
Potentially.

Some consumers may assume that a company owns the payment card-related information that it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant bank. Those contracts often specify that payment card-related data is “owned” by the payment brands (i.e., Visa, MasterCard, American Express, and Discover) and require the company that accepts the payment card to agree to the payment brands’ published rules and procedures (collectively referred to as the “payment brand rules”).1 The payment brand rules contractually govern how a company may use payment card-related information.

The CCPA requires that a service provider agree to three substantive restrictions involving their use, disclosure, and retention of personal information. The CPRA amended the CCPA to require that, beginning on Jan. 1, 2023, a written contract with a service provider include additional clarifications and provisions regarding the use, disclosure, and retention of personal information.

The following chart compares the substantive requirements within the CCPA’s definition of a service provider with those requirements that would be contractually imposed upon a company that has agreed to comply with the payment brand rules:

Requirement                                                                                                    | CCPA | Payment Brand Rules
---------------------------------------------------------------------------------------------------------------|------|--------------------
1. Use Restrictions. A service provider can only process personal data consistent with a controller’s documented instructions. | [2]  | [3]
2. Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | [4]  | [5]
3. Delete or return data. Service provider will delete or return data at the end of the engagement.            | [6]  | [7]

1 See, e.g., American Express Merchant Operating Guide § 3.5 (stating that all Cardmember information is the “sole property” of American Express).

2 Cal. Civ. Code 1798.140(v) (Oct. 2020).

3 For example, American Express’s Merchant Operating Guide states that a merchant must not “use” Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).

4 Cal. Civ. Code 1798.140(v) (Oct. 2020).

5 For example, Mastercard’s rules prohibit a merchant from “in any manner disclos[ing] Account or Transaction data, including but not limited to the Account PAN [Primary Account Number] . . . or personal information of or about a Cardholder to anyone other than its Acquirer, to the Corporation, or in response to a valid government demand.” Mastercard Rules dated Aug. 4, 2020, at 110 (Rule 5.13). The American Express Merchant Operating Guide also provides that a member may not “disclose Cardmember Information” other than as permitted by American Express. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).

6 Cal. Civ. Code 1798.140(v) (Oct. 2020).

7 For example, American Express’s Merchant Operating Guide states that a merchant must not “store” Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5). It further states that after the termination of the agreement, such information may only be retained as permitted by the PCI DSS. Id.

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognition from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association’s primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association’s primary publication on the California Consumer Privacy Act (CCPA).

Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on cyber risks associated with mergers and transactions. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.

Jena is a passionate advocate of diversity and inclusion. She currently serves as a board member of the Chicago chapter of the Women in Law Empowerment Forum.