CAN-SPAM Doesn’t Preempt CA Privacy Law–Powers v. Pottery Barn
by Ethan Ackerman
On Sept. 19th, a California state appellate court held that CAN-SPAM doesn’t categorically trump state laws that may address email. Defendant retail store Pottery Barn was hoping it would agree with the initial ruling of the California trial court and hold that the federal CAN-SPAM law preempted the state law at issue, the Song-Beverly Credit Card Act.
The Song-Beverly Credit Card Act (apparently the enemy of corporate defense attorneys everywhere judging from google search results) generally prohibits the collection of certain personal information as a condition of processing a credit card transaction. Powers sued Pottery Barn under this law over its practice of collecting email addresses at the time of payment. Faced with these fairly uncontested facts, Pottery Barn argued at the trial court that the federal CAN-SPAM Act, regulating the sending and content of email, should preempt the state law.
Putting aside the obvious difference between a law that governs the collecting of personal information and a law that governs the sending and content of commercial email, the California Court of Appeals took the arguably easier route in addressing the issue – it read the preemption exceptions contained in the federal statute.
Readers interested in the details and holding logic can read the actual opinion. My short summary:
The California court read the preemption exceptions in CAN-SPAM and rightfully held that since the federal statute itself said it didn’t preempt general state laws not specific to email, Song-Beverly wasn’t preempted by CAN-SPAM.
“By its terms CAN-SPAM does not pre-empt state statutes which are not specific to e-mail and have only such incidental impact on e-mail use. (Tit.15, U.S.C. § 7707(b)(2).)”
In thinking of just how weak the preemption argument is, it’s not hard to come up with other instances of state law addressing the collection or use of email addresses that aren’t specific to “the use of electronic mail to send commercial messages.” Indeed, the court rules of all state courts in California address the redaction of certain types of personal information (although not ultimately email addresses in the rules’ present version.) I suspect the state’s freedom of information laws have similar provisions addressing personal identifiers. I don’t imagine that defendant’s counsel would have relished acknowledging that the logical extension of defendant’s argument was that the courts own filing rules were preempted.
Tom O’Toole at BNA has more.
[Eric's comment: while I agree with Ethan that the court correctly concluded that the Song-Beverly law isn't preempted by CAN-SPAM, I remain a little confused and troubled by the implications of the plaintiffs' arguments. It seems to me like the logical extension of their arguments is that it is illegal to collect email addresses when accepting credit card payments online. If this is the direction the case heads, then this case could have disconcerting implications for virtually the entire e-commerce industry. UPDATE: Ethan has pointed out that Saulic v. Symantec and some other cases have constrained the application of the Song-Beverly law to online commerce, a point I had forgotten. I hope that precedent will help put this lawsuit to rest, but it does make me wonder why the defendant accelerated CAN-SPAM preemption argument, a weaker one, to the front of the line,]