April 30, 2011

KEEPING CURRENT: California Supreme Court Expands Retailers' Liability Under Credit Card Privacy Laws

Paul S. Rosenlund

Many California retailers have been impacted in recent years by lawsuits brought by self-styled privacy advocates seeking damages and other redress resulting from retailers' gathering customer addresses, e-mail addresses, telephone numbers, or other personal information during the course of a credit card transaction.

The Supreme Court of California issued a decision on February 10, 2011, that appears to render the privacy landscape even riskier for retailers that accept credit card payments from California customers. In Pineda v. Williams-Sonoma Stores, Inc., 2011 Cal. LEXIS 1355 (Cal. Feb. 10, 2011), the state supreme court ruled that a customer's ZIP code constitutes "personal identification information" and that requesting and recording the customer's ZIP code during the course of certain credit card transactions may subject the requesting party to claims for up to $1,000 per transaction, plus other liabilities.

Song-Beverly Credit Card Act

The basis of the court's ruling in Pineda was the Song-Beverly Credit Card Act of 1971, California Civil Code § 1747, et seq. Many provisions of the Song-Beverly Credit Card Act were intended to parallel the federal Truth in Lending Act, 15 U.S.C. § 1601, et seq., but the California law covers additional topics. One of its provisions, Civil Code § 1747.08, prohibits businesses that accept credit cards from doing any of the following:

  1. Requesting, or requiring as a condition of accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise;
  2. Requesting, or requiring as a condition of accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information that the person, firm, partnership, association or corporation accepting the credit card writes, causes to be written or otherwise records upon the credit card transaction form or otherwise.
  3. Utilizing, in any credit card transaction, a credit card form that contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

The Song-Beverly Credit Card Act provides many exceptions to this prohibition, but each must be carefully considered when applied to the circumstances at hand. For example, a retailer may record information that is on the face of the credit card, but nevertheless must comply with Title I, section 113 of the Fair and Accurate Credit Transactions Act, Public Law 108-159, codified at 15 U.S.C. § 1681c(g), which limits the data that may be electronically printed on receipts provided to the customer. The retailer may demand reasonable identification, but may not record identification information, such as a driver's license number, phone number, or address, on the transaction record or elsewhere. The law exempts transactions involving security or damage deposits; cash advance transactions; Internet, telephone, and mail order transactions; refund transactions; and a variety of other instances for which personal identification information is required for a special purpose incidental but related to the individual credit card transaction.

Potential Claims

Only the California attorney general can seek injunctive relief under the Song-Beverly Credit Card Act, but private parties pursuing individual claims and class actions can obtain civil penalties of up to $1,000 per transaction, plus costs and legal fees. Potential also exists for violations to draw parallel claims based on other California consumer statutes, such as the Consumers Legal Remedies Act (Calif. Civil Code § 1750, et seq.) or the Unfair Competition Law (Calif. Bus. & Prof. Code § 17200, et seq.).

Numerous class action suits have been brought under the Song-Beverly Credit Card Act. Plaintiffs typically contend that they made a purchase and were asked to provide a ZIP code, address, or telephone number that was then typed into the cash register, and that they were led to believe that providing this information was a mandatory condition of the transaction. They also may allege a panoply of potential losses of privacy and misuse of their personal information, but the core of their claims (and a potentially significant risk to retailers and others dealing with California consumers) is the $1,000 civil penalty per transaction, as well as attorneys' fees.

Impact on Retailers

Many retailers request ZIP codes from customers, not for the purpose of reconstructing their customers' addresses to send them junk mail or to sell their information to others, but for perfectly legitimate purposes such as determining where to locate new stores or focus newspaper advertising. Until this month, retailers who requested only ZIP codes enjoyed a respite from liability under the Song-Beverly Credit Card Act based on lower court holdings, such as Party City v. Superior Court, 169 Cal. App. 4th 497, 86 Cal. Rptr. 3d 721 (2008), that a ZIP code does not constitute "personal identification" under the statute.

However, in Pineda v. Williams-Sonoma, the supreme court disapproved the Party City ruling and others like it. The court held that a credit card customer's ZIP code, even when provided with nothing more, constitutes "personal identification information," and that businesses are subject to liability for requesting and recording it during a credit card transaction, irrespective of what they do with the information.

In so holding, the supreme court dismissed arguments that the statute violates due process because it could result in substantial penalties that might be confiscatory in nature. The court noted that the Song-Beverly statute provides flexibility to courts in setting penalties, because the $1,000 figure is a maximum penalty, and a court is free to award a lower amount "or even the proverbial peppercorn we all encountered in law school."

The supreme court also dismissed defense arguments that its new ruling should apply only prospectively, thereby potentially exposing businesses to liability if they relied on Party City or similar cases in thinking that they were compliant with the Song-Beverly law by requesting customer ZIP codes and nothing more.

Retailers' Response

All businesses who accept credit card payments from California consumers should consider assessing their credit card transaction and information-capture policies and procedures for compliance with the Song-Beverly Credit Card Act and other pertinent laws and regulations.

Even those businesses who have settled Song-Beverly claims and revised their operating procedures in the past should now consider taking a second look at their practices.

Paul S. Rosenlund is a partner in the San Francisco office of Duane Morris LLP. This article has been prepared and published for informational purposes only and is not offered, nor should it be construed, as legal advice.