AB 844: Trojan Horse that would have destroyed credit card privacy protections
Update: AB 844 died in committee in June 2013.
AB 844 (Dickinson) is being touted as a bill to protect consumers’ personal information for online credit card purchases, with claims it will better protect consumers’ privacy by safeguarding against the exploitation of personal information.
Unfortunately, newly amended AB 844 is a Trojan Horse that actually destroys brick-and-mortar store credit card privacy protections of current California law, and eliminates any hope for privacy protections for credit cardholders in online transactions.
Since 1991, the Song-Beverly Credit Card Act has prohibited businesses from requesting or requiring personal identification information including, but not limited to, a cardholder’s address and telephone number in a purchase using a credit card.
In February 2013, a 4-3 California Supreme Court majority delivered a blow to consumers worried about privacy in cyberspace. The majority ruled that online merchants can require consumers to furnish personally identifiable information, including address, phone number, and other data in order to make online credit card purchases. The Court stated that the remote nature of the transaction creates a heightened risk of fraud that was not contemplated when the privacy provisions were enacted.
Originally, AB 844 was intended to restore consumer privacy protections in online transactions in response to the Court’s recent ruling. As introduced, the bill applied the principle of privacy to online credit and debit card transactions, with limited new exceptions for fraud prevention.
But in sharp contrast to its original intent, the amended bill would eviscerate the privacy provisions that have applied to brick-and-mortar and other credit card purchases for over 20 years.
AB 844 would give merchants in any credit card transaction a license to violate a consumer’s right to privacy with impunity.
These amendments would not advance the legislative goal of the Song-Beverly Credit Card Act. They actually exacerbate the risks articulated by the Legislature and numerous California courts.
A 1991 amendment to Song-Beverly added a prohibition on “requesting” personal information in a credit card transaction to prevent “a retailer from making an end-run around the law by claiming the customer furnished the personal identification data ‘voluntarily.’” The amendment was to stop merchants and others from data mining, stating the “1991 amendment was to prevent retailers from ‘requesting’ personal identification information and then matching it to the consumer’s credit card number.”
However, under AB 844, a retailer may record personal identification information if the cardholder is advised or “it is apparent” that the requested information is not required for a purchase. The amendments would allow a defendant to argue that the privacy protections are waived if a retailer puts up a small sign in the store saying that the personal identification information is not required, even if a customer never saw the sign.
The amendments to AB 844 would also permit online merchants to bypass the privacy of a credit cardholder’s personal identification information by allowing a business to collect this information if it is part of an “account” that a business creates for a customer. This language provides online businesses a loophole against privacy protection, since virtually every online credit card transaction is, or would become, associated with a cardholder’s “account.”
AB 844 would license all merchants – of brick-and-mortar and online businesses alike – to use personal identification information for any purpose, including marketing, customer profiling, or sale to third parties.
The bill will be voted on by the Senate Banking and Financial Institutions Committee on Wednesday, July 3. To protect consumer privacy, and to protect credit card holders from greater risk of identity theft, the Consumer Federation of California opposes AB 844.