Song-Beverly Credit Card Act Does Not Apply To Online Credit Card Sales
To download a PDF of this Alert, click here.
In a case decided on January 5, 2009 (Saulic v. Symantec Corp.), the U.S. District Court for the Central District of California held that the Song-Beverly Credit Card Act (the “Act”) does not apply to online transactions due to the plain-language of the Act and the merchant’s reasonable need for personal information due to concerns of fraud.
The Act is intended to protect consumer privacy rights by restricting the type of information which retailers can request from consumers in connection with credit card transactions. At the same time, the Act also makes it difficult for retailers to collect information from their customers that could help them provide services and goods on a competitive basis. In particular, the restrictions imposed by the Act do not address the manner in which online transactions are affected, and online merchants have raised concerns that they may violate the act unwittingly.
Background – Restrictions on Gathering Personal Identification Information
The Act provides in part that retailers shall NOT do any of the following:
(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
(3) Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.
Under the Act, “personal identification information” is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
The Act’s prohibition makes it difficult for a retailer to include customers in mailing lists, since the most natural time to get information from a customer is at the time of sale. Some parties have suggested that the Act prohibits a retailer from collecting general, non-specified information. Online merchants are uniquely impacted because of the need to use identifying information in order to validate transactions using forms which, on their face, could violate the Act. Additionally, online merchants often request information in order to add customers as registered users to facilitate transactions and to create a more effective online experience.
Penalties for Violation
The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred. The result has a been a steady rise in the number of class action lawsuits brought against retailers.
Symantec Case – Online and “Brick and Mortar” Transactions Differ
On January 5, 2009, the U.S. District Court for the Central District of California clarified that the Act does not apply to transactions conducted over the internet.
In Symantec, the plaintiff claimed that consumer credit card transactions are covered by the Act regardless of whether they occur in “brick-and-mortar” stores or over the internet. In making its arguments before the court, the plaintiff analogized to cases where the Americans with Disabilities Act was held to apply to both brick-and-mortar stores and web sites.
The court rejected this argument, finding that the purpose of the Act was to prohibit information misuse for marketing and holding that an expansion of its protections to online transactions was not justified. The court also found that the plain-language and legislative history of the Act indicated that it was specifically designed to apply to brick-and-mortar transactions.
Further, the court pointed to key differences between in-store and online transactions that allow merchants to confirm the legitimacy of credit card transactions. For example, in brick-and-mortar stores, merchants can compare the signature on the receipt with the signature on the card or they can request to see photo identification. Since these options are not available online, the court found it sensible to allow merchants to request personal information in connection with online transactions.
Zip Codes, Return Transactions, and Other Exceptions
On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that zip codes did not fall within the definition of “personal identification information.” As discussed in our January Client Alert this ruling allowed retailers to request zip code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.) and the customer is not required to give this information in order to consummate the transaction.
Another important exception to the Act is that it does not apply to a refund for the return of merchandise purchased by credit card. See Absher v. Autozone, Inc. et al. (2008). In Absher, the California Court of Appeal reasoned that the term “credit card transaction” only applied to purchase transactions and did not apply to return transactions.
The court found that personal information may be necessary to verify that a return transaction was legitimate, in case the retailer needs to contact the customer following the return, and to prevent cases of employee fraud. As discussed above, the Symantec court similarly used arguments about fraud prevention to justify its decision to allow personal information to be collected in online transactions.
Retailers can also collect personal information, as long as it clearly is not requested or required as part of a credit transaction. This can require careful planning and training of sales associates to ensure that appropriate standards are established and implemented.
Suggested Actions
JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.
Please contact Robert E. Braun at 310-785-5331 or rbraun@jmbm.com with any questions regarding this information.