California Privacy Laws Don’t Protect Consumers Online
The California Supreme Court ruled last week that online retailers of electronically downloaded goods may seek personal information from customers who use credit cards, bypassing privacy restrictions placed on physical stores.
The ruling came after a lawsuit was filed against Apple for asking for address information from customers who purchased music from iTunes.
Under most circumstances, vendors in California cannot record any personal identifying information beyond what is required to complete a credit card transaction. According to the Song-Beverly Credit Card Act of 1971, “Merchants cannot request or require that the consumer write any personal information, including address and telephone number, on any form associated with the credit card transaction when the consumer uses a credit card to pay for goods or services.”
Normally the vendor can take information such as an address only if there is another relevant reason, such as the customer wanting the item shipped.
In 2011, the legislature updated the law so gas stations could request ZIP codes from people who use credit cards to pay at the pump, in order to add a layer of fraud security.
Despite the law, both brick-and-mortar and online stores had been asking for address information from customers to complete transactions. A 2011 state Supreme Court decision ruled that ZIP codes weren’t necessary at physical stores, after Williams Sonoma was sued for using ZIP codes to figure out customer addresses and send them unsolicited catalogs. A number of lawsuits followed against other retailers, including the class action against Apple.
Privacy vs. Fraud Protection
A key point the judges noted is that in a face-to-face interaction, the merchant can ask for customer identification at the point of sale to verify that the name matches that on the credit card, as long as they don’t record any of the ID data. Online retailers lack a similar opportunity to check ID.
“While it is clear that the Legislature enacted the Credit Card Act to protect consumer privacy, it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud,” the majority opinion reads.
The court decision does not exempt Internet retailers from the Song-Beverly Act; rather, the judges ruled that the privacy law doesn’t apply to those particular transactions at all. Still unclear is what the recent changes could mean for telephone transactions, physical goods purchased online, or other sales where the buyer and the vendor don’t actually meet face-to-face.
The state Supreme Court has yet to rule on two other similar cases, involving Ticketmaster and eHarmony, and could issue a decision that applies more broadly to Internet or other non-face-to-face transactions. Alternatively, the state legislature could amend the law again to clarify when information could be collected and for what purposes.
Christine A. Scheuneman and Amy L. Pierce of Pillsbury Law, who have closely followed the challenges to the Song-Beverly Act, spoke to Lawyers.com about the implications of the judges’ decision, and what could come next.
A major factor in the unfolding story is how courts interpret laws enacted prior to the invention of technologies that they are now being used to govern.
“We’re dealing with a law that had been amended in 1990 before there was a public Internet,” says Scheuneman. “There could not have been contemplation of this type of situation in the legislative history because it didn’t exist at the time.”
As technology changes and evolves, courts and lawmakers both have to adjust to figure out how old law can apply, or what new law is required. “This area of law is developing rapidly,” Pierce says. “There’s a question of whether the legislature will get involved in the short term.”
For the moment, customers and retailers will have to await more action before there is clarity on exactly what information can be asked for.
“It’s an open question at this point in time as to whether information can be collected and what sort of information can be collected,” Scheuneman says. “There’s no bright line at this moment.”