A decades-old law protecting personal information during California credit card transactions is fueling a new wave of privacy litigation that could challenge how online retailers do business.
The Song-Beverly Credit Card Act, passed in California in 1971, limits retailers’ collection of personal information during in-person transactions unless its necessary to process the credit card transaction. More than a dozen lawsuits filed since April against major retailers Patagonia Inc., Macy’s Inc. and others, accuse them of violating the law by collecting data, including IP addresses, when those same credit card transactions occur online.
The wave of Song-Beverly cases is the latest in a quest by plaintiffs’ attorneys to apply laws designed for a pre-internet age to the online economy. The litigation poses questions as to what constitutes “necessary data” that can be collected under the law and whether its definition has expanded in the last 50 years.
“It’s taking new methods and old laws, and seeing if there’s a potential fit,” said Alysa Hutnik, a partner at Kelley Drye & Warren LLP.
The theory they pose is “open season” on online retailers that twists a law designed for the analog age, she said.
More than a dozen lawsuits filed in California over the past six months are still in pleading stages. There have also been four similar lawsuits filed in Massachusetts under the states Song-Beverly equivalent, the Massachusetts Consumer Privacy in Commercial Transactions Act.
Much like the wave of pixel-tracking cases over the past two years citing California wiretap laws, the new Song-Beverly disputes ask if companies are strictly acting as service providers without monetizing collected data, and if it’s essential to solving business needs, said Hutnik.
IP Problems
The new wave of complaints accuses companies of violating the law by requiring defendants to provide personal information—including IP telephone number, and their IP address—prior to purchases.
The information is then used for online tracking through technologies such as Facebook, Google. and PayPal pixel software. Statutory damages for illicit data collection are $250 for the first violation and $1,000 for each subsequent violation.
Previous Song-Beverly cases against brick-and-mortar stores focused on retailers’ collection of ZIP codes to target customers in snail mail marketing campaigns.
In Pineda v. Williams-Sonoma Stores Inc., the California Supreme Court ruled that the retailer went too far by coupling customer ZIP codes and names to reverse-search for their addresses in order to send them marketing materials.
“Now plaintiffs are saying that the online space is fair game, as well,” said Stephanie Sheridan, chair of the retail of e-commerce practice at Benesch, Friedlander, Coplan & Aronoff LLP.
The California Supreme Court exempted digital downloads from the act in a 2013 case against
The Court of Appeal for the State of California, Second Appellate District, also ruled in 2013 in Flores v. Chevron U.S.A. that the collection of ZIP codes solely for fraud prevention fell under the the act’s “special purposes” clause.
Neither case, however, weighed in on IP addresses and whether they are personally identifiable information, or PII.
That’s where courts and California law take a much more situational approach. California’s privacy law only considers an IP address PII if it can be linked to an individual or household.
“Courts have come to different conclusions, although in general, I would say courts accept that IP addresses are personal information,” said Myriah Jaworski, an attorney at Clark Hill.
The lawsuits fail to recognize a major exception to the law for fraud prevention, attorneys also noted.
“The statute has always included among the exceptions fraud prevention-type measures,” said Amy P. Lally, apartner at Sidley Austin LLP.
“These are orders being placed where the retailer can’t verify in person,” said Lally, noting that in-store verification could include checking an ID.
Song-Beverly requires data to be collected as a requirement to completing a credit card transaction, though websites collect an online user’s IP address as soon as a website is accessed.
“Every website needs to collect IP addresses in order to function,” Sheridan said. “It’s an example of trying to squeeze square pegs into round holes to try to force old laws to apply to new technology.”
Old Law, New Cases
Lally called the new wave of suits “a mash up” of Song-Beverly Credit Card Act and pixel tracking cases.
“I think that one of the reasons that the pixel claims are added in is when you take the claims out, the claims probably fall apart,” said Lally. “There’s a reason why we didn’t see Song-Beverly cases in awhile.”
Jaworski and Hutnik noted that both the pixel tracking and Song-Beverly went well in excess of the California Consumer Privacy Act, the state’s flagship privacy law, which allows sharing data with third parties under certain circumstances.
Whether the complaints continue to flood in will largely depend on the outcomes of cases filed this summer.
“We would expect in the next 12 months to 18 months to get some real substantive decisions from courts as to whether there really is a merit violation here, and whether these cases are really capable of being certified on a class wide basis,” said Jaworski.
While it’s too early to tell how courts will respond to these new Beverly-Song theories, companies can help shield themselves against litigation by carefully examining their data-sharing practices, Hutnik said.
“It’s not just about having a good reason to capture sensitive information,” she said. “You may have a good reason but how you’re doing it matters.”
Retailers should also evaluate financial companies’ integration with their check-out processes. Abercrombie and Vera Bradley are among brands that have been sued in a separate wave of litigation under California wiretapping laws over sharing personal data with third-party fraud detection services.
“The integration with financial companies is being scrutinized in very critical ways,” Hutnik said, adding that plaintiffs are “questioning if they’re just collecting the data for business purposes.”
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.