Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations.

To date, although the Act has been in effect since 2005, there are no published decisions under it. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety-day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless. Many companies that have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses.

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

Emerging Electronic Receipt Option Requires Creative Thinking for Retailers under State Law

Recently, several large retail chains have started offering customers the option to receive electronic receipts for in-store purchases, as the New York Times reports. For instance, a cashier may ask a customer for his or her email address at check-out and then email the receipt to the customer. Paperless receipt programs offer retailers new and exciting marketing opportunities—for instance, adding a retail store purchaser’s email address to the company’s customer relationship management database, even if that customer never shops online. But with these new opportunities come potential liabilities from old laws that were not written with this new technology in mind.

Fifteen states and the District of Columbia have laws that place restrictions on a retailer’s collection of personal information when a customer pays with a credit card. (A number of states also restrict the collection of personal information when a customer pays by check, but who uses checks anymore?) Of these states with credit card laws, eight states’ statutes broadly restrict the collection of personal information, although some of them contain a variety of conditions of applicability and exceptions. California’s Song-Beverly Act, the most litigated of these laws, has even been interpreted by a court to prevent a retailer from collecting a ZIP Code under most circumstances. The remainder of states have more limited restrictions, such as on the collection of addresses, which nonetheless could apply to electronic receipts if a state court or attorney general interprets “address” expansively to encompass an email address. Notably, some states have exceptions that allow the collection of personal information under certain circumstances, such as when the collection is required “for a special purpose incidental but related to the individual credit card transaction,” which may be broad enough to encompass electronic receipts.

The penalties for violations of these statutes vary. For instance, California’s statute provides for a liability cap of $250 per violation for a first violation of its statute and a $1,000 per violation cap for each subsequent violation. If class action status is sought, potentially crippling liability exposure can accrue overnight. While most states treat improper data collection as a civil matter, Delaware, for instance, treats a violation of its data collection law as a misdemeanor. To our north, the offering of electronic receipts has already caught the attention of Canada’s Office of the Privacy Commissioner, which notes that under Canadian law, customers should be informed about how their email addresses will be used.

Thus, because of the potential liabilities, and because this new technology is quickly catching the eyes of class action plaintiff lawyers and regulators, retailers considering offering electronic receipts would be well-advised to consider state laws before implementing an electronic receipt option. By taking these laws into consideration in advance, retailers can design electronic receipt programs to comply with these laws in at least most states. Such consideration and appropriate planning may help avoid significant legal and financial liabilities under state laws.