BILL ANALYSIS
SB 383
Page 1
Date of Hearing: June 23, 2014
ASSEMBLY COMMITTEE ON BANKING AND FINANCE
Roger Dickinson, Chair
SB 383 (Jackson) - As Amended: June 15, 2014
SENATE VOTE : 21-13
SUBJECT : Credit Cards: personal information.
SUMMARY : Expands the Song-Beverly Credit Card Act to online
transactions involving an electronic downloadable product.
Specifically, this bill :
1)Permits a person or entity to require a cardholder, as a
condition of accepting a credit card as payment in full or in
part in an online transaction involving an electronic
downloadable product, to provide personal identification
information (PII) if used solely for the detection,
investigation, or prevention of fraud, theft, identity theft,
or criminal activity, or for enforcement of terms of sale.
2)Requires the person or entity accepting the credit card for an
online transaction involving an electronic downloadable
product to destroy or dispose of the PII in a secure manner
after it is no longer needed for the detection, investigation,
or prevention of fraud, theft, identity theft, or criminal
activity, or for enforcement of terms of sale.
3)Prohibits the person or entity from aggregating the PII with
any other PII and also prohibits the person or entity from
sharing PII with any other person, firm, partnership,
association, or corporation unless it is required to do so by
state or federal law, or is contractually obligated to share
the information with another entity to verify the information,
complete the transaction, or for the detection, investigation,
or prevention of fraud, theft, identity theft, or criminal
activity, or for enforcement of terms of sale.
4)Allows a person or entity that provides an electronic
downloadable product to require a consumer to establish an
account as a condition for the purchase of an electronic
downloadable product. In addition, requires a consumer to
provide PII to establish, maintain, or update that account.
a) Limits the PII collected for the purpose of establishing,
maintaining, or updating the account or to process a credit
card transaction.
5)Allows a cardholder to provide PII by opting in to the
collection and use of that information if he or she is
notified of the following at the same time the cardholder is
completing a transaction or establishing an account:
i) That providing the information is not required to
complete the transaction;
ii) The purpose of the request; and,
iii) The intended use of the information.
a) Requires the person or entity to provide the cardholder
with an opportunity to opt out of the collection of the
information before the online transaction involving an
electronic downloadable product is completed.
6)Defines an "online transaction involving an electronic
downloadable product" as a credit card transaction for a
product, service, subscription, or any other consideration, in
which the product, service, subscription, or consideration is
provided by means of a download to a computer, telephone, or
other electronic device.
7)Makes various findings and declarations.
EXISTING LAW
1)Requires through the California Online Privacy Protection Act,
that an operator of a commercial Internet Web site or online
service that collects PII about individual consumers residing
in California who use or visit its commercial Internet Web
site or online service to conspicuously post its privacy
policy on its Internet Web site, or in the case of an operator
of an online service, make that policy available to consumers
in accordance with state law. [Business and Professions Code
Sec. 22575 (a).]
2)Provides that under the Song-Beverly Credit Card Act of 1971
(Credit Card Act) (Civil Code Section 1747 et seq), no person,
firm, partnership, association or corporation that accepts
credit cards shall do any of the following:
a) Require, or request, as condition of accepting the
credit card, the cardholder to write any PII upon the
credit card transaction form or other document. [Section
1747.08a(1)]
b) Require, or request, as a condition of accepting the
credit card, the cardholder to provide PII which the entity
accepting the card would then write or record upon the
credit transaction form or otherwise. [Section 1747.08a(2)]
c) Utilize in any credit card transaction, a credit card
form that contains preprinted spaces for PII of the
cardholder. [Section 1747.08a(3)]
1)Specifies that the prohibitions in a, b and c do not apply
under the following circumstances:
a) If the credit card is being used as a deposit to secure
payment in the event of default, loss, damage, or other
similar occurrence. [Section 1747.08(1)]
b) Cash advance transactions. [Section 1747.08(2)]
c) If the entity requesting the information is
contractually obligated to provide the personal information
in order to complete the transaction, or is obligated to
collect and record the PII by federal law or regulation.
[Section 1747.08(3)]
d) If the entity accepting the credit card in a sales
transaction at a retail motor fuel dispenser or retail
motor fuel payment island automated cashier uses the ZIP
Code information solely for the prevention of fraud, theft,
or identity theft. [Section 1747.08 (3)]
e) If PII is required for a special purpose incidental but
related to the individual credit card transaction,
including but not limited to, information relating to
shipping, delivery, servicing, or installation of the
purchased merchandise, or for special orders. [Section
1747.08(4)]
2)Clarifies that the prohibitions on collecting PII relating to
the credit card transaction do not prohibit a requirement
that the cardholder provide reasonable forms of positive
identification, including a driver's license or California
State identification card, or another form of identification.
[Section 1747.08(4)d]
3)Specifies that if the cardholder pays for the transaction with
a credit card number and does not make the credit card
available upon request to verify the number, the cardholder's
driver's license number or identification card number may be
recorded on the credit card transaction form. [1747.08(4)d].
4)Defines "personal identification information" (PII) as
information concerning the cardholder, other than information
set forth on the credit card, and including but not limited
to, the cardholder's address and telephone number. [Section
1747.08(3)b]
FISCAL EFFECT : None.
COMMENTS :
SB 383 is in response to a court decision from February 4, 2013,
Apple v Superior Court of Los Angeles County (Krescent) S199384
(February 04, 2013). In Apple, the California Supreme Court
opined that the state's statutory protection against the
collection of PII when making credit card purchases does not
apply to online retailers of electronically downloadable
products. The Apple decision highlights the need for California
privacy laws to be updated from the "brick and mortar" world to
the online world.
The underlying statute, the Song-Beverly Credit Card Act, passed
in 1990, generally prohibits businesses from requesting or
requiring consumers to provide unnecessary PII during a credit
card transaction. However, the court found, in essence, that
the statute and its anti-fraud provisions had been designed for
"brick and mortar" transactions that pre-dated the Internet era
and the explosion of e-commerce, and that online retailers of
electronically downloadable products were therefore outside of
the intended scope of the law.
The Court also recognized the problem of new technologies
outpacing existing laws, and the majority opinion explicitly
invited the state Legislature to revisit the matter, and update
its consumer protection laws accordingly should it so desire.
The concern raised by the court's decision is that online
retailers will have an unlimited ability to ask consumers for
any amount of personal information when making an online
transaction. It is presumed that, because of the court's
decision, online merchants selling digital goods no longer need
to worry about the Act.
Need for the bill
According to the Author, "Consumer privacy protections are
particularly crucial in the digital age, where the collection
and retention of personal information has made it possible for
individuals to unlawfully obtain millions of records during a
single breach of a company's computer systems. SB 383 states
the intent of the legislature to re-establish privacy
protections for online credit card transactions involving
downloadable products. Specifically, this bill closes a
loophole in the Song-Beverly Credit Card Act, which was created
after a State Supreme Court ruling that found that these
protections do not apply to certain online transactions."
Background
Song-Beverly Credit Card Act of 1971: Under state law, a person
who accepts a credit card for payment shall not record the
consumer's PII on the credit card transaction form, except as
specified. Originally enacted in 1971, the Act regulates the
issuance and use of credit cards and the respective rights and
responsibilities of cardholders and retailers. Section 1747.08
of the Act, in particular, seeks to protect a consumer's privacy
and to address "the misuse of personal identification
information for, inter alia, marketing purposes." Specifically,
the Act prohibits a retailer from requesting, as a condition of
acceptance of a credit card, that the cardholder provide the
retailer with PII, which is defined to mean any information
about the cardholder that does not appear on the card,
including, but not limited to, the cardholder's name and
address.
Existing law carves out reasonable exceptions to this general
rule, including where the business is contractually or legally
required to collect the information, or where the business needs
the information to perform some "special purpose," such as
shipping, installing, or servicing a purchased item. A business
that accepts credit cards is also permitted to require the
cardholder, as a condition to accepting the card as payment, to
provide reasonable forms of identification, such as a driver's
license. AB 1219 (2012 legislative year), created another
limited exception: in order to prevent fraud, a business that
sells fuel may ask the purchaser to provide a zip code in order
to process a fuel purchase at an automated fuel dispenser
island. A person or business that violates the Act is subject
to civil penalties, which may be assessed in a civil action by
an affected cardholder, or in an action brought by the Attorney
General or a district or city attorney.
"Personal Identification Information" Under Song-Beverly-Pineda:
In 2011 the California Supreme Court confronted the question of
what constitutes "personal identification information" under the
Act and, more specifically, whether a person's zip code - with
nothing else - constitutes an "address." (Pineda v. Williams-
Sonoma Stores, Inc. (2011) 51 Cal. 4th. 524.) In Pineda, a
customer sued a retailer claiming that it had violated the
provisions of the Song-Beverly Act when a store clerk asked the
customer for a zip code during the credit card transaction, and
then recorded that zip code along with the customer's name and
credit card number. The customer subsequently learned that the
retailer used this information to do a "reverse search" to
locate the customer's home address. The retailer then kept the
customer's information in a data base that it used for marketing
purposes. The customer filed the matter as a putative class
action, alleging invasion of privacy, unfair competition, and
violation of the Act. Both the trial court and the Court of
Appeal sided with the retailer, finding that a zip code, without
any other component of the address, was too general to be
considered "personal identification information." However, the
California Supreme Court reversed, holding, unanimously, that
the word "address" in the statute means either a complete
address or any portion of an address, and that a zip code is
"readily understood to be part of an address."
The Recent Apple Case - Online Businesses Held Not to Be Covered
by Song-Beverly: A bare majority of four justices held that the
Act did not apply to online businesses. The majority opinion
conceded that the statute does not make any express exception
for online business transactions - applying as it does to any
person, firm, etc. that accepts credit cards. However, the
court concluded that both the legislative history and the
overall statutory framework strongly suggest that the statute
was only meant to apply to in-person transactions at brick and
mortar businesses; online purchasers were not contemplated, as
it was crafted prior to the explosion of online commerce.
In support of this conclusion, the Court made the following
points:
When the statute was originally enacted in 1971 the Internet
did not exist, and even at the time of the most recent
amendment - 1991 - online commercial sales were virtually
non-existent and certainly not widespread, suggesting that the
original intent of the legislature concerned in-person brick
and mortar transactions.
In order to prevent fraud, the statute permits a business to
require the customer to present a form of identification, such
as a driver's license or other photo ID, so long as none of
the information is written down or recorded. This provision,
the court reasoned, showed that the overall framework did not
contemplate online transactions, for an online business would
not be able to request a photo ID for purposes of fraud
prevention.
Capp v. Nordstrom No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal.
Oct. 21, 2013)
In a recent case again centered on California's Song-Beverly
Credit Card Act, Capp v. Nordstrom, the District Court
for the Eastern District of California clarified one more point
about the Song-Beverly Act: requests for customers' email
addresses are prohibited requests for PII.
In the Nordstrom case, Plaintiff Robert Capp, as the
representative of a putative class, asserted a Song-Beverly
claim against retailer Nordstrom, Inc. Mr. Capp made a
purchase at a Nordstrom store and paid for the purchase with his
credit card. After Mr. Capp swiped his card, the Nordstrom
cashier asked Mr. Capp to enter his email address so that he
could receive his receipt by email. Mr. Capp stated that he
believed that "he was required to provide his email address
information in order to complete the transaction and receive his
receipt." Mr. Capp completed the transaction, and received a
receipt by email. According to the complaint, Mr. Capp began
receiving unsolicited promotional emails from Nordstrom on an
almost daily basis, and claimed that he saw an increase in email
traffic from other retailers, leading him to believe that
Nordstrom shared his email address with others without his
permission. Mr. Capp sued, claiming that Nordstrom's request
for his email address constituted a violation of the
Song-Beverly Act.
Nordstrom moved to dismiss the claims arguing that an email
address does not qualify as "personal identification
information" under the Song-Beverly Act. In deciding this issue
of first impression, the court relied on Pineda v.
Williams-Sonoma Stores, Inc. The court stated: "Defendant's
alleged conduct in this case - acquiring Plaintiff's email address
for one reason, sending him a receipt, and then using the
address for another reason, to send promotional emails and to
resell that information to other companies - directly implicates
the purposes of the statute as articulated by the California
Supreme Court in Pineda." Ultimately, the court held that a
customer's email address is "personal identification
information" under the Song-Beverly Act.
California's Right to Privacy
The California Constitution expressly protects an individual's
right to privacy. Added to the California Constitution in 1972
when voters adopted Proposition 11, the California privacy
provision protects an individual's right to privacy from both
governmental and private actors.
The California Supreme Court has held that the privacy provision
in the California Constitution "creates a legal and enforceable
right of privacy for every Californian." (White v. Davis (1975)
13 Cal. 3d 757, 775.) Despite this express protection, however,
just what is included in the state's constitutional right of
privacy has necessarily been developed in a body of case law.
These cases tend to be very fact-specific. As a general rule,
however, in order to maintain a claim for infringement of one's
right of privacy under the California Constitution, the
plaintiff must (1) identify a legally protected privacy
interest; (2) establish that he or she had a "reasonable
expectation of privacy" under the circumstances; and (3) show that
the defendant's conduct constituted a "serious" invasion of
privacy. If a plaintiff establishes all three of these elements,
the defendant may still show the invasion of privacy was
justified if it furthers a legitimate and competing interest.
Specifically, the California Supreme Court has held that an
"invasion of a privacy interest is not a violation of the state
constitutional right to privacy if the invasion is justified by
a competing interest."
Related Legislation
AB 844 permits the operator of a commercial Internet Web site or
online service that collects PII to request a credit cardholder
or debit cardholder to provide only the billing ZIP Code to
complete the online credit card or debit card transaction.
Pending in the Senate Banking and Financial Institutions
Committee.
Previous Legislation
AB 1219 (Perea, Chapter 690, Statutes of 2011) provided
clarification for those instances when an entity that accepts
credit cards may not request certain types of PII to complete
the transaction. Created an express exemption from the
prohibition against the collection and retention of zip code
information when the zip code is used solely for prevention of
fraud, theft, or identity theft in a sales transaction at a
retail motor fuel dispenser or retail motor fuel payment island
automated cashier.
Arguments in Support
According to the Consumer Federation of California, SB 383
provides consumers with modest privacy protection when making an
online transaction involving a downloadable product. This bill
allows a business to gather any personally identifiable
information from a customer, who is making an online transaction
for a downloadable product, as long as that information is only
used for the detection, investigation, or prevention of fraud,
identity theft or other criminal activity, or to enforce the
terms of the transaction. SB 383 also clarifies that a business
may request the consumer to voluntarily opt-in to information
gathering for other purposes, as long as the business explains the
intended use for that personally identifiable information.
According to the Consumer Attorneys of California, "instead of
permitting limited data collection for fraud prevention, as the
legislature did when it enacted the gas station amendment, the
Court voided Song-Beverly in its entirety for certain online
transactions. Under this ruling, online merchants may demand
personal information without limit from credit card holders and
use information gathered for marketing, creation of customer
dossiers, for sale to third parties, or other purposes. SB 383
strikes a balance between consumer privacy and crime prevention."
Arguments in Opposition
According to the Los Angeles Area Chamber of Commerce, "While we
appreciate that SB 383 attempts to address consumer privacy
concerns, it only creates complex and confusing regulations that
hinder Internet-based shopping and services. For example, in
order to comply with SB 383, California based businesses would
potentially have to create a two-tiered online system, one
tailored to California customers and another tailored to
non-California customers. California customers would need to
enter more personal information before completing their
purchase. The creation of unequal payment and service
systems means added costs and inefficiencies to businesses
because of the need to adapt their online system to gather the
additional California customer's information and subsequently
dispose of that information after a given date, as proposed in
the bill."
According to the California Newspaper Publishers Association,
"SB 383 would impose a significant burden if not outright
prohibition on the use of personal information that rewards
customer loyalty by making it convenient for readers and
subscribers to access downloadable content about their
communities. Newspapers, in order to survive in today's hyper
competitive media market, legitimately use personal information
as the lifeblood to obtain and retain subscribers. Keeping the
personal information of customers on file also allows readers to
readily access and purchase single stories about important
events they want as keepsakes and photographs of their kids who
are featured in an issue. This will further harm newspapers and
in some cases where a newspaper is already struggling, could be
the death blow that puts them out of business."
Questions
1)While the Apple court case only pertained to downloadable
products, the court stated as a whole that the Song-Beverly
Credit Card Act was out of touch with the internet era. This
measure takes a piecemeal approach because it only pertains to
online downloadable products. Should the legislature consider
taking a broader approach and applying the same protections to
all online transactions, similar to AB 844? Splitting up an online
shopping experience for a consumer based on whether they
purchase a downloadable product or physical item may cause
more confusion for the consumer and the online retailer.
2)This measure attempts to update credit card privacy
protections over the internet but does not address the issue
of online purchases made by a debit card. Will this measure
steer online retailers to set up a new platform for debit
cards?
3)The measure may open the door for online retailers who sell
downloadable products to ask for any information if they use
the information solely for fraud, theft, identity theft, or
criminal activity, or enforcement of terms of sale. What does
"enforcement of terms of sale" mean, and who makes these
determinations? Is this provision a potential loophole?
4)Since the Court's ruling in the Apple case, have online
retailers who sell downloadable products changed their
behavior? Are online retailers who sell downloadable products
collecting more information than is necessary to complete the
transaction since the court ruling?
Recommended Amendments & Double Referral
This measure is double-referred to the Assembly Judiciary
Committee. Should this measure pass out of the Assembly Banking
& Finance Committee, it will be heard in the Assembly Judiciary
Committee on Tuesday, June 24 at 9am. Due to this timeframe,
amendments will be adopted in the Assembly Judiciary Committee.
The author has proposed author's amendments that will be taken
in the Assembly Judiciary Committee. These amendments attempt to
clarify the author's intent of the measure as related to the
credit card holder setting up an account when purchasing a
downloadable product.
REGISTERED SUPPORT / OPPOSITION :
Support
Consumer Federation of California (Sponsor)
UFCW Western States Council (Sponsor)
American Civil Liberties Union of California (ACLU)
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California Alliance for Retired Americans
California Public Interest Research Group (CALPIRG)
California Teamsters Public Affairs Council
CALPIRG
Christ Our Redeemer (COR)
Christ Our Redeemer AME Church of Irvine
Consumer Action
Consumer Attorneys of California
Consumer Watchdog
Ecumenical Center for Black Church Studies
Engineers and Scientists of CA
International Longshore & Warehouse Union
Jesse Miranda Center for Hispanic Leadership
Los Angeles Latino Chamber of Commerce
National Asian American Coalition (NAAC)
National Hispanic Christian Leadership Conference
Orange County Interdenominational Alliance
Privacy Activism
Privacy Rights Clearinghouse
Professional and Technical Engineers
United Food & Commercial Workers Western States Council
UNITE-HERE
Utility Workers Union of America
Opposition
California Bankers Association (CBA)
California Chamber of Commerce
California Credit Union League (CCLU)
California Independent Bankers (CIB)
California Retailers Association (CRA)
CTIA - The Wireless Association
Direct Marketing Association
Internet Coalition
Los Angeles Area Chamber of Commerce
Motion Pictures Association of America
State Privacy and Security Coalition
TechAmerica
TechNet
Analysis Prepared by : Kathleen O'Malley / B. & F. / (916)
319-3081