Collecting Customer Information Online: California Court Rules Song-Beverly Credit Card Act Inapplicable to Online Retailers

Collecting Customer Information Online

California Court Rules Song-Beverly Credit Card Act Inapplicable to Online Retailers

Robert E. Braun, Esq.

On August 24, 2011, the California Superior Court for San Francisco County held in Gonor v. Craigslist Inc. that the provisions of the Song-Beverly Credit Card Act, California Civil Code § 1747 et seq. (the “Act”) prohibiting retailers from collecting a consumer’s personal information as a condition to completing a credit card transaction do not apply to online transactions. This was the first time a California state court has ruled on the application of the Act to online merchants, and it sheds light on many questions which were previously subject to speculation.

As previously discussed in our January 2009, March 2009 and February 2011 client alerts, the Act is intended to protect consumer privacy rights by restricting the type of information which retailers can request from consumers in connection with credit card transactions. At the same time, these restrictions make it difficult for retailers to collect information from their customers that could help them provide services and goods on a competitive basis.

Background. The Act provides in part that retailers shall NOT do any of the following:

  1. Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
  2. Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
  3. Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder. See Cal. Civ. Code § 1747.08(a).

Under the Act, “personal identification information” is “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

Penalties for Violation. The penalties for violating the Act can be significant, and can include a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation. The fines can be assessed and collected in a civil action, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred.

Court Decisions. Courts have actively interpreted what does, and what does not, constitute personal identification information. On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal held that ZIP codes did not fall within the definition of “personal identification information.” This ruling allowed retailers to request ZIP code information prior to a credit card transaction provided that such information is not requested in connection with other personal information (i.e., name, phone number, address, etc.) and the customer is not required to give this information in order to consummate the transaction. On February 10, 2011, however, the California Supreme Court reversed Party City and held in Pineda v. Williams Sonoma that ZIP codes should be considered to be personal identification information under the Act.

These rulings dealt with physical, in-store transactions, and did not directly address the January 2009 holding of the U.S. District Court for the Central District in Saulic v. Symantec Corp. that the Act does not apply to online transactions due to the plain-language of the Act, and the merchant’s reasonable need for personal information to prevent fraud.

Because of the gap between the state and federal court rulings, a large number of online national retail chains operating in California have been hit with lawsuits, including Craigslist.com, Ticketmaster.com, Amazon.com, PayPal.com and StubHub.com, raising questions as to whether the Symantec decision would be upheld in state court. The court’s ruling in Craigslist offers good news for retailers and suggests that California state courts, like the federal district court in Symantec, will agree that the restrictions of the Act do not apply to online transactions.. In Craigslist, the court held that the Act did not apply to online transactions “on its face” and turned to applicable case law, legislative intent and public policy to support its position.

Although this decision is good news for online businesses and website operators, the Craigslist case is a trial court decision only, and there remain a number of other cases pending in state and federal courts which leave the door open for future challenges to the distinction between “online” and “brick-and-mortar” retailers. Suffice it to say, consumer advocacy groups will be monitoring these decisions as they unfold. As importantly, while online transactions are increasingly important to merchants, it is clear that Craigslist applies only to online transactions, and merchants must continue to follow the restrictions imposed by the Act for face-to-face, in-store purchases.

Suggested Actions. JMBM represents many retailers, and we strongly recommend that our clients implement written policies and procedures that comply with the aforementioned requirements of the Act. We would be happy to assist you if you require additional information on these recent developments, the Act or preparing policies and procedures.

Please contact Robert E. Braun at 310-785-5331 or rbraun@jmbm.com with any questions regarding this information.