Since the California Supreme Court issued its highly-anticipated Song-Beverly Credit Card Act decision in February of this year, Apple v. Superior Court (Krescent), various courts in California have had the opportunity to apply Apple to Song-Beverly cases involving e-commerce issues.
Song-Beverly prohibits merchants from requesting or requiring a customer’s personal identification information (“PII”) as a condition of accepting a credit card for payment. The statute defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.” Cal. Civ. Code § 1747.08(b). In Apple, the California Supreme Court held that the Act does not apply to online purchases of electronically-downloadable products. (A more detailed summary of the Apple decision is available here.)
In Apple, the Court declined to hold that all e-commerce transactions are outside the reach of the Act. But the opinion did acknowledge that the Legislature could not have had e-commerce transactions in mind when Song-Beverly was enacted in 1990-91. The Court therefore determined that the Act should not be applied in a way that places online merchants—who cannot physically inspect a customer’s credit card or confirm the customer’s identity using a driver’s license or other identification card—at a higher risk of fraud than merchants who transact with customers in a face-to-face environment. In the cases discussed below, courts have addressed claims relating to e-commerce using this guiding principle from Apple.
Krescent v. StubHub, Inc. and Ambers v. Buy.com, Inc.
On July 9, 2013, the California Superior Court for the County of San Francisco awarded a victory to StubHub, Inc. in a Song-Beverly case brought by plaintiff David Krescent (the same plaintiff who initiated the Apple suit). Thomas Brown and Kristin Hall of Paul Hastings represented StubHub.
Mr. Krescent alleged that StubHub violated the Act by requesting his telephone number in connection with his purchase of tickets from various online ticket sellers, where the tickets were mailed or shipped to Mr. Krescent’s address. StubHub asked the court to dismiss the case on the pleadings, arguing that the Act does not apply to online transactions, and even if it did, the Act’s prohibitions cannot be used to impede online merchants from verifying a customer’s identity.
The Superior Court granted StubHub’s motion and dismissed the case on grounds that the theory presented in Mr. Krescent’s case was “analytically indistinguishable” from the claim that the Court struck down in Apple, which involved the purchase of electronic downloads. In both contexts, the court said, “the Act provides no means for online retailers to protect against credit card fraud, and thus in neither situation could the Legislature have intended [the Act] to apply.”
A case before the U.S. District Court for the Central District of California, Ambers v. Buy.com, reached a similar conclusion with regard to online purchases of physical goods. The Buy.com court held that the collection of PII in such circumstances did not violate the Act because online merchants need a way to verify that the persons presenting credit cards for payment are authorized to do so.
Capp v. Nordstrom, Inc.
Another recent post-Apple case that implicated e-commerce issues is Capp v. Nordstrom, Inc. The plaintiff, Robert Capp, claimed that a cashier requested his email address for the purpose of sending him an electronic receipt, and that Nordstrom later used that address to send him unsolicited marketing emails. Nordstrom moved to dismiss, arguing that an email address is not PII—an issue of first impression in California.
Nordstrom first argued that an email address could not be considered PII because it does not necessarily identify a specific person. Unlike a person’s home address, “an email address can be anything chosen by the owner,” is easily changeable, and a person can have multiple email addresses at one time. Relying on the Apple decision, Nordstrom also pointed out that “email addresses were not used by businesses or consumers at the time Song-Beverly was enacted[,] . . . when the Internet was still primarily a governmental and academic tool.”
The court rejected these arguments (and Nordstrom’s other arguments based on the First Amendment and preemption under the federal CAN-SPAM Act), noting that access to a consumer’s email address “permits direct contact and implicates the privacy interests of a cardholder.” Thus, the court concluded that an email address constitutes PII because it is “information concerning the cardholder.”
The court also observed that the holding of Apple “was based not on the historical fact that the Legislature had not considered the prospect of electronic music downloads” when the law was enacted, but rather, upon its recognition that the interests of privacy protection should not be upheld at the expense of merchants’ interests in protecting themselves from fraud.
The Practical Effect of These Post-Apple Decisions
Although courts post-Apple have declined to explicitly hold that the Act does not apply to e-commerce, a practical implication of these decisions is that the collection of PII in connection with online transactions is more likely to be excused on grounds that cardholder information can provide a necessary tool for the prevention of credit card fraud.
Under this reasoning, Nordstrom’s expansion of PII to include email addresses would not seem to expose online retailers to greater risk of liability under Song-Beverly, so long as the reviewing court applies the fraud-prevention analysis of Apple, StubHub, and Buy.com. To illustrate, in a future case involving an online merchant’s collection of a customer’s email address, the merchant could likely argue that email addresses are a necessary customer verification tool, as well as a way to notify the customer about the status of his or her order. The more immediate effect of Nordstrom (depending on how the case develops in the trial court, or on appeal) will likely be upon on brick-and-mortar retailers, who should consider examining their practices of requesting customer email addresses at checkout to avoid potential liability under the Act.
Caveat Vendor is Paul Hastings' Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.