In the wake of recent highly publicized consumer data breaches, the California Senate has passed S.B. 383 (the "Bill"), a bill that restricts the personal identification information that retailers can collect from consumers making online credit card purchases of downloadable content. The Bill provides for penalties of $250 for an initial violation and $1,000 for subsequent violations, which can become significant if aggregated in a class action.
Decades ago, the California Legislature enacted the Song-Beverly Credit Card Act of 1971 ("Song-Beverly" or the "Act") to govern the issuance and use of credit cards. In 1990, the Act was amended to specifically address the misuse of personal identification information by retailers for marketing purposes. The amended Song-Beverly forbade retailers from requesting and recording a customer's personal identification information during a credit card transaction.
On January 30, the state Senate passed S.B. 383, introduced by Senator Hannah-Beth Jackson last year to amend the Act. The Bill would restrict the seller of a downloadable product from requesting or requiring that customers provide certain personal information to complete an online credit card transaction, except to the extent that the retailer collects such information to protect against fraud and other similar purposes. Proponents of the bill claim that this legislation will fill a gap in consumer identity protection that resulted from a California Supreme Court decision last year. In a 4–3 decision, the Court held Song-Beverly does not apply to an online transaction involving a downloadable product, and as a result, the privacy protections of the Act do not apply to such transactions.
The Bill was introduced in response to the Supreme Court decision. The Bill originally contained broad language restricting the personal information that could be required or requested by retailers for all online transactions, except where the information would be collected to protect against fraud. The Senate scaled back the Bill's scope and passed an amended version that applies only to online transactions involving a downloadable product. The amended version of S.B. 383 allows online businesses to collect personal identification information from customers only if that data is used solely to prevent, detect, or investigate fraud, theft, identity theft, or criminal activity, or for enforcement of terms of sale. Any data collected must be destroyed in a secure manner when it is no longer needed for these purposes.
Also, the Bill prohibits the data collected from being sold or shared or aggregated with any other personal identification information, except to the extent required under state or federal law. The Bill provides an additional exception that allows a retailer to request, but not require, personal information from a cardholder in an online transaction involving a downloadable product if the customer opts into the collection of the information and is notified (i) that providing the information is not required to complete the transaction, (ii) of the purpose of the retailer's request, and (iii) of the intended use of the information.
As S.B. 383 moves to the Assembly, online retailers selling downloadable products should consider the impact this law could have on their online customer data collection practices and policies.