Testimony of the Retailers Association of Massachusetts

Jon Hurst, President,
Bill Rennie, Vice President
Erin Trabucco, General Counsel

Before the Joint Committee on Consumer Protection and Professional Licensure
May 12, 2009

 
RE: S.173, An Act Ensuring the Privacy of Certain Data
 H.239, An Act Relative to Consumer Gift Cards
 H.3865, An Act Relative to Gift Certificates
 H.3870, An Act Further Regulating the Sale of Gift Certificates
 S.142, An Act Relative to the Use of Radio Frequency Identification Systems

         
The Retailers Association of Massachusetts (RAM), established in 1920, is a statewide trade association of over 3,000 retail and restaurant member companies.  Our membership ranges from independent “mom and pop” retailers to larger national retail chains.  The retail industry's contributions to the Commonwealth include over $100 billion in annual sales; $4 billion in annual sales and use taxes; 18% of Massachusetts jobs; and operations in over 40,000 locations across the state.

On behalf of the Retailers Association of Massachusetts, we respectfully ask the Committee to support S.173, An Act Ensuring the Privacy of Certain Data. 

S.173 addresses several concerns the business community has with 201 CMR 17.00.  The regulation, which will be extremely costly for businesses, went far beyond the legislative intent of M.G.L. Chapter 93H.  RAM continues to believe that this regulation is unnecessary and costly.  It is important to remember that consumers continue to be protected financially by employers from the criminal acts of ID theft, and the statute gives consumers and businesses alike the protective tools to fight the crime.  Yet, state standards on how the data is protected will create a heavy financial burden - $300 million in initial costs for small businesses alone under the Administration's impact statement.  

This legislation prohibits the Office of Consumer Affairs and Business Regulation (OCABR) from mandating a specific technology or technologies, or a specific 
method for protecting personal information.  The current regulation requires businesses to encrypt personal information.  No one doubts the importance of moving towards encrypted data when personally identifiable information is involved.  Yet no one—large or small—can get there overnight.  Small businesses, large businesses, non-profits, and taxpayer funded institutions, all purchase computer equipment, software, and point of sale systems as economics allow. New systems would certainly be encrypted, but not systems purchased even just a few years ago. For the state to require an immediate investment in totally new systems in order to fight criminal acts perpetuated against all of us, represents an unfair financial burden for any business, particularly in bad economic times. 

Moreover, there is a difference between encrypting laptops and PCs so that information contained in files stored on laptops and PCs may not be accessed inappropriately and sending an individual email that is encrypted with a digital certificate so that the email is unreadable over the public network.  The requirement of universal encryption of files transmitted over public networks or wirelessly presents special problems that no company, regardless of its size or resources can presently solve.  Companies frequently communicate with their retail customers by email, and those communications are likely to contain personal information.  In order for encryption to work, each customer would have to apply compatible encryption software on their personal computer.  It is simply not possible for different companies to require different encryption software of customers in order to communicate with them. 

RAM strongly believes that it is not in the best interest of businesses or consumers to require a specific type of technology to guard personal information.  By giving businesses flexibility as to how they protect personal information, technology will be able to evolve beyond today's encryption capabilities to best protect personal information. 

Additionally, S.173 directs the OCABR to take into account the person's size, scope and type of business and the amount of resources available to such persons.  Consumers and employers alike have taken a beating over the last year, from declining home values, rising energy and food prices, to the recent crashing of 401(k)'s.  With consumer confidence down, retailers have been hit particularly hard.  To allocate what money and resources they have left to attempt compliance with the current regulation will significantly impact their ability to best serve their customers and recover from the losses they have seen over the past few months.

Lastly, this legislation deems persons in compliance with federal laws, rules, regulations, guidance or guidelines safeguarding personal information to be in compliance with Ch.93H.  Many different industries have standards in place for protecting personal information.  These standards are specific to the types of entities they cover.  Many of these standards are very stringent and how been very effective in protecting against identity theft.  RAM firmly believes that industries should be deemed in compliance of Ch.93H if they are in compliance with their industries standard.  RAM respectfully asks the Committee for a favorable report on S.173.

RAM opposes H.239, H.3865 and H.3870 concerning Gift Cards and Certificates 

H.239, H.3865 and H.3870 all require sellers of gift certificates to deposit funds into an escrow account or trust.  There is a high cost to offering a gift card service, but small businesses are doing it because of consumer demand.  It is always done by an outside processor, which charges monthly fees, card acquisition costs, and transaction fees.  Already high for small businesses, those costs will go up dramatically with this bill.  Sellers do not have the name of the buyer—let alone the name of the ultimate receiver of the card.  Thus it is not like stocks, bonds, bank accounts--you don't know the “rightful owner” to whom the state should attempt to return money; and thus this concept could easily be viewed as nothing more than a money grab from local businesses.  There are also important privacy and convenience issues at stake here for the consumer; as well as high costs and red tape for the sellers.  Gift cards are popular, but they are redeemed quickly and usually for more than the face value.  In addition, there has been an industry trend for the cards to be good forever, with no fees.  So why grab the money away from consumers and businesses, when they are good forever? 

Additionally, H.239 seeks to allow consumers to redeem the remaining $10 of a gift card for cash.  This bill does not reflect the changes made to our gift card law just last session.  Effective as of June 9, 2008, a consumer may to elect to receive the balance in cash on a reloadable card once the balance falls below $5.00.  For those cards that are non-reloadable, a consumer may elect to receive the balance in cash once the card has been redeemed for 90% or more of its original value.

The gift card law in Massachusetts has been updated three times over the past decade.  Changes were made to the law as recently as last year.  A good law is in place.  Moreover, federal court cases have ruled that states do not have the ability to regulate bank issued cards, thus the effect of any change in state gift card law affects only local employers and businesses and not the bank issuers. Let's let the currently amended law work a while, instead of once again changing the rules for local businesses and consumers alike.  RAM respectfully asks the Committee for an “ought not to pass” on H.239, H.3865 and H.3870.   

We urge the Committee to oppose S.142, An Act Relative to the Use of Radio Frequency Identification (RFID) Systems. 

This legislation, which proposes to regulate and implement restrictions on the use of RFID systems in a retail environment, is unnecessary and has the potential to be very harmful to a developing technology that will lead to lower prices and better service for all consumers.  The expected long term consumer benefits of electronic product code (EPC) and RFID technology are numerous and will save millions of dollars in the future; however, the technology is still in the early stages of development and testing.  The up-front costs and infancy of the technology are significant barriers for the retailing industry, making full scale implementation years away. 

RFID is the term used for technologies that use radio waves to automatically identify items.  Generally, a unique number, or EPC, that identifies a product is stored on a microchip that is attached to an antenna which then can transmit information to a reader.  The Massachusetts Turnpike's Fast Lane electronic toll collection system is a good example of EPC/RFID technology in use.  In the future, the EPC will be an important tool in the ongoing effort to thwart organized retail theft and counterfeited products, allowing retailers to track products as they move through the inventory supply chain.  However, the fact that the technology is still essentially years away on a widespread, individual product and consumer level basis makes state regulation and legislation premature at this time.

RFID technology is a home grown product, being developed right here in Massachusetts.   We must be mindful of the fact that any legislative or regulatory barriers imposed could send the wrong message to companies developing this new technology, possibly negatively impacting our local economy. 

Consumer privacy issues are at the forefront of discussions surrounding the development of RFID and EPCglobal, an industry sponsored standards organization, is leading that effort.  Guidelines to address various issues including those relating to consumer notice and education are in place for all companies implementing EPC and RFID systems.  Guidelines include requiring that consumers be given clear notice of the presence of EPC on products or their packaging through a logo or identifier; consumers be informed of the choices to discard or remove (or in the future disable) EPC tags from products; consumers be provided with easily obtainable and accurate information about EPC and its applications; and that EPC does not contain, collect or store personally identifiable information.  As with conventional barcode technology, data associated with EPC will be collected, used, maintained, stored and protected in compliance with applicable laws. 

RAM respectfully urges the Committee to give this legislation an unfavorable report. 

Thank you for your consideration.