Recently, several large retail chains have started offering customers the option to receive electronic receipts for in-store purchasers, as the New York Times reports. For instance, a cashier may ask a customer for his or her email address at check-out and then email the receipt to the customer. Paperless receipt programs offer retailers new and exciting marketing opportunities—for instance, adding a retail store purchaser’s email address to the company’s customer relationship management database, even if that customer never shops online. But with these new opportunities come potential liabilities from old laws that were not written with this new technology in mind.

Fifteen states and the District of Columbia have laws that place restrictions on a retailer’s collection of personal information when a customer pays with a credit card. (A number of states also restrict the collection of personal information when a customer pays by check, but who uses checks anymore?) Of these states with credit card laws, eight states’ statutes broadly restrict the collection of personal information, although some of them contain a variety of conditions of applicability and exceptions. California’s Song-Beverly Act, the most litigated of these laws, has even been interpreted by a court to prevent a retailer from collecting a ZIP Code under most circumstances. The remainder of states have more limited restrictions, such as on the collection of addresses, which nonetheless could apply to electronic receipts if a state court or attorney general interprets “address” expansively to encompass an email address. Notably, some states have exceptions that allow the collection of personal information under certain circumstances, such as when the collection is required “for a special purpose incidental but related to the individual credit card transaction,” which may be broad enough to encompass electronic receipts.

The penalties for violations of these statutes vary. For instance, California’s statute provides for a liability cap of $250 per violation for a first violation of its statute and a $1,000 per violation cap for each subsequent violation. If class action status is sought, potentially crippling liability exposure can accrue overnight. While most states treat improper data collection as a civil matter, Delaware, for instance, treats a violation of its data collection law as a misdemeanor. To our north, the offering of electronic receipts has already caught the attention of Canada’s Office of the Privacy Commissioner, which notes that under Canadian law, customers should be informed about how their email addresses will be used.

Thus, because of the potential liabilities and new technology that is quickly catching the eyes of class action plaintiff lawyers and regulators, retailers considering offering electronic receipts would be well-advised to consider state laws before implementing an electronic receipt option. By taking these laws into consideration in advance, electronic receipt programs can be designed to comply with these laws in at least most states.  Such consideration and appropriate planning may help avoid significant legal and financial liabilities under state laws.