November 03, 2014 Top Story

Self-Service Kiosks Can Require Consumers' Zip Codes

Ninth Circuit finds collection does not violate California consumer privacy law

Teresa Rider Bult

Requiring consumers to provide their zip code when renting from self-service video rental kiosks does not violate California’s consumer privacy laws, where the data is being used as a security measure to ensure payment. Sinibaldi v. Redbox Automated Retail, LLC.

Class Action Alleged Song-Beverly Credit Card Act Violations

Redbox operates self-service movie and video game rental kiosks, where customers can use credit or debit cards to pay the charges. As part of the transaction, Redbox requires customers to provide their zip codes to ensure the security of the credit card transaction. If customers do not return the disc within 24 hours, they are charged another dollar per day, up to a maximum of $25 for DVDs, and additional amounts for Blu-ray discs or video games. Those additional costs are charged to the credit card provided by the customer.

California plaintiffs brought a putative class action against Redbox in the U.S. District Court for the Central District of California, alleging the zip code requirement violated California’s Song-Beverly Credit Card Act. The act prohibits retailers from requesting “personal identification information” in connection with credit card transactions. Zip codes, according to the California Supreme Court, are considered “personal identification information.”

Redbox argued that the act did not apply to stand-alone kiosks, since, like online transactions, the kiosk transaction was processed completely electronically and did not present the risks of “brick and mortar” fraud the act was implemented to prevent. Redbox pointed to a recent decision by the same district court finding online transactions were not covered by the act, and argued unsecured kiosks were akin to online transactions.

Redbox further argued that its kiosks fit into one of the act’s exceptions because the credit card was used to ensure the security of the credit card transaction. The act exempts transactions “[i]f the credit card is being used as a deposit to secure payment in the event of a default, loss, damage, or other similar occurrence.”

District Court Equates Redbox to Online Transactions

The district court found that the kiosk transaction was indeed akin to an online transaction because no employee was physically present at the kiosk. It reasoned that, when the Song-Beverly Act was enacted in 1971, there were no Internet or self-service credit card kiosks, and such transactions were not anticipated by the act. Rather, the legislation was intended to prevent physically present store employees from harassing customers to obtain personal information for overreaching marketing purposes. The district court found those risks were not present at stand-alone kiosks and, in fact, because of the heightened risk of fraud, stand-alone kiosks and Internet transactions have a great need for information, such as zip codes, to ensure the security of the transaction.

Ninth Circuit Finds Redbox Fits Exception to Act

On appeal, the Ninth Circuit reached the same result, but avoided the comparison to online transactions and focused instead on the act’s exception, which exempts transactions that are “used as a deposit to secure payment in the event of a default, loss, damage, or other similar occurrence.”

The appellate court found that Redbox uses the credit card as a “deposit” even though the company does not immediately withdraw the cost of the DVD from the customer’s account. The circuit court specifically listed car rental companies and hotels as examples of other vendors that fall into this exception because both of those industries often require a credit card to secure a reservation.

Opinion May Limit Lawsuits

Some ABA leaders believe the ruling provides long overdue restrictive guidance for the statute. “The Song-Beverly Act was designed to address specific concerns about misuse of consumer information,” says Rudy R. Perrino, Los Angeles, CA, cochair of the ABA Litigation Section, Commercial & Business Litigation Committee. He believes an onslaught of recent putative class actions, like the Redbox case, have been “clear examples” of an overreaching attempt to “take advantage of loose statutory language.” Teresa H. Michaud, San Francisco, CA, cochair of the Section of Litigation’s Class Action & Derivative Suits Committee Emerging Issues Subcommittee, feels this ruling not only helps narrow the issues, but actually “works to improve the protection of consumers’ private information by requiring a form of identity verification to prevent fraudulent transactions.”

More Retailers Fit Exception

On the other hand, both Perrino and Michaud recognize the ruling may allow merchants to use personal information for marketing. “The Ninth Circuit seemed to say that what Redbox was actually doing with the information was irrelevant, so long as it was plausible that the information could be used to protect Redbox in the event of default, loss, damage, or other similar occurrence,” Perrino points out. Thus, arguably, a merchant who fit within the exception could use the personal information for the very marketing and “harassing” the act was intended to prevent.

Further, Michaud notes that because the Ninth Circuit focused on the exception rather than the “online” nature of the transaction (as the district court had), it leads to the conclusion that even “brick and mortar” stores or transactions where a store employee is physically present, such as grocery self-checkout lines, could also qualify for the exception—that is, if they could prove the information was gathered for security purposes rather than marketing.

Don’t Be Too Quick to Assume Exception Fits

Even so, Michaud believes “the Ninth Circuit’s decision addresses a narrow and express exception to the Song-Beverly Act,” and therefore will only apply to “companies operating in the rental car or hotel industries where credit card security deposits are common.”

Perrino agrees, cautioning California merchants not to assume they can begin collecting personal information merely because of the Redbox ruling. “The majority of retailers do not have a reason to collect security deposits, so they would not be able to exploit this particular exemption,” Perrino advises.


Teresa Rider Bult is an associate editor for Litigation News.

Keywords: Song Beverly Credit Card Act, credit card, consumer privacy, zip code, online transaction

Related Resources

Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).