Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

This is the first federal appellate court decision to focus on FACTA’s truncation requirements for electronically printed transaction receipts. FACTA’s truncation requirements, 15 U.S.C. § 1681c(g), prohibit the “electronic printing” of any receipt at “the point of the sale or transaction” that contains the expiration date of a consumer’s credit or debit card or more than the last five digits of the credit or debit card account number.

The Seventh Circuit followed the majority view among district courts that “the term ‘electronically printed’ reaches only those receipts that are printed on paper.” The court noted that a printed receipt brings to mind “a tangible document” and “ordinarily connotes recording it on paper.” The court rejected Shlahtichman’s argument that the use of “electronically” in section 1681c(g) evidences a congressional intent to broaden the meaning to include more modern usages. The court instead interpreted that language to suggest an intention to capture receipts that are printed by a machine rather than credit card slips or receipts that are imprinted or handwritten.

Next the court looked to the overall statutory context of FACTA and noted that the truncation requirements apply to receipts “that are printed and ‘provided to the cardholder at the point of the sale or transaction.’” The court concluded that “the statute contemplates transactions where receipts are physically printed using electronic point of sale devices like electronic cash registers or dial-up terminals.”

Finally the court noted that even if email order confirmations were “electronically printed” receipts for FACTA purposes, the dismissal of Shlahtichman’s complaint was appropriate because Shlahtichman sought the statutory damages authorized only for willful violations of the truncation requirement and 1-800 Contacts had not willfully violated the statute.

 We previously posted about the district court’s decision in Shlahtichman v. 1-800 Contacts, Inc., 2009 U.S. Dist. LEXIS 112379 (N.D. Ill. Dec. 2, 2009) here.

Under the terms of the proposed settlement, each class member will be offered a settlement relief voucher good for any one of the following: (a) $50 off a purchase of $100 or more, (b) a “classy” tee shirt with a suggested retail value of up to $40 or (c) a hooded sweatshirt (“hoodie”) with a suggested retail value of approximately $55. The voucher will be redeemable at any store in PNC Park, the home of Major League Baseball’s Pittsburgh Pirates. Aramark has agreed that, if the settlement is approved, it will distribute not just those settlement relief vouchers claimed by members of the class, but a total of 4,773 vouchers – one for each electronically printed receipt alleged to have violated FACTA. To effectuate this requirement, beginning fifteen days after in-store notices to class members are removed, Aramark will distribute unclaimed vouchers to every customer who makes a purchase using a credit or debit card at PNC Park. Aramark will also be responsible for the costs of notifying class members regarding the settlement and paying class counsel’s fees of $105,000.

While coupon or voucher settlements are generally frowned upon by courts, Judge Lancaster acknowledged that such relief “appears well suited to the [FACTA] violations alleged, especially in light of the lack of actual damages.” The court’s acknowledgement lends credence to the denial of class certification, in, for example, Soualian v. International Coffee & Tea LLC, No. 07-cv-502 (RGK) (C.D. Cal. June 11, 2007), on account of the damages sought being disproportionate to the actual harm suffered by the class.

FACTA’s truncation requirements, 15 U.S.C. § 1681c(g), prohibit the “electronic printing” of any receipt at “the point of the sale or transaction” that contains the expiration date of a consumer’s credit or debit card or more than the last five digits of the credit or debit card account number. It is clear that this prohibition applies to hard copy receipts provided to consumers, but reported decisions regarding the applicability of FACTA to electronically displayed receipts are inconsistent in their holdings. Compare Grabein v. 1-800-Flowers.com, Inc., No. 07-22235 (S.D. Fla. Jan. 29, 2008) with Meehan v. Buffalo Wild Wings Inc., No. 07C4562 (N.D. Ill. Feb. 26, 2008). Nonetheless, many judges have held that FACTA does not apply to online receipts (see, for example, the Smith v. Zazzle.com case reported here). On December 2, Judge Darrah joined them.

In Shlahtichman, an electronic order confirmation containing plaintiff’s credit card expiration date was e-mailed to plaintiff after he placed an order through defendant’s website. The plaintiff alleged that this “receipt” violated FACTA’s truncation requirements. Judge Darrah, in coming to his conclusion, relied on the plain meaning of the word “print” and determined that under FACTA, an e-mail order confirmation is not an “electronically printed” receipt because “‘print’ is not commonly understood as a display on a computer screen.” Shlahtichman, 2009 U.S. Dist. LEXIS 112379, at *7 (citing Grabein v. Jupiterimages, 2008 WL 2704451, at *6 (S.D. Fla. 2008)). Judge Darrah also held that an e-mail order confirmation is not subject to FACTA because an e-mail is not provided “at the point of sale or transaction” due to the fact that an e-mail can be accessed from anywhere in the world. Id.

The FTC acknowledged that many entities, particularly small businesses and other companies with a low risk of identity theft, remain uncertain about whether they are covered under the Rule, and, if so, what steps they must take to comply. As part of its education campaign, the FTC stated that it plans to create a link on its Red Flags Rule website to provide additional guidance regarding the Rule to small and low-risk entities.  To date, the FTC has provided, among other things, a how-to guide for businesses, FAQs, and an online do-it-yourself Identity Theft Prevention Program for low-risk entities. 

The delay underscores the difficulty the Commission staff has had in anticipating and explaining the precise scope of the Rule – namely what entities are covered the Rule. As a practical matter, the Rules, and the FTC’s interpretation of them, have cast a net so wide so as to ensnare businesses that have not encountered identity theft in their operations and that are not normally subject to the Commission’s jurisdiction.  Indeed, as we have discussed before on this blog, there has been confusion among companies regarding the scope of the Rule. And despite previous delays and additional FTC guidance, many businesses, as well as entire industries, have still been caught off-guard by the Rule.  Nevertheless, the FTC believes that this extension and the new guidance the Commission will provide “should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it.”

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

o         Comparing information in the consumer report with information that the user

o         obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,

o         maintains in its own records, such as applications or change of address requests, or

o         obtains from third parties;

o         Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and

o         Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice, and within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise asses the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule. 

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov./redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules. 

Proskauer summer associate Rebecca Guttman contributed to this post.     

Judge King’s opinion focused on the meaning of the word "print" in the following FACTA provision: "no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." 15 U.S.C. § 1681c(g)(1). Judge King found, based on the ordinary meaning of the word "print," that Congress intended "print" to mean the "imprinting of something on paper or another tangible surface." Zazzle.com, 2008 U.S. Dist. LEXIS 101050 at **7-8.

Confusion Among Companies Regarding Coverage

The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently.  The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.

As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.”Therefore, the FTC will delay enforcement of the new rules for six months.Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.

Who and What Are Covered

A company must consider whether it would be considered a covered entity – i.e., a financial institution or a creditor.  Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.  As to the definition of creditor, the Red Flag Rules reference the Equal Credit Opportunity Act (“ECOA”), which defines a creditor as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”  In its Enforcement Policy Statement, the FTC noted that under the ECOA’s definition, “any person that provides a product or service for which the consumer pays after delivery is a creditor.”  Thus, under this broad interpretation, many companies that permit their customers to defer payment for any purchase may be covered under the rules. 

Once a company determines that it is indeed a covered entity, it must assess which of its accounts or products fall under the definition of “covered accounts” – a red flag program need only apply to these covered accounts.  The definition of “covered account” is divided into two parts:  (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

Covered entities then must develop written policies and procedures not only to identify and detect red flags, but also to respond to red flags by preventing or mitigating potential identity theft.  A red flag is a pattern, practice or activity that could indicate identity theft.  Because covered entities must tailor their red flags programs to their particular business, these companies will need to do risk assessment to evaluate current identity theft prevention measures, their shortcomings and the risks to customers.  In addition, companies must periodically update their identity theft programs to address emerging threats.  The final rules became effective on January 1, 2008, and, prior to this announcement, covered entities were required to comply by November 1, 2008.  You can read more about the Red Flag Rules here. 

Summary of the Final Rule’s Requirements

In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:  

• the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
• the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
• the consumer has not opted out thereof. 

Opt-Out Requirements

The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice. 

Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.

Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.

Key Definitions

Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”) 

“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers. 

Exceptions

The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:

o       to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;

o       to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;

o       to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;

o       in response to a communication initiated by the consumer;

o       in response to a consumer’s authorization or request to receive a solicitation; and

o       if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.

As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).

As discussed here last year , the Supreme Court ruled in Safeco Insurance Co. of America, et al. v. Burr, et al that reckless disregard of the requirements of FCRA can constitute willful violation.  The court left open the question of whether it was objectively reasonable for merchants to continue to print expiration dates on customer receipts after the date for compliance with FACTA had passed. 

In response to the widespread FACTA litigation, Congress amended FCRA to prevent certain putative consumer class actions. The “Credit and Debit Card Receipt Clarification Act of 2007” (“the Act”), signed by President Bush on June 3, amends FCRA to specify that printing expiration dates on receipts where the account number is otherwise properly truncated does not in and of itself constitute willful noncompliance.  Consumers will not be entitled to pursue suits claiming willful violation, and thus not be entitled to seek statutory damages, merely because an expiration date is printed on an otherwise compliant receipt.  The Act does not affect negligence suits filed by consumers who can show actual harm as a result of the printing of the expiration date, or suits against merchants who are otherwise not in compliance with FACTA’s requirements.  The Act applies to any company that printed an expiration date on any receipt provided to a consumer cardholder at a point of sale or transaction between December 4, 2004, and the date of the enactment. 

Proskauer summer associate Nicole Ross contributed to this post.

Defendant moved to dismiss the case on three theories: (1) the word “print” means to actually put ink to paper, rather than to display on a computer screen; (2) that “point of sale” refers only to receipts “printed” in stores, rather than at home at the option of the consumer; and (3) that 15 U.S.C. § 1681c(g) is unconstitutionally vague. 

The court rejected all three arguments. First, after considering a battle of dictionaries, the court held that “print” can mean both the display of data on a computer monitor and the physical marking of paper or another surface. This conclusion was consistent with the only other FACTA case on point, Vasquez-Torres v. Stubhub Inc., No. 07-1328, 2007 U.S. Dist LEXIS 63719, *7 (C.D. Cal. July 2, 2007).

Second, consistent with Ehrheart v. Bose Corp., No. 07-350, 2008 WL 64491 (W.D. Pa. Jan. 4, 2008), the Grabein court held that the legislative intent of FACTA was to prevent identity theft broadly, and that such intent encompassed receipts “printed” both at home and in stores.

Finally, the court held that 15 U.S.C. § 1681c(g) is sufficiently clear so as to allow ‘persons of common intelligence” to understand its prohibitions, and that the statute therefore is not unconstitutionally vague.

In addition to the fine, the stipulated judgment and order requires American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United is also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules.

The Disposal Rule, 16 C.F.R. 682, requires that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. "Disposal" includes any discarding, abandonment, sale, donation or transfer of information.