Header graphic for print
Privacy Law Blog

California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions

Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy

The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097, available at http://www.courts.ca.gov/opinions/documents/S199384.PDF.) The Court agreed with Apple that online sales of electronically downloadable products fall outside the coverage of the Act. The Court’s reasoning emphasized that the collection of some personally identifying information is important in preventing online fraud. Although the Act does not apply to the transactions in question, the Court pointed out that online retailers are not given free rein because other state and federal laws do apply to place limits on the collection and use of personally identifying information.

Among the provisions of the Act, codified at California Civil Code section 1747 et seq, is a prohibition in section 1747.08 against retailers’ requesting or requiring a credit card holder’s personal identification information in order to process a credit card transaction. The Court has previously held that requesting and recording a Zip Code during a credit card transaction in a brick-and-mortar store is forbidden under the Act. Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011). The Court wrote in Apple that the plain meaning of the statute’s language was not decisive of the issue at hand, and an analysis of the legislature’s statutory scheme as a whole was necessary. The Court also pointed out that section 1747.08 of the act makes no reference to online transactions, which is unsurprising, given that the provision that later became section 1747.08 was enacted in 1990.

The plaintiff in the underlying trial court case alleged that Apple requested or required his address and telephone number in order to accept his credit card payment for electronically downloadable items. Apple demurred to the Complaint, arguing that online transactions fall outside the scope of the Act, and that holding otherwise would undermine the prevention of online identity theft and fraud. Although not addressed in the opinion, presumably, Apple’s payment card processor cross-checks the address information provided by the customer with the payment card billpay address as a method to verify the customer is the authorized cardholder.

The Court noted in its Apple decision various exceptions to the prohibition outlined in the Act, including where the retailer is contractually required to provide personally identifying information to complete the transaction, uses the Zip Code solely to prevent fraud, is obligated to collect information by a federal or state law, or collects the information for a purpose incidental but related to the credit card transaction (like shipping or delivery information). Furthermore, section 1747.08, subdivision (d) specifically states that the Act does not prohibit retailers from requiring safeguards, in the form of reasonable forms of positive identification, as a precondition to a credit card transaction.

The Court reasoned that since the law’s exceptions and its allowance to check IDs at the point of sale do not have practical applicability in e-commerce transactions, it must be that the legislators did not intend the law to apply to e-commerce transactions at all. The Court seemingly was also influenced by a desire to balance the protection of consumers from undesired solicitation against the need to authenticate payment card purchasers who are not physically present to show an ID or provide their signature on a transaction form.

The Court explicitly did not identify specifically what types of personally identifying information would be allowable to collect for authentication purposes. The Court held only that section 1747.08 cannot have been intended to apply to online sales of downloadable products because holding otherwise would foreclose anti-fraud protections enabled by the collection of personal information during e-commerce transactions.