California Supreme Court: Online Sales of Downloadable Products Not Covered by Song-Beverly Credit Card Act
The California Supreme Court ruled this week in a 4-3 decision that an online retailer may request personal information when selling a downloadable product. See Apple, Inc. v. Superior Court, Case No. S199384 (Cal. Feb. 4, 2013). This decision, interpreting the Song-Beverly Credit Card Act of 1971, Cal. Civ. Code § 1747.08 (the "Credit Card Act"), is a sensible limitation of the Act, which, to date, has been read expansively by California courts. However, by its own terms, the decision only applies to downloadable products, not to online purchases of physical goods. Thus, the question of whether the Credit Card Act applies to online sales of physical goods remains to be answered. Background
The Credit Card Act prohibits retailers from requesting or requiring as a condition of accepting a credit card that a consumer "write any personal identification information upon the credit card transaction form or otherwise." This statute was generally viewed as restricting retailers' ability to collect information at the point of sale for marketing purposes (such as a phone number or mailing address). However, that common view was shattered by the California Supreme Court’s 2011 decision in Pineda v. Williams-Sonoma Stores, Inc. that even a ZIP code is "personal identification information" under the statute -- and therefore it cannot be collected at the point-of-sale. Pineda prompted a swath of class action lawsuits challenging the then-common practice of requesting a consumer's ZIP code at the point of sale, and prompted the legislature to amend the Credit Card Act to permit gas stations to collect ZIP codes during pay-at-the-pump transactions.
Given the broad construction that the court gave to the Credit Card Act in Pineda, it is pleasantly surprising to see the court conclude in Apple that online transactions are not covered by the statute. The Apple case arose from the plaintiff's iTunes purchases, which required the provision of a telephone number and address to complete the credit card purchase. The plaintiff brought a putative class action against Apple, claiming that by requiring this information, Apple violated the Credit Card Act. After Apple's attempts to have the case dismissed were rejected at the trial and intermediate appellate levels, the California Supreme Court granted review.
The Majority Opinion
The majority opinion first noted that the Credit Card Act does not explicitly refer to online transactions. Although Apple argued that the statute's use of the terms "write" and "credit card transaction form" demonstrates that the statute only applies to in-person transactions, the court rejected this argument, concluding that "it does not seem awkward or improper to describe the act of typing characters into a digital display as 'writing' on a computerized 'form.'" Despite this possible interpretation, the Court concluded that the "plain meaning of the statute's text is not decisive."
The court next turned to the legislative history of the Credit Card Act, which it had previously addressed in Pineda. The court recast its view of the underlying purpose of the Credit Card Act, which it stated in Pineda was to protect privacy, adding that "it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud."
With its newfound focus on fraud prevention, the court noted that with brick-and-mortar transactions, collection of personal information was not necessary for fraud prevention because the retailer has means to verify a customer's identity (such as comparing the signed credit card with the signature on the transaction slip or inspecting a photo ID card). In contrast, no such mechanisms are available for online transactions. Thus, the court concluded that because the Credit Card Act "provides no means for online retailers selling electronically downloadable products to protect against credit card fraud," the legislature "could not have intended [the Credit Card Act] to apply to this type of transaction."
The court also noted that the California legislature knows how to regulate online privacy if it chooses, citing CalOPPA, which requires companies to conspicuously post a website online privacy policy under many circumstances. The court also speculated that the existence of CalOPPA, combined with the federal TCPA, may provide sufficient online privacy protections, such that the California legislature might have deemed it unnecessary to amend the Credit Card Act to apply online. Nevertheless, the court invited the California legislature to revisit the issue if it so chooses.
The Dissenting Opinions
Two dissenting opinions were also filed. Justice Kennard (joined by Justice Baxter and Judge Jones of the First Appellate District, sitting by designation) would have found that the statute applies to online transactions simply because it included no exemption for such transactions. The dissent also argued that no significant difference exists between an internet purchase versus a mail or telephone purchase because in all cases, the card is not physically present and the seller has limited ways of confirming the buyer's identity. Justice Kennard argued that a retailer could collect a drivers' license number for fraud prevention purposes, or seek contractual obligations from a payment processor, merchant bank, or card issuer to collect personal information.
Justice Baxter's separate dissent echoed many of the points raised in the former dissent, but it also argued that the majority's opinion is based on two flawed assumptions. First, according to Justice Baxter, "neither Pineda nor the legislative history itself mentions a legislative intent to protect retailers from undue risk of fraud" Second, given the posture of the case, there was nothing in the record from which the majority could conclude that cardholder addresses and telephone numbers are necessary to combat online fraud and identity theft. Justice Baxter also criticized the court for citing CalOPPA, which only requires the disclosure of privacy practices: "disclosure requirements do nothing to restrict an online retailer's use of a consumer's personal identification information; nor do they prevent the sharing or sale of such information."
Commentary & Analysis
The Apple opinion may bode well for online retailers. Under Apple, those that sell online downloadable products are free to collect personal identification information without restriction by the Credit Card Act. But the Apple opinion explicitly does not address online retailers that sell physical goods -- so it remains unresolved whether online merchants that ship physical goods are prohibited from requesting or requiring personal information to complete a transaction.
However, given several of the comments in the opinion (e.g., that online merchants do not have the same fraud prevention measures available as brick-and-mortar retailers), it seem reasonable to conclude that the court would reach a similar conclusion for online retailers selling physical goods. But decisions aren’t always predictable in California (as we saw with Pineda). Moreover, there is always a risk that the legislature may amend the statute to apply to online transactions. Until then, online retailers may wish to breathe a sigh of relief until the next big privacy liability crisis comes to light in California. Certainly, with the California Attorney General's recent creation of a Privacy Enforcement and Protection Unit, it's not only private lawsuits that retailers need to worry about.