SENATE DOCKET, NO. 63 FILED ON: 1/12/2009
SENATE . . . . . . . . . . . . . . No. 187
|
The Commonwealth of Massachusetts
_______________
In the Year Two Thousand Nine
_______________
An Act to restore consumer control over the private information collected by retail discount cards.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. General information.
(a) Short title:
This law’s short title is “The Consumer Privacy Restoration Act.”
(b) General objectives:
This law has the purpose of creating a more informed consumer and restoring consumer control over private information in the context of retail discount cards.
(c) Applications or general principles section:
(i) A court shall resolve ambiguities in this law in a way that will protect consumer privacy, create a more informed consumer with regard to retail discount card practices, and curb deceptive retail practices with regard to the collection and sale of private information.
(ii) A court shall construe a violation of this law as an unfair business practice as defined in section 2 of chapter 93A of the General Laws.
SECTION 2. Section 104 of chapter 93 of the General Laws, as appearing in section 1 of chapter 414 of the acts of 1991, is hereby amended by striking the first sentence and inserting the following sentence:- For the purposes of this section and sections 105 through 105C inclusive, the following words have the following meanings:
SECTION 3. Section 104 of chapter 93 of the General Laws, as so appearing, is hereby further amended by inserting the following paragraphs after the first sentence:- “Anonymous purchasing behavior data”, cardholder purchasing behavior data that contains none of the cardholder’s private information.
“Card-issuer”, a person who engages in the business of making sales at retail or for use, storage or consumption and who operates a retail discount card program; this definition subsumes all the person’s subsidiaries and agents.
“Cardholder”, a consumer to whom a retailer has issued a retail discount card, or a consumer who is applying for a retail discount card.
SECTION 4. Section 104 of chapter 93 of the General Laws, as so appearing, is hereby further amended by adding the following paragraphs:- “Personally identified purchasing behavior data”, cardholder purchasing behavior data which may contain one or more of the following: the cardholder’s name, telephone number(s), street address, city, state, ZIP code, E-mail address and birthdate.
“Purchasing behavior data”, information a card-issuer collects about a cardholder’s buying habits, including product preference, transaction size and time, location and frequency of shopping trips.
“Private information”, a cardholder’s personally identifiable information, including first name, last name, initials, telephone number(s), street address, city, state, ZIP code, month and day of birth, social security number, driver’s license number, E-mail address, employer, credit card or bank account balances or numbers and retail discount card account numbers.
“Retail discount card”, a card, tag, coupon booklet or device that a retailer issues to consumers and which a cardholder presents to a retailer at the time of a transaction to obtain discounts on retail products or services the card-issuer offers.
SECTION 5. Chapter 93 of the General Laws is hereby amended by inserting after section 105 the following sections:-
Section 105A. Card-issuers, restrictions on.
(a) A card-issuer shall not withhold incentives from or offer additional incentives to a cardholder based upon any provisions of this section. A card-issuer shall not charge a cardholder a fee for any performance in conformity with this section.
(b) A card-issuer may collect a cardholder’s anonymous purchasing behavior data. A card-issuer may disclose this anonymous purchasing behavior data to its agents and subsidiary companies. When a cardholder has granted a card-issuer the permission to do so, the card-issuer may collect the cardholder’s personally-identified purchasing behavior data and distribute the cardholder’s personal information and personally-identified purchasing behavior data to its agents or subsidiary companies. When a cardholder has granted a card-issuer the permission to do so, the card-issuer may sell, rent, lease or disclose the cardholder’s personal information and personally-identified purchasing behavior data to a third-party.
(c) Retail discount card applications:
(i) On a retail discount card application, a card-issuer shall not require a cardholder to provide the following information: telephone number(s), E-mail address, birth date, social security number, employer or income. Unless a cardholder seeks to use the retail discount card for check-cashing or other financial services, a card-issuer shall not require a cardholder to provide a driver’s license or other identification. If a cardholder provides personally-identified information to obtain check-cashing privileges or other financial services in connection with the retail discount card, or if a cardholder completes a transaction with a credit card, the card-issuer shall not connect this information in conjunction with the cardholder’s purchasing behavior data unless the cardholder grants the card-issuer permission to do so. If a cardholder requests to obtain a retail-discount card anonymously, a card-issuer shall permit the cardholder to do so.
(ii) On a retail discount card application, a card-issuer shall clearly and conspicuously print:
(A) a list of all agents and subsidiary companies to which the card-issuer will disclose the cardholder’s purchasing behavior data;
(B) the pertinent aspects of this section and section 105C in language the office of consumer affairs provides according to section 105B(a)(ii); and
(C) other information as the office of consumer affairs and business regulations may mandate.
(iii) On a retail discount card application, a card-issuer shall present a cardholder with the opportunity to choose from among the three following privacy options:
(A) the card-issuer may collect the cardholder’s anonymous purchasing behavior data and the card-issuer may disclose this data to its agents and subsidiary companies;
(B) the card-issuer may collect the cardholder’s personally-identified purchasing behavior data, and the card-issuer may disclose this data to its agents and subsidiary companies; or
(C) the card-issuer may collect the cardholder’s personally-identified purchasing behavior data, and the card-issuer may disclose this data to its agents and subsidiary companies. The card-issuer may sell, rent, lease or disclose this data to a third-party.
(iv) A card-issuer shall print the privacy options set out in (c)(iii) in language the office of consumer affairs and business regulations provides according to section 105B(a)(i). A card-issuer shall print these options on the first page of the application in a typeface no smaller than 12 points (one sixth of an inch high) and no smaller than the smallest type on the application.
(iv) If a cardholder does not choose one of the three options set out in (c)(iii), a card-issuer may only collect the cardholder’s anonymous purchasing behavior data and disclose this data to its agents and subsidiary companies. Once a cardholder selects a privacy option, a retailer shall honor that selection until such time when the cardholder selects a different privacy option.
(d) A card-issuer shall provide a cardholder with the following notice and choices:
(i) On the day this section takes effect and once per calendar year thereafter, a card-issuer shall mail to existing cardholders a letter informing the cardholder of the cardholder’s right to choose from among the three privacy options. The card-issuer shall alter its collection of the cardholder’s purchasing behavior data accordingly within 30 days of the cardholder’s response to the letter. Once a cardholder selects a privacy option, a retailer shall honor that selection until such time when the cardholder selects a different privacy option. The card-issuer shall construe a cardholder’s lack of response to the letter as permission to continue collecting and sharing the cardholder’s data without alteration. In the letter, the card-issuer shall include the following:
(A) a summary of the pertinent provisions of this section and section 105C in language the office of consumer affairs and business regulations provides according to section 105B(a)(iii);
(B) the opportunity to choose from among the three privacy options as set out in (c)(iii) and in language the office of consumer affairs and business regulations provides according to section 105B(ii);
(C) a toll-free telephone number, E-mail address, website address or self-addressed postage-paid envelope for the cardholder’s response;
(D) a statement that cardholders may respond to the letter at any time; and
(E) other information as the office of consumer affairs and business regulations may mandate.
(ii) At a card-issuer’s customer service desk, return desk or the equivalent, and in at least one place in the retail location, a card-issuer shall post a sign detailing the pertinent provisions of this act in language the office of consumer affairs and business regulations provides according to section 105B(a)(iii) and in typeface no smaller than 54 point (three-quarters of an inch high). The card-issuer shall place the sign in plain view no further than five feet from where a cardholder may stand, and at a height no lower than four feet and no higher than eight feet from the ground.
(iii) On a cardholder’s receipt of transaction and on a retail discount card larger than three square inches, a card-issuer shall print the Attorney General’s Consumer Hotline telephone number with the caption, “Is this retailer selling your private information without your permission? Call the Attorney General’s Consumer Hotline to report violations of the Consumer Privacy Restoration Act.” The retailer shall print this information in typeface no smaller than nine points (one eighth of an inch high) and no smaller than the smallest typeface on the retail discount card or receipt.
(e) Once per calendar year and upon a cardholder’s verbal or written request, a card-issuer shall provide the cardholder with the cardholder’s purchase behavior data free of any processing, printing, postage, shipping or handling fees or other costs. After a cardholder’s first request of a calendar year, a card-issuer may charge the cardholder a nominal fee for this data.
(f) A card-issuer shall not seek to admit a cardholder’s purchasing behavior data as evidence in its defense in any civil action to which the card-issuer and the cardholder are parties. A card-issuer shall not use a cardholder’s purchasing behavior data as a basis for litigation. A card-issuer shall not provide a third-party with a cardholder’s purchasing behavior data for the purpose of litigation.
(g) This section shall take effect 60 days after the day sections 105B and 105C take effect.