SB 383: Battle For Privacy In Online Purchases Falters After 2-Year Fight


Update June 23, 2014: Sen. Hannah-Beth Jackson pulled her bill from the Assembly Banking and Finance Committee agenda this afternoon. The bill will not advance.

MARCH 26, 2013 The Consumer Federation of California is sponsoring SB 383 (Jackson) to restore privacy protection for online credit card purchases, which was recently eliminated by a bad California Supreme Court decision.

In February, a 4-3 Supreme Court majority delivered a blow to consumer advocates worried about privacy in cyberspace. The Court ruled that online merchants can require consumers to furnish personal information including address, phone number, and other data in order to make credit card purchases.

This means that the Song Beverly Credit Card Act – which prohibits retailers from collecting and recording a customer’s personal identifying information as a condition of accepting payment by credit cards – does not apply to transactions relating to the multibillion-dollar online commerce world, only to brick-and-mortar establishments.

Instead of requiring limited data collection for fraud prevention, the Court voided Song Beverly in its entirety for certain online transactions. Under this ruling, online merchants may demand personal information, without limit, from credit card holders, and use the information gathered for marketing, creation of customer dossiers, for sale to third parties, or other purposes.

“Consumers deserve privacy protection when they use a credit card. Privacy should not be eliminated when a credit card is used online, but unfortunately that is the law today,” said Richard Holober, Executive Director, Consumer Federation of California. “SB 383 eliminates this double standard, and gives online shoppers the same privacy rights that California consumers enjoy when they use a credit card at a store.”

The fact is, online merchants can protect against fraud without forcing buyers to turn over unnecessary personal information in credit card transactions. For example, fraud prevention hardly explains why Apple and other online companies need a customer’s telephone number, which isn’t necessary to complete a credit card transaction or to verify identity.

“Workers in retail stores are already able to assure their customers that their personal information is safeguarded when they use a credit card. Consumers should have that same protection when they shop online. SB 383 helps complete the circle of consumer protections that are necessary for the online marketplace to work,” said James Araby, Executive Director, United Food and Commercial Workers Western States Council.

“SB 383 allows online merchants to collect only the personal information that is needed to stop fraud or identity theft,” remarked Beth Givens, Executive Director, Privacy Rights Clearinghouse. “As important, it prohibits online merchants from using that private information for marketing, data mining or for sale to third parties.”

SB 383 strikes a balance between consumer privacy and crime prevention. It would close the loophole for online commerce opened by the Apple decision and would make it clear that the credit card privacy law applies to all transactions, regardless of the technology used. SB 383 would allow online businesses to collect only a customer’s zip code and other limited information necessary to combat fraud or identity theft, and require the information will be destroyed when the crime prevention purpose is concluded.

Consumer privacy organizations supporting SB 383 (partial list):

Consumer Federation of California (co-sponsor)
American Civil Liberties Union of California
California Alliance for Retired Americans
California Public Interest Research Group
Consumer Action
Electronic Frontier Foundation
Privacy Rights Clearinghouse
United Food and Commercial Workers Council (co-sponsor)


The case is Apple Inc. v. Superior Court of Los Angeles County, arising from a lawsuit filed by David Krescent, who alleged that Apple had violated his privacy when it required his telephone number and address to complete credit card purchases of downloadable audio and video files. Lower courts ruled against Apple.

The 4-3 Court majority rewrote history, and concluded that – because online commerce did not exist when the Song Beverly Act was enacted and amended in the early 1990s – the law cannot apply to online transactions.
Without weighing evidence, the Court assumed that online purchases open new opportunities for fraud or identity theft. But instead of carving out a narrow privacy exception for fraud prevention, the Court majority gave online businesses a license to collect all sorts of personal data, with no limitation on how the data may be used.

This decision retreated from the ardent pro-consumer construction the Court had given the Song Beverly Act in 2011 in Piñeda v. Williams-Sonoma Stores. In that case, a unanimous California Supreme Court ruled the retail chain violated the Song Beverly Act by collecting ZIP codes from customers. The Consumer Federation of California filed an amicus brief in that case – and the Court sided with consumers.

This new ruling flies in the face of the clear language of the Act, which covers all credit card transactions, not just those limited to in-person transactions.

The three dissenting justices warned that the decision erodes online privacy protections for consumers. Justice Baxter pointed out that “there is nothing in the record” of this case to discern that Apple needed the cardholder’s address and phone number to prevent fraud or identity theft. Justice Joyce Kennard wrote, “The majority’s decision is a major win for (merchants), but a major loss for consumers, who in their online activities already face an ever-increasing encroachment upon their privacy.”

The California Legislature long ago recognized that retailers don’t have the right to gather personal information from credit card users for marketing purposes. This has been California law for more than two decades and the Court’s recent opinion is a gift to online businesses, many of which have demonstrated a callous disregard for consumer privacy.

Apple: Rotten to the Core

Apple has led fierce business opposition to SB 383, along with other high tech and retail industry businesses.

Apple claims SB 383 would harm the company by forcing it to differentiate California customers from those living elsewhere.

Apple fails to mention that it complies with the stricter privacy rules in place in many of the 156 countries where it conducts sales.

Apple has a lengthy record of disregarding consumer privacy.

The company is sitting on $147 billion in cash reserves. Apple has avoided paying US corporate income tax on $44 billion over the past three years by accounting gimmicks to hide assets in Ireland, a tax haven.