The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases. Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products. The bill aims to close a perceived gap in the data privacy protections afforded to California residents, by placing these types of transactions within the scope of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring certain customer personally identifiable information as a condition to accepting credit card payment.
Does this all sound vaguely familiar? If so, that is likely because SB 383, in its current form, is just the latest development in a series of efforts to adapt Song-Beverly, a law that pre-dates the modern internet, to current retail and data collection practices.
The battle over how far the provisions of Song-Beverly can be extended began in earnest after the California Supreme Court, in Pineda v. Williams-Sonoma Stores, held that in the interest of advancing the privacy protection goals of Song-Beverly, the term “personal identification information” should be ready broadly to include the ZIP codes of customers. After the Pineda decision, a number of class action suits were filed arguing that Song-Beverly should apply to online merchants in addition to brick-and-mortar stores. In February 2013, however, the Court held, in Apple v. Superior Court (Krescent), that Song-Beverly’s restrictions on collecting personal information in connection with credit card transactions do not apply to online sales of electronic downloadable products. Sellers of online downloadable material, the Krescent Court held, would not be able to rely on the methods of fraud control, such as asking to see the purchaser’s driver’s license or State-issued ID, that are explicitly permitted by Song-Beverly.
The original version of SB 383 was introduced, in part, in reaction to the Krescent decision. The language of the original bill broadly applied to all online transactions and only permitted a seller to require and retain personal information when required to prevent fraud, theft or identity theft. SB 383 faced strong opposition from a number of tech and online commerce associations who claimed the original bill was overreaching, as well as the California Chamber of Commerce, and ultimately stalled in the legislature.
And now, at last, we arrive at the current SB 383, which we’ll refer to as “New SB 383”. The re-introduced bill, which passed the Senate with the minimum number of votes at the end of January, differs from its predecessor in a number of important ways:
New SB 383 applies only to online transactions involving an electronic downloadable product (the same subset singled out in the Krescent decision), rather than online transactions generally.
In addition to prevention of fraud, theft or identity theft, New SB 383 permits sellers to require and retain personal information of consumers for (i) the detection or investigation of fraud, theft or identity theft, (ii) the detection, investigation or prevention of criminal activity or (iii) the enforcement of terms of sale.
New SB 383 allows sellers to share consumer personal information when required by state or federal law or when contractually obligated to share the information with another entity for purposes of (i) verifying the purchaser’s information, (ii) completing the transaction, (iii) detecting, investigating or preventing fraud, theft, identity theft, or criminal activity or (iv) enforcing terms of sale.
New SB 383 includes a process through which sellers can have consumers opt-in to having information collected, so long as consumers are contemporaneously given notice (i) that providing the information is not required to complete the transaction, (ii) of the purpose of the request and (iii) the intended use of the information. Consumers must also be given an additional opportunity to opt-out before the purchase transaction is completed.
New SB 383 is notable for a few reasons. First, the use of the terms “contemporaneously” and “before” in the opt-in/opt-out process show a clear move toward statutory requirements for just-in-time notification (part of the concept of “Privacy by Design” that has been endorsed and recommended by, among others, the Federal Trade Commission and California Attorney General Kamala Harris). Second, some of the added language appears likely to be subject to disputes in interpretation (defining, for example, the scope of information that could be retained for purposes of “enforcement of terms of sale” seems problematic), and since Song-Beverly includes a private right of action, there is a substantial likelihood that those questions of interpretation would be presented in the form of civil actions.
The changes made to SB 383 seem intended to narrow the scope of the bill in an effort to win over some of the original bill’s detractors. However, the most important change determining the fate of New SB 383 may not be in the language of the bill at all. In recent weeks a number of high profile data breaches have hit the front pages and affected millions of consumers. In the press release announcing the Senate’s passing of SB 383, Senator Hannah-Beth Jackson is quoted as saying that these recent data breaches have “reminded us all how vulnerable our personal information can be unless we put safeguards in place to protect it.” In choosing this moment to resurrect SB 383, Senator Jackson is likely wagering that an uptick in consumer worries can tip the political balance against ongoing industry concerns.
New SB 383 will now move to the Assembly.