State Sen. Hannah-Beth Jackson, D-Santa Barbara, has introduced a bill that would sharply limit the information that online sellers can gather and keep when customers use a credit card to pay for a transaction.
The bill, SB 383, is designed to address the outcome of the California Supreme Court decision earlier this year in Apple vs. Superior Court of Los Angeles County. In that case, the state’s highest court sided with Apple and agreed that sellers of downloadable products can ask for a customer’s name, address and other personally identifiable information during a credit card transaction because of the unique risk of credit card fraud online.
Physical businesses, in contrast, are allowed to ask a customer for identifying information or check a driver’s license, but the seller is prohibited from recording that information or using it in any way aside from fraud prevention. Phone and mail order operations face similar restrictions. In an interview, Sen. Jackson said the intention of the bill is to bring consumer privacy rights into parity whether a purchase is online or offline.
“It’s paralleling the process of what happens in a brick-and-mortar store when you want to buy something,” Jackson said. “They’re not entitled to take down your information, and they’re certainly not entitled to sell it to anybody.”
Apple and other Silicon Valley giants rarely disclose how they put the data they collect to use. However, many user agreements — that box most consumers click without reading before completing a transaction — give companies broad leeway to store data, sift through it and use it. Sometimes that’s through internal marketing and business intelligence, but it can also be through monetizing data.
“Some companies will aggregate the information and will sell it to other companies without our permission,” Sen. Jackson said.
It is not immediately clear what impact, if any, the bill would have on the e-commerce and digital advertising businesses in the Tri-Counties.
Digital advertisers contacted by the Business Times said the change would have no effect on their firms because they specifically avoid dealing in personally identifiable information.
The bill would not affect e-commerce businesses that collect addresses for shipping or providing physical services, but it would affect sellers of software and online services. Several business-to-business software providers contacted by the Business Times said very few of their business clients pay via credit card.
Goleta-based Citrix Online, the region’s largest seller of software services directly to consumers, said that it had not yet formally reviewed the proposal but that it aims to create a “trusting experience” with its users and complies with all applicable laws.
The bill would ban online sellers from asking for anything other than the minimum to reasonably prevent fraud, such as billing ZIP codes. Sellers would have to securely destroy that information and would be banned from sharing it with third parties.
Richard Holober, executive director of the Consumer Federation of California, a privacy group that pushed for the bill, said it will contain some exceptions and flexibility. Sellers would be allowed to keep information for some period of time — perhaps 60 days — so that consumers who believe a transaction was fraudulent will have time to contest the charge through their credit card companies. And while ZIP codes are currently sufficient to verify identity when using credit cards at gas stations, other data points might be needed in the future, though they too would only be kept temporarily.
“We plan to make an amendment that there could be other data required in the future for fraud prevention. If in fact it is required, then an online merchant would be able to collect it,” Holober said.
Moreover, merchants would still have leeway to keep information related to transactions as online and offline commerce blend.
“You’re not having something shipped — you’re ordering online but going to go down to Macy’s to pick it up. If you don’t show up, there’s a legitimate need for them to have your phone number, but that’s specific to that transaction and the use of that should be limited to that transaction,” Holober said.
The California Supreme Court’s decision did not address how companies can use the information they keep, but Holober said that big firms’ ability to filter and combine data from different sources could lead to disclosures that consumers never intended to make.
“We think that Apple and other merchants have a great interest in developing very comprehensive dossiers on their customers and using that for marketing and sales to third parties,” Holober said. “The kind of data collected could include very private information, information that could go well beyond the address, zip code and phone number but could also include our online purchasing and searching habits and the websites you visit. That could reveal all sorts of information — your sexual orientation, your medical concerns, your political activity.”