Song-Beverly Credit Card Act

Last week the BNA Privacy & Security Law Report published an article discussing in detail California’s Song-Beverly Credit Card Act (the “Act”). The aim of the article is to provide those persons and businesses that regularly engage in credit card transactions in California, most notably retail merchants, with a meaningful primer on some critical current and developing aspects of the Act.  The article provides an overview of the Act’s provisions, and discusses the important legal issues surrounding the Act, including several that California courts have resolved, several that are currently pending before those courts, and one that may be resolved in the near future.

On a related note, the California Court of Appeals, Fourth Appellate Division, recently issued a decision in Carson v. Michaels Stores, Inc., which addressed several issues under the Act. See id. at No. 37-2008-00089773-CU-BT-CTL, 2010 WL 2862077 (Cal. App. Ct. July 22, 2010). Carson filed a complaint against Michaels Stores, Inc., alleging violations of the Act and her constitutional right to privacy by requesting and recording her zip code, and then using her zip code to obtain her address from a public database. First, the court, following Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), affirmed the trial court’s holding that zip codes are not personal identification information under the Act. Because zip codes are not personal identification information under the Act, Michaels’ use of this information to obtain plaintiff’s address was also held not to be prohibited under the Act. Id. at 7. (See our prior posts discussing Pineda and issues under the Act.)

In addition, the court held that plaintiff had no reasonable expectation of privacy in her address – as it was obtained from public databases available on the Internet – and therefore plaintiff did not have a valid invasion of privacy claim under the California constitution. Id. at 9-10.

Notably, the court declined to decide a significant open issue under the Act – whether the Act prohibits a retailer from requesting personal information as a condition of accepting the customer’s credit card payment.  Id. at n.4. This open issue is discussed in detail in the above-referenced article.

In a previous post, we noted that the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database. The appeal is now fully briefed. The following are some of the more significant arguments proffered by each side, and the potential impact of the ruling on retailers.

The trial court sustained Williams-Sonoma’s demurrer to Pineda’s Section 1747.08 claim on the grounds that under Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008) (discussed previously on this blog), zip codes can never constitute “personal identification information” for purposes of that section. In her brief, Pineda asks the Supreme Court to disregard this well-reasoned precedent on the grounds that zip codes are expressly defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Pineda argues that the trial court and court of appeal erred by inserting an additional criterion into the definition and requiring that the information be “unique” to the cardholder, rather than merely “concerning” the cardholder as set forth in the statute. In addition, Pineda argues that Williams-Sonoma preys on its credit card customers who are accustomed to providing their zip codes for legitimate verification purposes at gas stations and mistakenly assume that Williams-Sonoma is requesting their zip codes to process their credit cards. Meanwhile, according to Pineda, its sole intent is to use its customers’ zip codes to “covertly” obtain their home addresses to build its customer database.

Williams-Sonoma, on the other hand, argues first that the question of whether a zip code is “personal identification information” was not certified for review by the California Supreme Court, and thus the court of appeal’s decision in Party City stands. In addition, Williams-Sonoma argues that the Song-Beverly Credit Card Act does not prohibit the use of information that is collected by a retailer at the point of sale. Instead, Song-Beverly is silent as to any conduct other than the request and recording of “personal identification information” during a credit card transaction. Because a zip code has already been held to not fit within the definition of “personal identification information,” the inquiry ends there – it cannot be transformed into “personal identification information” based on how the zip code is used. Further, according to Williams-Sonoma, there is nothing improper about using zip codes to have third party vendors narrow down publicly available information about customers, such as their address.

How the California Supreme Court resolves this issue may have a substantial impact on retailers that collect customer zip codes. If the Supreme Court accepts Pineda’s interpretation of Song-Beverly that zip codes are “personal identification information,” retailers could be left wondering what other conduct is prohibited, since neither “zip codes” nor “reverse data searches” are expressly mentioned in the language of the statute. In addition, after having relied on Party City, retailers could be left wondering whether they are now liable for this conduct under Song-Beverly for up to $1,000 per transaction.

This appeal has not yet been set for oral argument.  We will keep you updated as to any developments.

If you or your company collect zip codes in California as part of a loyalty program or otherwise, and reverse data mine for additional customer information, you should be aware that the California Supreme Court recently granted a petition to review the issue of whether a retailer violates California’s Song-Beverly Credit Card Act if, in connection with a credit card transaction, it records a customer’s zip code for the purpose of later using it and the customer’s name to obtain the customer’s address through a reverse search database.

The Song-Beverly Credit Card Act prohibits merchants that accept credit cards in transacting business from making requests that the cardholder provide “personal identification information” and from recording that information. (Cal. Civ. Code § 1747.08, subd. (a)(2).) Under the Act, “personal identification information” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number. In Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (Cal. App. Ct. 2008) (discussed previously on this blog), the California Court of Appeals considered the language of the Act and the legislative history and concluded, as a matter of law, that a zip code is not “personal identification information” within the meaning of section 1747.08, subdivision (b) because a zip code is not facially individualized information. Last year, in Pineda v. Williams-Sonoma Stores, Inc., 100 Cal.Rptr.3d 458 (Cal. App. Ct. 2009), the California Court of Appeals followed Party City and affirmed the decision below that Williams-Sonoma did not violate the Act by requesting and recording the customer’s zip code for the purpose of using it and the customer’s name to obtain the customer’s address through the use of reverse data mining. The Court of Appeals in Pineda also held that using a legally-obtained zip code to acquire and use an address that is public is not “a serious invasion of privacy,” which is a necessary element of a privacy claim. Pineda failed to allege facts showing that her home address was not otherwise publicly available or that she undertook efforts to keep it private.

While the Party City and Pineda decisions provided clarity for companies in California that collect customer zip codes and then reverse data mine, the California Supreme Court’s decision to review this issue again creates uncertainty as to whether the practice is permissible. Stay tuned for future posts on any developments.
 

If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see e.g. Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff pleaded facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently pleaded a claim for invasion of privacy, the court reasoned that:

  • plaintiff adequately alleged a legally protected privacy interest in his home address;
  • the allegations that Autozone obtained and subsequently used his home address information from using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
  • plaintiff sufficiently alleged that the invasion into his privacy was "serious," given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.
  • Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

  • Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
  • Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).

 


As of January 1, 2009, and in contrast to federal law, California Civil Code Section 1747.09 requires that no more than the last five digits of a credit or debit card number be printed on both the electronically-printed card receipt retained by the business as well as the receipt provided to customers. See CAL. CIVIL CODE § 1747.09(a)-(d). If you or your business accept credit cards or debit cards for payment you must ensure that all machines and registers are in compliance with these truncation requirements. Businesses that fail to comply with revised Section 1747.09 face potentially significant consequences, including enforcement actions by state agencies, and, perhaps more significantly, individual and class action lawsuits brought by cardholders.

A brief look at the recent history of class actions filed under the federal truncation statute – the Fair Credit Reporting Act (“FCRA”), which applies only to transaction receipts provided to customers – may offer guidance on how California courts may deal with actions brought under Section 1747.09.

Beginning in December 2006, plaintiffs’ attorneys began filing class action lawsuits against a broad spectrum of retailers and other businesses in California based largely on the failure to truncate expiration dates on electronically printed credit card receipts provided to consumers, and sought statutory penalties of between $100 and $1,000 per transaction for each “willful” violation alleged, plus attorneys’ fees, costs and punitive damages. See 15 U.S.C. § 1681n. In order to prevent consumers, who had not suffered any actual damage, from recovering potentially annihilating statutory damages against retailers and other merchants, Congress passed the Credit and Debit Card Receipt Clarification Act, which added a provision to the Fair and Accurate Credit Transactions Act (“FACTA”) preventing consumers from obtaining statutory damages for willful expiration date violations taking place between December 4, 2004 and June 3, 2008. Further, several courts refused to certify a class on the theory that a class action is not superior to other methods for the fair and efficient adjudication of the controversy. However, no similar legislation has been enacted by the California legislature, and it remains to be seen whether courts will deny certification of a class action brought under Section 1747.09, as several courts have done in FACTA cases, to limit abusive lawsuits brought by consumers under California state law.

Accordingly, if you have not already done so, you should act swiftly to ensure that all machines and registers are in compliance with the truncation requirements. To accomplish this, consider auditing machines and registers by printing out receipts both retained by the company and issued to the customer. If any violation of Section 1747.09 or FACTA is detected, corrective action should be taken to limit potential liability and to decrease the risk of a potential lawsuit.