
InfoBytes Blog

Financial Services Law Insights and Observations


  • Federal Court Holds Email Addresses Are PII Under California Credit Card Act

    Privacy, Cyber Risk & Data Security

    On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.

    Credit Cards Class Action Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • California Federal Court Denies Class Certification In Song-Beverly Credit Card Act Case

    Privacy, Cyber Risk & Data Security

    On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.

    Class Action Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • California Federal Court Holds Online Purchase Transactions for Shipped Merchandise Not Covered by Song-Beverly Credit Card Act

    Fintech

    On April 30, the U.S. District Court for the Central District of California held that Section 1747.08 of the Song-Beverly Credit Card Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions, does not apply to online purchase transactions in which the merchandise is shipped or delivered to the customer. Ambers v. Buy.com, No. 13-196, slip op. (C.D. Cal. Apr. 30, 2013). The ruling extends a recent holding by the California Supreme Court in Apple Inc. v. Sup. Ct. Los Angeles, which held that the Song-Beverly provisions do not apply when the item purchased is downloaded via the Internet. In this case, the customer claimed, on behalf of a putative class whose claims could total $500 million, that Apple created a standard that applies the Song-Beverly protections whenever the retailer has “some mechanism” to verify the customer’s identity. The plaintiff argued that the retailer’s request as part of the purchase transaction for a phone number in addition to the shipping address violated the statutory privacy protection. The court reasoned that, as explained in Apple, the state legislature intended to allow retailers to verify that a person making a card purchase is authorized to do so, and stated that the shipping address alone would not work as an anti-fraud mechanism because a person who buys merchandise online may direct shipments to addresses not related to the credit card billing address. As such, the court held that Song-Beverly privacy protection does not apply to online purchases where the merchandise is being shipped or delivered, and granted the retailer’s motion to dismiss.

    Credit Cards Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • California Supreme Court Holds Online Download Purchase Transactions Not Covered By Song-Beverly Credit Card Act

    Fintech

    On February 4, the California Supreme Court held, in a 4-3 split ruling, that the personal privacy protections afforded consumers by the Song-Beverly Credit Card Act do not apply when the item purchased is downloaded via the Internet. Apple Inc. v. Sup. Ct. Los Angeles Cty., No. S199384, 2013 WL 406586 (Cal. Feb. 4, 2013). However, the court did not consider whether the Song-Beverly Act privacy provisions apply to the broader category of online transactions that do not involve a downloadable product. In this case, a customer filed a putative class action against an online digital media retailer, alleging that the retailer’s practice of requiring customers to provide their telephone number and address before accepting credit card payment for downloadable media purchases violates Section 1747.08 of the Song-Beverly Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions. Citing the statutory language and legislative history, the court explained that while Song-Beverly was intended to protect personal privacy, it was not meant to do so at the risk of increasing fraud. Further, the court determined that fraud protections provided in Song-Beverly, which allow retailers to request proof of identification, are not available to online retailers selling downloadable products. The court also reasoned that in later enacting the California Online Privacy Protection Act, the state legislature demonstrated that it can unambiguously address online transactions, and that it sought to strike a different balance between privacy protections and online commerce than did the Song-Beverly Act. Therefore, the court held, online transactions involving downloadable products fall outside the scope of Song-Beverly. The court invited the legislature to revisit consumer privacy in connection with online transactions.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • California District Court Holds Song-Beverly Credit Card Act Does Not Prohibit Post-Transaction Collection of Zip Codes, Denies Class Certification

    Fintech

    On January 28, the U.S. District Court for the Northern District of California denied a motion for class certification filed by a group of plaintiffs seeking to challenge, on behalf of similarly situated individuals, a retailer’s policy that required cashiers to request consumer zip codes in connection with a purchase transaction. Gormley v. Nike, Inc., No. 11-893, 2013 WL 322538 (N.D. Cal. Jan. 28, 2013). The court held that the named plaintiffs failed to demonstrate typicality because their experiences were inconsistent with the policy they sought to challenge. The court explained that while the policy required cashiers to request zip codes after providing the purchased merchandise and a receipt to the customer, each plaintiff testified that the cashier asked for a zip code prior to providing those items. The court disagreed with the plaintiffs’ argument that the timing of the request was irrelevant based on the plaintiffs’ assertion that the California Supreme Court held in Pineda v. Williams-Sonoma Stores Inc. that a request for a card holder’s zip code violates the Song-Beverly Credit Card Act. The court explained that Pineda only addressed whether zip codes constituted personal identification information, and then chose to follow subsequent district court decisions holding that the Song-Beverly Act prohibits only a request for personal identification information as a condition to completing a credit card transaction.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security

  • Retail Customers Obtain Unusually Favorable Settlement in Zip Code Collection Case

    Fintech

    On January 11, the U.S. District Court for the Northern District of California approved a settlement between a retailer and a class of customers to resolve allegations that the retailer violated the California Song-Beverly Credit Card Act by collecting customer zip codes as part of credit card purchase transactions and storing that information in a customer database. Burdewick v. Kohl’s Dep’t Stores, Inc., No. 12-119, Final Order and Judgment (Jan. 11, 2013). The settlement is the most recent in a series following the California Supreme Court’s 2011 decision in Pineda v. Williams-Sonoma Stores Inc. that zip codes constitute "personal identification information" under the Act. In this case, class members can submit claims to obtain a gift card from a common $650,000 fund. The exact amount of the gift card will depend upon the number of valid claims, but actual payments are expected to far exceed the $10-$20 amounts typically provided by most similar settlements to date. Moreover, the settlement places no restriction on the use or transferability of the cards. The court also approved a $215,000 award to class counsel, and a $7,500 incentive award to the class representative.

    Song-Beverly Credit Card Act Privacy/Cyber Risk & Data Security
