Potentially.
Some consumers may assume that a company owns the payment card-related information that it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant bank. Those contracts often specify that payment card-related data is “owned” by the payment brands (i.e., Visa, Mastercard, American Express, and Discover) and require the company that accepts the payment card to agree to the payment brands’ published rules and procedures (collectively referred to as the “payment brand rules”).[1] The payment brand rules contractually govern how a company may use payment card-related information.
The CCPA requires that a service provider agree to three substantive restrictions on its use, disclosure, and retention of personal information. The CPRA amended the CCPA to require that, beginning on Jan. 1, 2023, a written contract with a service provider include additional clarifications and provisions regarding the use, disclosure, and retention of personal information.
The following chart compares the substantive requirements within the CCPA’s definition of a service provider with those requirements that would be contractually imposed upon a company that has agreed to comply with the payment brand rules:
| Requirement | CCPA | Payment Brand Rules |
|---|---|---|
| 1. Use restrictions. A service provider can only process personal data consistent with a controller’s documented instructions. | [2] | [3] |
| 2. Disclosure restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | [4] | [5] |
| 3. Delete or return data. Service provider will delete or return data at the end of the engagement. | [6] | [7] |
[1] See, e.g., American Express Merchant Operating Guide § 3.5 (stating that all Cardmember information is the “sole property” of American Express).
[2] Cal. Civ. Code § 1798.140(v) (Oct. 2020).
[3] For example, American Express’s Merchant Operating Guide states that a merchant must not “use” Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).
[4] Cal. Civ. Code § 1798.140(v) (Oct. 2020).
[5] For example, Mastercard’s rules prohibit a merchant from “in any manner disclos[ing] Account or Transaction data, including but not limited to the Account PAN [Primary Account Number] . . . or personal information of or about a Cardholder to anyone other than its Acquirer, to the Corporation, or in response to a valid government demand.” Mastercard Rules dated Aug. 4, 2020, at 110 (Rule 5.13). The American Express Merchant Operating Guide also provides that a merchant may not “disclose Cardmember Information” other than as permitted by American Express. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5).
[6] Cal. Civ. Code § 1798.140(v) (Oct. 2020).
[7] For example, American Express’s Merchant Operating Guide states that a merchant must not “store” Cardmember information for any purpose not specified in the Merchant Operating Guide. American Express Merchant Operating Guide dated Oct. 2020 at 11 (Section 3.5). It further states that after the termination of the agreement, such information may only be retained as permitted by the PCI DSS. Id.