Point of Sale Data Collection Litigation – An Overview and Future Directions
California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the early 1990s, but are now being applied to retail practices that could not have been contemplated at the time the statutes were enacted. For instance, plaintiffs have sued under these laws to address modern retail practices, such as rewards or customer loyalty programs, e-receipts, unmanned kiosks, and the collection of ZIP codes for CRM purposes. Plaintiffs have also argued – unsuccessfully so far in California under the Song-Beverly Credit Card Act – that these laws apply online. Litigation under these laws is increasing, following consumer-friendly decisions from the California and Massachusetts high courts. This article provides an overview of the current state of the law on point of sale data collection laws, including recent and pending litigation, and makes predictions regarding where the law is heading. What Information Is Covered by These Statutes?
State laws can broadly be classified into two camps: those that broadly restrict the collection of “personal identification information” (or similar terms) (“PII”), such as the California and Massachusetts laws,[1] and those that restrict the collection of specific categories of information, such as the District of Columbia law, which applies only to addresses and phone numbers.[2]
Unfortunately, it is not always clear what specifically is covered by these statutes. For instance, before the California Supreme Court and the Massachusetts Supreme Judicial Court decided otherwise,[3] reasonable minds may have believed that ZIP codes were not PII because that information, standing alone, could not identify a person individually. Even today, that is not a foregone conclusion in other states where litigation has not addressed the meaning of this undefined term.[4] Furthermore, in the jurisdictions that restrict the collection of specific categories of information like an “address,” there is no judicial guidance on whether an email address or a ZIP code is within the scope of the statutes.[5] Because there presently is no case law on these statutes outside of California and Massachusetts, retailers may wish to consider all possible outcomes before collecting information from customers.
What Conduct Is Covered by These Statutes?
There is substantial variance in the specific conduct that is prohibited by these statutes. For example, the California statute prohibits a retailer from requesting or requiring a customer to write personal information, and from recording personal information that the customer provided, as a condition of accepting a credit card.[6] Other states use similar – although sometimes different – language, and some also prohibit a retailer from causing information to be written.[7] While California prohibits a retailer from recording information anywhere as a condition of completing a transaction, other states simply prohibit recording information on a “transaction form.”[8] But what is a “transaction form” in the era of computerized point of sale systems? (Remember, these statutes were drafted in the early 1990s.) So far only the Massachusetts Supreme Judicial Court has weighed in, holding that the statutory term “transaction form” applies both to electronic and paper forms, but that it is a factual question whether a particular electronic form qualifies.[9]
Due to the wide variability of the precise conduct covered by these statutes, a close reading of each state statute is necessary when considering the collection of personal information in connection with a sale. Minor nuances may have a substantial impact on whether a retailer’s conduct is likely to comply with these laws, such as the time of the request,[10] the nature of the request,[11] or even the method of data entry.[12]
Transaction Types
It is clear that the California statute and other state laws apply to in-store purchases in many circumstances. However, several cases have addressed the applicability of these statutes outside the scope of traditional face-to-face transactions at a cash register:
In-Person Transactions with E-Receipts. Electronic receipts have been an option at some retailers for several years now.[13] In October 2013, a United States District Court in California addressed a retailer’s practice of requesting an email address to send an e-receipt in connection with a motion to dismiss a claim under California’s statute.[14] The court ruled that an email address is PII, but noted that future factual development was necessary to determine whether sending an electronic receipt qualifies for the “special purpose” exception under the California statute. As the first case to address a growing retail practice, Capp has the potential to set precedent in this area.
Online Transactions. In 2013, the California Supreme Court ruled that California’s law does not apply to online transactions for a downloadable product.[15] However, the court declined to address whether the law applies to other kinds of “transactions that do not involve in-person, face-to-face interaction between the customer and retailer,” such as online transactions for a physical, shipped product. Some cases from California federal courts, however, have concluded that the law does not apply such transactions.[16] On January 30, 2014, the California Senate passed S.B. 383, which would restrict the collection of personal information during the sale of an electronic downloadable product; but as of the date of publication, this bill is still pending before the California Assembly.
Kiosk Transactions. One federal court has ruled that the California statute does not apply to unmanned kiosk transactions, although that decision is currently on appeal before the Ninth Circuit.[17]
Other Transactions. Litigation has not addressed whether the California statute applies to mail order or telephone transactions, an issue left undecided by Apple. Gas station pay-at-the-pump transactions that collect ZIP codes solely for the prevention of fraud, theft, or identity theft, were exempted from the scope of the statute by legislative amendment in 2011. See Cal. Civ. Code § 1747.08(c)(3)(B).
Future Directions: Unexplored Issues and Questions
Several issues and potential defenses have not yet been fully addressed in litigation. It will be interesting to watch the development of the law, particularly on these points:
Special Purpose Exception. Certain state statutes include a potentially broad exception, such that the collection of personal information is permissible if it is collected for an incidental “special purpose.”[18] Some federal courts have concluded that a rewards program qualifies for the “special purpose” exception under certain circumstances.[19] However, no court to date has ruled whether an electronic receipt option qualifies as a “special purpose.”[20] Although not helpful for marketing purposes, fraud prevention has also been held to fall within the scope of this exception.[21] The special purpose exception may be broad enough to encompass other use cases.
Contractual Obligation Exception. The California statute includes an exception that permits information collection if the merchant is “contractually obligated” to provide information to complete a transaction.[22] This exception is unexplored by the courts.
Unmanned Kiosk Use & Self-Checkouts. Although the Mehrens court concluded that unmanned kiosks are not covered by the California statute, currently no case law has addressed what makes a kiosk “unmanned” or whether the California statute applies to a self-checkout solution present in a retail store.
Online Transactions Completed In Person. Cases also have not addressed if there is a meaningful difference between online transactions with products delivered by a common carrier, versus online transactions that are picked up by the customer in a retail store. On the one hand, the same anti-fraud concerns apply to these transactions to the extent that payment is not handled by a live person; but a court could also conclude the existence of an in-store component means that the laws should apply.
Statutory Scope. In the jurisdictions that restrict the collection of only certain categories of information like an “address,” a natural question is, what is an address? Do email addresses or ZIP codes qualify?
Developing a Corporate Policy
Retailers collecting personal information from customers should keep these laws in mind. Complying with all sixteen statutes can be tricky, but it is critically important. Recent settlements in class action cases have ranged from high six-figures to low seven-figures.[23] In some states, criminal enforcement is possible.[24]
Thus, a retailer may wish to develop a comprehensive strategy targeted at compliance with these point of sale data collection laws. A written policy may also enable a retailer to argue for applicability of the “safe harbor” for unintentional violations that exists in some of the state statutes.[25] However, it is also worth noting that some retailers have been able to avoid class certification under the California statute precisely because of the non-uniform nature of requests for information.[26]
Class action litigation is picking up in Massachusetts following the Supreme Judicial Court’s ruling that the Massachusetts law applies to ZIP codes and that the “transaction form” language is no barrier to suit against retailers using modern point-of-sale systems.[27] A case has also been filed in the District of Columbia.[28]There appears to be no reason why litigation will not eventually be brought in other states with similar laws. Accordingly, retailers that already collect personal information at the point of sale may wish to revisit their current practices, and retailers that wish to commence information collection should consider these laws thoroughly before implementing a new program.
[1] Cal. Civ. Code § 1747.08; Mass. Gen. Laws ch. 93, § 105.
[2] D.C. Code § 47-3153.
[3] Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (Cal. 2011); Tyler v. Michaels Stores, 984 N.E.2d 737 (Mass. 2013).
[4] See, e.g., N.Y. Gen. Bus. Law § 520-a(3). To date, no case law has been decided under the New York statute.
[5] The plaintiff in Hancock v. Urban Outfitters, however, alleges that a ZIP code is an “address” because a ZIP code is part of an address. A motion to dismiss has been fully briefed since September 2013 and is pending decision. No. 13-cv-00939 (D.D.C. June 21, 2013).
[6] Cal. Civ. Code § 1747.08(a)(1).
[7] See, e.g., Mass. Gen. Laws ch. 93, § 105(a).
[8] See, e.g., N.Y. Gen. Bus. Law § 520-a(3).
[9] Tyler v. Michaels Stores, Inc., 984 N.E.2d 737, 747 & n.22 (Mass. 2013).
[10] For instance, a consumer may perceive a request for information to be a requirement if the request is made before ““the transaction has reached an official end.” See Davis v. Devanlay Retail Group, Inc., 2012 WL 6589204, *4 (E.D. Cal. Dec. 17, 2012).
[11] The court in Gass v. Best Buy Co., Inc., for instance, listed a “continuum of business practices” to give examples of conduct that violates or complies with the California statute. See 279 F.R.D. 561, 570-71 (C.D. Cal. 2012).
[12] In some states, for instance, the law prohibits a retailer from recording information, but does not plainly prohibit the merchant from asking the customer to record the information, e.g., by having the customer enter the information on a keypad or tablet. The counterargument, of course, is that by having the customer enter the information and storing it, the retailer thereby recorded it.
[13] See Andrew Hoffman, Emerging Electronic Receipt Option Requires Creative Thinking for Retailers Under State Law, 16 Cyberspace Lawyer, at 1, 4 (Nov. 2011).
[14] Capp v. Nordstrom, Inc., No. 13-CV-00660, 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013).
[15] Apple, Inc. v. Superior Court, 56 Cal. 4th 128 (Cal. 2013).
[16] See Ambers v. Buy.com, Inc., 2013 WL 1944430 (C.D. Cal. Apr. 30, 2013); Saulic v. Symantec Corp., 596 F.Supp. 2d 1323, 1336 (C.D. Cal. 2009) (concluding categorically that the California statute does not apply to online transactions, in a case involving a downloadable product).
[17] Mehrens v. Redbox Automated Retail LLC, 2012 WL 772200 (C.D. Cal. Jan. 6, 2012). On appeal in the Ninth Circuit, the case is styled Sinibaldi v. Redbox Automated Retail LLC, No. 12-55234.
[18] For example, the California statute does not apply if personal information is “required for a special purpose incidental but related to the individual credit card transaction.” The California statute includes a nonexclusive list of examples – “information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” Some other state statutes also have a similar exception.
[19] See Dean v. Dick’s Sporting Goods, Inc., 2013 WL 3878946 (C.D. Cal. July 26, 2013); Gass v. Best Buy Co., Inc., 279 F.R.D. 561 (C.D. Cal. 2012).
[20] Cf. Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D. Cal. Oct. 22, 2013) (stating that further factual development is necessary before it is possible to determine whether an electronic receipt option qualifies for the “special purpose” exception).
[21] See Flores v. Chevron U.S.A., Inc., 217 Cal. App. 4th 337 (Cal. Ct. App. 2013), which addressed the collection of ZIP codes during a pay-at-the-pump transaction. Although the California legislature amended the statute to exempt these transactions after the litigation was initiated, the court declined to address whether the amendment merely clarified existing law or applied retroactively, and instead ruled that the collection of a ZIP code during a pay-at-the-pump transaction was an anti-fraud measure that qualified for the “special purpose” exception. Id. at 340 n.2, 341.
[22] Cal. Civ. Code § 1747.08(c)(3)(A).
[23] See, e.g., Lance Duroni, Michaels Stores Settles ZIP Code Collection Suit, Law360 (Feb. 12, 2014), http://www.law360.com/privacy/articles/509620 (reporting a preliminary approval of an $875,000 settlement in Massachusetts litigation); Lance Duroni, OfficeMax Gets Go-Ahead for ZIP Code Collection Settlement, Law360 (Nov. 14, 2013), http://www.law360.com/privacy/articles/488794 (reporting approval of a $600,000 settlement in California litigation); Andrew Scurria, Lululemon Exits ZIP Code Collection Suit With $25 Credits, Law360 (Nov. 7, 2013), http://www.law360.com/privacy/articles/487046 (reporting approval of a $505,000 settlement in California litigation); Juan Carlos Rodriguez, Wal-Mart Pays $1.1M To Settle Suit Over Credit Card Records, Law360 (May 28, 2013), http://www.law360.com/articles/445086 (reporting approval of a $1.1 million settlement in California litigation).
[24] See, e.g., Del. Code tit. 11, § 914.
[25] See, e.g., Cal. Civ. Code § 1747.08(e); N.Y. Gen. Bus. Law § 520-a(3); but see Romeo v. Home Depot U.S.A., Inc., No. 06CV1505, 2007 WL 3047105 (S.D. Cal. 2007) (concluding that the exception did not apply under the facts of that case).
[26] See, e.g., Gossoo v. Microsoft Corp., 2013 WL 5651271, *4 (C.D. Cal. Oct. 9, 2013) (finding that class certification was inappropriate when the “evidence show[ed] that the customers in plaintiff's proposed class had a variety of materially different experiences” at the point of sale); Rothman v. General Nutrition Corp., 2011 WL 6940490, *6 (C.D. Cal. Nov. 17, 2011) (holding that class certification was inappropriate, in part, because the evidence suggested that there was no uniform policy with respect to requesting ZIP code information that was applied in a uniform manner).
[27] See, e.g., Complaint, Christensen v. Apple, Inc., No. 14-cv-10100 (D.Mass. Jan. 15, 2014); Complaint, Alberts v. Petsmart, Inc., No. 13-cv-12261 D.Mass. Sep. 12, 2013); Rich v. Lowe’s Cos., Inc., No. 13-cv-30144 (D. Mass. Aug. 7, 2013).
[28] Complaint, Hancock v. Urban Outfitters, No. 13-cv-00939 (D.D.C. June 21, 2013).