California Book Legislation Doesn’t Understand How Retailers Work
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
If you’re selling books in California, you may soon have to handle all customer data very differently. If a piece of legislation now winding its way through the California legislature becomes a law, new restrictions on your record-keeping and file maintenance will extend far beyond the sales of actual books.
The legislation, which has more holes than a chunk of Swiss cheese, would place these burdens on retailers while ignoring a lengthy list of other people in the retail environment who have access to the identical data. The key problem: The writers of the legislation didn’t think much about how retailers do their magic.
For example, the statute would make it illegal for a book retailer—and presumably any employee of that retailer—to disclose information about book (and, for that matter, all types of) purchases to police. But it places no restrictions on the volumes of other people who have access to the identical data, including card processors, card brands and possibly POS vendors. What about the employees of the security firm that handles the security cameras and other customers? Both are groups who might see or overhear the information. What if a third-party firm handles the loyalty/CRM system? If the transaction is handled by the customer’s mobile device, that brings in an entirely different set of people who might know about a purchase.
If a receipt for a book is E-mailed to the consumer (or sent by SMS or other means), the ISP and E-mail provider could be forced to give the cops that information (which confirms the name of the book). If books are read online or through, say, the Kindle app for a computer or iPhone, although Amazon might not have to turn over the records (as a provider), Apple, AT&T, Verizon or another ISP would enjoy no such legal restriction/protection.
It would be like saying that Barnes and Noble couldn’t turn over records of what customers bought, but the chain’s security company could be forced to turn over the high-def security tapes of customers—book in hand—at the cash register. Although the videotape would be “personal information” under the statute, because it would include “information that relates to, or is capable of being associated with, a particular user’s access to or use of a book service or a book, in whole or in partial form,” the security company would not be a provider of a book service and, therefore, would not be covered by this law.
If the government really wants to know what someone is reading without a court order, it could subpoena family members, other customers or even members of a book club—indeed anyone who is not a provider—to try and find out.
Many years ago, I helped represent a local Washington, D.C., bookstore that received a subpoena from a special prosecutor demanding the production of cash-register receipts for book purchases by a particular former White House intern named Monica Lewinsky. After reaching a deal with prosecutors, Lewinsky herself agreed to provide these records. But the case raised both First Amendment and general privacy concerns that have recently been addressed by the State of California in its proposed “Reader’s Privacy Act,” for which public hearings are scheduled for August 17.
If enacted and signed, the bill would prohibit anyone who provides a book service with the primary purpose of selling or lending books from disclosing customer personal information (including IP address) without a valid court order supported by probable cause, unless there is some imminent danger of death or serious injury.