Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

Online Retailers Can Collect Personal Data Under Song-Beverly Where Products Downloaded, Says California Supreme Court

California State FlagOn February 4, 2013 a sharply divided California Supreme Court held in Apple, Inc. v. Superior Court (Case No. S199384) (“Apple”) that the Song-Beverly Credit Card Act (the “Act”) does not apply to online purchases in which products are downloaded.  The Act prohibits retailers from requesting or requiring consumers to provide personal identification information (“PII”) that is written or recorded on the credit card transaction form or otherwise and has given rise to numerous class actions against retailers who asked consumers to provide PII including their ZIP codes when making a purchase paid for with a credit card.  In Pineda v. Williams Sonoma Stores, Inc., 51 Cal. 4th 524 (2011) the California Supreme Court concluded that a ZIP code constitutes PII within the meaning of the Act, so that a retailer was forbidden from requesting or recording such information.

Class actions alleging a violation of the Song-Beverly Credit Card Act have targeted not only traditional “brick-and-mortar” retailers like Williams Sonoma but also online retailers.  In Apple the consumer alleged that he had been required to provide his address and telephone number as a condition of accepting his credit card as payment for an electronic download via the Internet in violation of the Act.  However, four of the seven justices held in the majority opinion that the Act did not apply to such a transaction.

Analyzing the text of the Act, including statutory exceptions to the ban on collecting PII, the majority noted that the provision in question was adopted in 1990, prior to online commercial transactions becoming widespread, so that there was no express statement by the Legislature as to whether online transactions were included or not.  Since the plain meaning of the Act’s  text was not decisive, the majority looked at the entire statutory scheme, including the protection of consumer privacy balanced by the desire to avoid exposing consumers and retailers to undue risk of fraud.

The majority opinion noted that an online retailer, unlike a brick-and-mortar retailer, cannot inspect the credit card or the customer’s photo identification.  The majority held that the Legislature could not have intended that the Act would ban the collection of PII by online retailers selling electronically downloadable products to protect against credit card fraud.  Most importantly, the majority opinion noted that no decision was being made regarding the applicability of the Act to online transactions not involving electronically downloadable products or to mail order or telephone order transactions where the credit card of the consumer was not physically present.  The majority invited the Legislature, should it wish, to revisit the issue of consumer privacy and fraud prevention in online credit card transactions.

Two vigorous dissenting opinions took issue with the majority’s analysis, expressing concern that the Act’s “robust” consumer protection “is now largely relegated to the dust heap” and that online retailers will be “free to collect and use the personal information of credit card users as they wish.”  One can expect further legal battles over the reach of the Act in online commercial transactions not involving downloadable products, as well as in mail or telephone order transactions.  Given the narrow scope of the ruling and the divided Court, the California Legislature may also take action to address unanswered questions regarding the scope of the Act, as it previously did in 2011 to insulate gasoline retailers from liability for using ZIP codes to prevent fraud in “pay-at-the-pump” transactions (CA Civil Code Section 1747.08(c)(3)(B)).