California Senate Passes Privacy Bill Restricting E-tailers' Collection of Customer Data
In the wake of recent highly publicized consumer data breaches, the California Senate has passed S.B. 383 (the "Bill"), a bill that restricts the personal identification information that retailers can collect from consumers making online credit card purchases of downloadable content. The Bill provides for penalties of $250 for an initial violation and $1,000 for subsequent violations, which can become significant if aggregated in a class action.
Decades ago, the California Legislature enacted the Song-Beverly Credit Card Act of 1971 ("Song-Beverly" or the "Act") to govern the issuance and use of credit cards. In 1990, the Act was amended to specifically address the misuse of personal identification information by retailers for marketing purposes. The amended Song-Beverly forbid retailers from requesting and recording a customer's personal identification information during a credit card transaction.
On January 30, the state Senate passed S.B. 383, introduced by Senator Hannah-Beth Jackson last year to amend the Act. The Bill would restrict the seller of a downloadable product from requesting or requiring that customers provide certain personal information to complete an online credit card transaction, except to the extent that the retailer collects such information to protect against fraud and other similar purposes. Proponents of the bill claim that this legislation will fill a gap in consumer identity protection that resulted from a California Supreme Court decision last year. In a 4–3 decision, the Court held Song-Beverly does not apply to an online transaction involving a downloadable product, and as a result, the privacy protections of the Act do not apply to such transactions.
The Bill was introduced in response to the Supreme Court decision. The Bill originally contained broad language restricting the personal information that could be required or requested by retailers for all online transactions, except where the information would be collected to protect against fraud. The Senate scaled back the Bill's scope and passed an amended version that applies only to online transactions involving a downloadable product. The amended version of S.B. 383 allows online businesses to collect personal identification information from customers only if that data is used solely to prevent, detect, or investigate fraud, theft, identity theft, or criminal activity, or for enforcement of terms of sale. Any data collected must be destroyed in a secure manner when it is no longer needed for these purposes.
Also, the Bill prohibits the data collected from being sold or shared or aggregated with any other personal identification information, except to the extent required under state or federal law. The Bill provides an additional exception that allows a retailer to request, but not require, personal information from a cardholder in an online transaction involving a downloadable product if the customer opts into the collection of the information and is notified (i) that providing the information is not required to complete the transaction, (ii) of the purpose of the retailer's request, and (iii) of the intended use of the information.
As S.B. 383 moves to the Assembly, online retailers selling downloadable products should consider the impact this law could have on their customer online data collection practices and policies.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Katherine S. Ritchey
Mauricio F. Paez
Gregory P. Silberman
Abigail C. Johnson, an associate in the San Francisco Office, assisted in the preparation of this Alert.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.