terms of sale.
Senate Floor Amendments of 1/28/14 , limit the scope of the bill
to online transactions involving downloadable products, and
clarify that additional consumer data may be voluntarily
collected with a consumer's informed consent.
Senate Floor Amendments of 5/24/13 , expand the scope of
transactions covered by the bill's provisions to include all
online credit card transactions. Amendments also expand the
scope of personal identification information that merchants can
collect as part of a transaction, and make minor technical
changes.
ANALYSIS :
Existing law:
1.Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy (Cal. Const.,
Art. I, Sec. 1). This privacy provision in the California
Constitution "creates a legal and enforceable right of privacy
for every Californian." (White v. Davis (1975) 13 Cal.3d 757,
775.)
2.Requires through the California Online Privacy Protection Act,
that an operator of a commercial Internet Web site or online
service that collects personally identifiable information
about individual consumers residing in California who use or
visit its commercial Internet Web site or online service to
conspicuously post its privacy policy on its Internet Web
site, or in the case of an operator of an online service, make
that policy available to consumers in accordance with state
law. (Business and Professions Code Sec. 22575 (a).)
3.Prohibits through the Song-Beverly Credit Card Act (the act)
(Civ. Code Sec. 1747 et seq.) persons and entities that
accept credit cards for the transaction of business from doing
any of the following:
A. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to write any personal identification information
on the credit card transaction form.
B. Requesting or requiring the cardholder, as a condition
of accepting the credit card as payment for goods or
services, to provide personal identification information,
which the person or entity accepting the credit card,
writes, causes to be written, or otherwise records upon the
credit card transaction form.
C. Utilizing, in any credit card transaction, a credit card
form that contains preprinted spaces specifically
designated for filling in any personal identification
information of the cardholder. (Civ. Code Sec. 1747.08
(a).)
1.Defines "personal identification information" to mean
information concerning the cardholder, other than information
set forth on the credit card, and including, but not limited
to, the cardholder's address and telephone number. (Civ. Code
Sec. 1747.08 (b).)
2.Provides that the above-described restrictions on the
collection of the personal identification information of a
credit card holder do not apply in the following instances:
A. If the credit card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrence.
B. Cash advance transactions.
C. If the person, firm, partnership, association, or
corporation accepting the credit card is contractually
obligated to provide personal identification information in
order to complete the credit card transaction or is
obligated to collect and record the personal identification
information by federal law, state law, or regulation.
D. If the person, firm, partnership, association, or
corporation accepting the credit card in a sales
transaction at a retail motor fuel dispenser or retail
motor fuel payment island automated cashier uses the ZIP
Code information solely for prevention of fraud, theft, or
identity theft.
E. If the personal identification information is required
for a special purpose incidental but related to the
individual credit card transaction, including, but not
limited to, information relating to shipping, delivery,
servicing, or installation of the purchased merchandise, or
for special orders. (Civ. Code Sec. 1747.08 (c).)
1.Does not prohibit any person or entity from requiring the
cardholder, as a condition of accepting the credit card as
payment in full or in part for goods or services, to provide
reasonable forms of positive identification, which may include
a driver's license or a California State identification card,
or where one of these is not available, another form of photo
identification, provided that none of the information
contained thereon is written or recorded on the credit card
transaction form or otherwise. (Civ. Code Sec. 1747.08 (d).)
2.Imposes a civil penalty not to exceed $250 for the first
violation of this section, and $1,000 for each subsequent
violation. (Civ. Code Sec. 1747.08 (e).)
This bill:
1.Permits a person or entity to require a cardholder, as a
condition of accepting a credit card as payment in full or in
part in an online transaction involving an electronic
downloadable product, to provide the billing Zip Code, street
address number associated with the credit card, and additional
personal information, if used solely for the detection,
investigation, or prevention of fraud, theft, identity theft,
or criminal activity, or for enforcement of terms of sale.
2.Requires the person or entity accepting the credit card to
destroy or dispose of the ZIP Code, street address number, or
additional personal information in a secure manner after it is
no longer needed for the detection, investigation, or
prevention of fraud, theft, identity theft, or criminal
activity, or for enforcement of terms of sale.
3.Prohibits the person or entity from aggregating the ZIP Code,
street address number, or additional personal information with
any other personal identification information and also
prohibits the person or entity from sharing the ZIP Code,
street address number, or other personal information with any
other person, firm, partnership, association, or corporation
unless it is required to do so by state or federal law, or is
contractually obligated to share the information with another
entity to verify the information, complete the transaction, or
for the detection, investigation, or prevention of fraud,
theft, identity theft, or criminal activity, or for
enforcement of terms of sale.
4.Defines "online transaction involving an electronic
downloadable product" as a credit card transaction for a
product, service, subscription, or any other consideration, in
which the product, service, subscription, or consideration is
provided by means of a download to a computer, telephone, or
other electronic device.
5.Provides that additional personal identifying information may
be collected from a cardholder as part of an online
transaction involving an electronic downloadable product as
long as the cardholder actively elects to provide the personal
information and is contemporaneously notified of the purpose
of the request and the intended use of the information, as
specified. Requires the cardholder be provided with an
additional opportunity to opt out of the collection of the
information before the online transaction involving an
electronic downloadable product is completed.
6.Finds and declares the intent of the Legislature to advance
privacy protections by limiting the scope of personally
identifiable information that may be required to be collected
for an online transaction involving an electronic downloadable
product.
Background
The act (Civ. Code Sec. 1747 et seq.) broadly prohibits
businesses and others from requesting or requiring a credit card
holder to provide personal identification information during a
credit card transaction, except in certain limited situations.
Enacted in 1971, the act regulates the issuance of credit cards
to consumers in the State of California, and specifies the
rights and obligations of retailers and cardholders in their
use. The act articulates "fair business practices for the
protection of consumers," and "made major changes in the law
dealing with credit card practices by prescribing procedures for
billing, billing errors, dissemination of false credit
information, issuance and unauthorized use of credit cards."
(Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524,
538-39)
The Supreme Court revisited the act earlier this year in Apple
Inc. v. Superior Court (2013) 56 Cal.4th 128. Despite its broad
holding two years before in the Pineda case, the Court's
decision in Apple presented a very narrow reading of the act's
privacy related provisions. The Apple case involved a putative
class action claim brought by a consumer of Apple Computer's
iTunes music and video download service. The consumer claimed
that Apple had violated the act by requiring iTunes consumers to
provide their telephone number and address in order to complete
online purchases paid for with a credit card. The Court
rejected the consumer's claim, and held that the act did not
apply to online transactions involving downloadable products.
["Upon careful consideration of the statute's text, structure,
and purpose, we hold that Section 1747.08 does not apply to
online purchases in which the product is downloaded
electronically."] Citing the legislative history of the 1990
amendments, the Court explained, "While it is clear that the
Legislature enacted the act to protect consumer privacy, it is
also clear that the Legislature did not intend to achieve
privacy protection without regard to exposing consumers and
retailers to undue risk of fraud." (Apple Inc., 56 Cal.4th 128,
139.)
The Court interpreted the act's legislative history as "showing
that the Legislature enacted the statute's privacy related
prohibitions only after carefully considering and rejecting the
possibility that the collection of personal identification
information by brick-and-mortar retailers could serve a
legitimate purpose such as fraud prevention." (Apple Inc., 56
Cal.4th at 139.) With the competing interests of consumer
privacy and fraud prevention in mind, the Court found that:
The safeguards against fraud that are provided in [the act]
are not available to the online retailer selling an
electronically downloadable product. Unlike a
brick-and-mortar retailer, an online retailer cannot
visually inspect the credit card, the signature on the back
of the card, or the customer's photo identification. Thus,
Section 1747.08(d) [concerning a retailer's ability to
request to see reasonable forms of positive
identification]-the key antifraud mechanism in the
statutory scheme-has no practical application to online
transactions involving electronically downloadable
products. We cannot conclude that if the Legislature in
1990 had been prescient enough to anticipate online
transactions involving electronically downloadable
products, it would have intended the act's prohibitions to
apply to such transactions despite the unavailability of
Section 1747.08 (d)'s [fraud prevention] safeguards.
The Supreme Court limited its holding in Apple to the particular
facts in that case, stating "We have no occasion here to decide
whether the prohibitions in the act apply to online transactions
that do not involve electronically downloadable products or to
any other transactions that do not involve in-person,
face-to-face interaction between the customer and retailer."
(Apple Inc., 56 Cal.4th at 143.) Nonetheless, the majority
opinion expressly invited the Legislature to amend the law and
apply it to online transactions of downloadable products if it
so desired. ["The Legislature may believe these measures are
inadequate and, if so, may enact additional protections. Or the
Legislature may believe that existing laws, together with market
forces reflecting consumer preferences, are sufficient. It is
not our role to opine on this important policy issue."]
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No
SUPPORT : (Verified 1/29/14)
Consumer Federation of California (source)
American Civil Liberties Union of California
California Alliance for Retired Americans
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California Teamsters Public Affairs Council
CALPIRG
Consumer Action
Consumer Attorneys of California
Consumer Watchdog
Electronic Frontier Foundation
Engineers and Scientists of California
International Longshore and Warehouse Union
Privacy Rights Clearinghouse
PrivacyActivism
Professionals and Technical Engineers
United Food and Commercial Workers Western States Council
UNITE-HERE
Utility Workers Union of America
OPPOSITION : (Verified 1/29/14)
American Insurance Association
California Bankers Association
California Chamber of Commerce
California Credit Union League
California Independent Bankers
California Manufacturers and Technology Association
California Retailers Association
California Travel Association
CTIA-The Wireless Association
Direct Marketing Association
First Data
Internet Alliance
Internet Coalition
McDermott, Will & Emery, LLP
Personal Insurance Federation of California
State Privacy and Security Coalition
TechAmerica
TechNet
ARGUMENTS IN SUPPORT : According to the author's office,
The bill seeks to remedy the deficiency in law created by
the Apple decision, which eliminated credit card privacy
for downloadable product purchases based on the rationale
of fraud prevention, but the court did not restrict the
collection of personally identifiable information for cases
involving fraud prevention, and it did not limit the use of
information collected to fraud prevention. As a result,
online merchants in these transactions may now collect
personally identifiable information without limit, for any
reason or for no reason at all, and may use the information
for any purpose. SB 383 follows the rationale of the Apple
ruling, and balances it with Song Beverly's overarching
principle of protecting cardholders from unwarranted
privacy invasions by creating a limited exception that
allows merchants impacted by Apple to gather only that
information that is needed for fraud prevention, and limits
the use of the information for fraud prevention purposes
only.
Businesses should be entitled to collect only information
concerning a credit card holder that is required for
completion of the cardholder-initiated transaction, for
other legal or compliance purposes.
Without this legislation, online merchants are free to use
information about cardholders to build customer profiles,
and use this information for marketing, or for sale to
third parties who may use this information for any purpose.
A consumer's choice in downloadable product purchases may
reveal intimate details about a consumer's interests, among
these a consumer's medical interests, sexual orientation,
investments, financial status, dating interests, political
views and other forms of confidential information.
ARGUMENTS IN OPPOSITION : Opponents write,
"In the rush to 'modernize' Song-Beverly to apply directly
to online commerce, SB 383 places over-reaching
restrictions on operators of commercial Internet Web sites
or Online Services. The need by these organizations to
collect personally identifiable information to protect
online consumers from fraud is of far greater importance
than the sharing of this information. There must be
safeguards in place for online operators to verify the
identity of their consumers that far exceed what is
proposed in this bill. The consequences to online commerce
of getting this wrong are enormous, and thus we urge the
Legislature to proceed with appropriate caution."
"Unlike traditional retail settings, online commerce has no
actual human interaction that can verify the physical
presence of a card and identification. The ability to
correctly provide personally identifiable information is a
front-line defense against fraud. Today, many use online
services to conduct transactions for a variety of purposes
and placing restrictions on how online retailers can verify
identity and fight fraudulent activity could lead to
thousands of Californians becoming victims to fraud."
AL/JA:e 1/29/14 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE