Emerging Electronic Receipt Option Requires Creative Thinking for Retailers under State Law

Posted on August 19, 2011 by Andrew Hoffman

Recently, several large retail chains have started offering customers the option to receive electronic receipts for in-store purchasers, as the New York Times reports. For instance, a cashier may ask a customer for his or her email address at check-out and then email the receipt to the customer. Paperless receipt programs offer retailers new and exciting marketing opportunities—for instance, adding a retail store purchaser’s email address to the company’s customer relationship management database, even if that customer never shops online. But with these new opportunities come potential liabilities from old laws that were not written with this new technology in mind.

Fifteen states and the District of Columbia have laws that place restrictions on a retailer’s collection of personal information when a customer pays with a credit card. (A number of states also restrict the collection of personal information when a customer pays by check, but who uses checks anymore?) Of these states with credit card laws, eight states’ statutes broadly restrict the collection of personal information, although some of them contain a variety of conditions of applicability and exceptions. California’s Song-Beverly Act, the most litigated of these laws, has even been interpreted by a court to prevent a retailer from collecting a ZIP Code under most circumstances. The remainder of states have more limited restrictions, such as on the collection of addresses, which nonetheless could apply to electronic receipts if a state court or attorney general interprets “address” expansively to encompass an email address. Notably, some states have exceptions that allow the collection of personal information under certain circumstances, such as when the collection is required “for a special purpose incidental but related to the individual credit card transaction,” which may be broad enough to encompass electronic receipts.

The penalties for violations of these statutes vary. For instance, California’s statute provides for a liability cap of $250 per violation for a first violation of its statute and a $1,000 per violation cap for each subsequent violation. If class action status is sought, potentially crippling liability exposure can accrue overnight. While most states treat improper data collection as a civil matter, Delaware, for instance, treats a violation of its data collection law as a misdemeanor. To our north, the offering of electronic receipts has already caught the attention of Canada’s Office of the Privacy Commissioner, which notes that under Canadian law, customers should be informed about how their email addresses will be used.

Thus, because of the potential liabilities and new technology that is quickly catching the eyes of class action plaintiff lawyers and regulators, retailers considering offering electronic receipts would be well-advised to consider state laws before implementing an electronic receipt option. By taking these laws into consideration in advance, electronic receipt programs can be designed to comply with these laws in at least most states.  Such consideration and appropriate planning may help avoid significant legal and financial liabilities under state laws.
Tags: , , , , , , , , ,

90210 Gets Personal: California Supreme Court Rules that ZIP Codes are "Personal Identification Information"

Posted on February 11, 2011 by Brendon Tavelli

Yesterday, the California Supreme Court held that ZIP codes are “personal identification information” within the meaning of the state’s Song Beverly Credit Card Act. The court’s decision in Pineda v. Williams-Sonoma Stores, Inc., No. S178241 slip op. (Cal. Feb. 10, 2011), casts a dark cloud over the established retail practice of asking for ZIP codes when customers make purchases using a credit card in brick-and-mortar stores. In Pineda, the plaintiff sued Williams-Sonoma alleging that when she made a purchase at one of defendant’s stores, the cashier requested her ZIP code and recorded it as part of her credit card transaction. Subsequently, Williams-Sonoma used plaintiff’s ZIP code to perform a “reverse append” and thereby locate plaintiff’s home address.

The Song Beverly Act prohibits businesses from requesting that cardholders provide “personal identification information” during credit card purchase transactions that do not fall within one of the exceptions in subdivision (c), and then recording that information. Personal identification information is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” The trial court in Pineda concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected the trial court’s and the Court of Appeal’s reasoning. Relying (too heavily it seems) on the Song Beverly Act’s protective purpose and expansive language, the court concluded that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed concern about Williams-Sonoma’s “reverse append” practices and the potential for retailers to make an end-run around the statute by collecting indirectly what they cannot legally collect directly. But the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.” In so holding, the Supreme Court essentially reversed the Court of Appeal’s decision in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), in which the Court of Appeal first explained that a ZIP code identifies a relatively large group rather than an individual. In fact, the Party City record showed that there were 24,953 individual addressees in the plaintiff’s ZIP code. Consequently, the Court of Appeal concluded that a ZIP code was not, as a matter of law, the kind of personalized or individual identification information that falls within the scope of the Act.

In addition to some spirited debate, the Pineda decision is likely to generate a healthy number of lawsuits against California retailers. So ZIP up those jackets and be prepared to weather the storm!
 
Tags: , , ,

Zip Codes not "Personal Identification Information" under California's Song-Beverly Act

Posted on December 26, 2008 by Proskauer Rose LLP

On December 19, 2008, in Party City Corp. v. The Superior Court of San Diego County, the California Court of Appeal in the Fourth Appellate District held that zip codes are not "personal identification information" under California's Song-Beverly Credit Card Act of 1971, California Civil Code Sec. 1747.08 (the "Act."). The Act prohibits a retailer that accepts credit cards from, among other things, "request[ing], or require[ing] as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the [retailer] writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Id. at § 1748.08(a)(2). Under the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Id. at § 1747.08(b). Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code" the court concluded a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.
Tags: , , , , , , , ,