Are E-Retailers Prohibited from Collecting Personal Identification Information During Credit Card Transactions from CA Residents?

Published On November 8, 2012 | By Melissa Maalouf | General, Litigation, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On 11/7, the California Supreme Court heard oral argument on this question in a case against Apple regarding whether the CA Song Beverly Act, which restricts companies from collecting certain information from consumers during a credit card transaction, applies to e-commerce.

Under the Act, retailers are prohibited from collecting personal identification information (“PII”) from consumers during credit card transactions.  PII includes information not visible on a credit card, including a customer’s address and phone number.  While retailers can ask to see photo ID, they may not record any PII.  In 2011, the California Supreme Court held that the definition of PII extends to a consumer’s zip code (Pineda v. Williams-Sonoma Stores, Inc.).

Following the Pineda decision, class action lawsuits were filed against Apple, Ticketmaster, and eHarmony in 2011, arguing that the law should apply to them.  In the complaint against Apple, the plaintiff, a California resident, alleged that he was required to provide his phone number and address to establish an iTunes account.  He argued that because such information was not necessary to confirm his credit card information, the collection violated the Act.  A California trial court judge agreed that the Act should apply to online retailers, and in January 2012, Apple petitioned the CA Supreme Court, along with Ticketmaster, eHarmony, Wal-Mart and eBay acting as amicus curiae (Apple v. S.C. (Krescent), No. S199384).

During oral argument, Apple argued that the law only applies to brick-and-mortar businesses, given that e-commerce did not exist when the law was enacted in 1971.  Moreover, Apple and the other e-retailers cautioned that applying the law online would increase the risk of identity theft and credit card fraud because online retailers would no longer be able to verify credit card information during purchases.

In contrast, consumer advocates argued that the law should apply to both online and offline credit card commerce, given that e-retailers have alternative means by which to protect against fraud that do not involve over-collection of information from consumers.  They did concede, however, that online retailers may need some information for fraud prevention purposes, such as zip code.

Reports from the oral argument suggest that the Court overall seemed more sympathetic to the online retailers’ concerns about fraud, but the decision is likely to be close, as a couple of the justices seemed to agree with the plaintiffs, and all justices expressed concern over the lack of concrete information in the record (e.g., regarding whether Apple uses the PII it collects during e-transactions for marketing or other purposes, and whether credit card companies will reimburse online retailers for fraudulent purchases absent the ability to review PII).

About The Author

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.

Leave a Reply

Your email address will not be published. Required fields are marked *