Companies That Process Payment Cards Need to Comply with the California Privacy Rights Act

In November 2020, California voters passed the California Privacy Rights Act (Proposition 24 or “CPRA”) with more than 56% of the vote. It amends and strengthens the existing California Consumer Privacy Act (“CCPA”). The CPRA's new provisions take effect on January 1, 2023; until then, the individual rights granted by the CCPA remain in effect.

What is the CCPA and what does it affect?

Companies that process payment cards (credit and debit cards) typically enter into a written agreement with a payment processor. Those contracts specify that payment card information is owned by the Payment Card Brands (Visa, Mastercard, American Express, and Discover) and require the company to agree to the Payment Card Brands' published rules and procedures (the “Payment Card Brand Rules”). Some consumers simply assume that a company owns the payment card information it collects when it processes their cards. In fact, it is the Payment Card Brand Rules that govern how a particular company may use payment card related information.

The CCPA also requires that a payment processing service provider agree to three substantial restrictions on its use, disclosure, and retention of personal information. The CPRA adds to these requirements: the written contract with the payment processing service provider must include additional provisions clarifying the permitted use, disclosure, and retention of personal information.

What does this mean for my company?

The good news is that the CCPA and the Payment Card Brand Rules are currently aligned. On use restrictions, a payment processing service provider may only process personal data consistent with the business's (the controller's) documented instructions. There must be confidentiality restrictions ensuring that every person or entity authorized to process personal data has committed to confidentiality. And the payment processing service provider must delete or return the data at the end of the engagement.

As a result, several companies have begun contacting their payment processing service providers to require that the provider or the merchant bank sign a new contract addendum. For example, one auto dealership recently sent a contract addendum to its payment processing service provider to ensure compliance with the CCPA. That addendum requires that: (a) the service provider agree to restrictions on its use of personal information and to protect that information; (b) the service provider not sell the personal information of consumers; and (c) the service provider not retain, use, or disclose personal information except within certain limitations.

Consult with an Attorney

If you or your company receive a similar request, it would be wise to consult an experienced attorney well versed in the electronic payments industry and the CCPA to advise on the best way to respond while keeping the business relationship thriving. The takeaway is that these contract addenda need to be narrowly tailored so that independent sales organizations (ISOs) and payment processors are not forced into contracts with harsher terms than the Payment Card Brand Rules themselves impose.

About Global Legal Law Firm

Global Legal Law Firm has years of experience tracking legal developments in the electronic payments space and helping clients develop strategies for the various laws and prevailing interpretations across the United States. We have helped clients with compliance advice, drafting and negotiating business contract terms and conditions, defending state and federal regulatory actions, and representation in civil litigation involving electronic payment transactions and electronic payment companies. Contact us today to help your organization.