February 05, 2013
California Supreme Court: Retail Privacy Statute Doesn't Apply to Download Transactions – Apple v Superior Court (Krescent)
[Post by Venkat Balasubramani with comments from Eric]
Apple v. Superior Court ex rel Krescent, S199384 (Cal. Sup. Ct. Feb. 4, 2013)
In a divided ruling, the California Supreme Court held that California’s privacy statute restricting retailers from collecting personal information as part of credit card transactions (the Song-Beverly Credit Card Act) does not apply to online sales of downloadable materials.
Plaintiff was an apple customer who purchased digital goods. He alleged that Apple collected both a street address and a telephone number while accepting credit cards, and that neither data category fell under the statutory exception for the collection of information. The statutory scheme is set forth in section 1747, et seq., and had most recently been applied by the court in Pineda, where the court found that collection of a zip-code by a bricks and mortar retailer violated the statute. While the statute provides for several exceptions allowing the collection of some personal information during credit card transactions (certain types of transactions; when the retailer is “contractually obligated” to collect the information; transactions at the pump), none of those statutory exceptions explicitly applied to an online sale. The statute also provides for the collection of a driver’s license or “positive identification” but where the customer does not make the card available on request.
Majority opinion: the majority says that the statute—which pre-dated online commerce—does not provide a clear answer. However, the court says that the legislature was concerned with consumer privacy, but also built in flexibility to allow merchants to take fraud control measures. The court also says that fraud control mechanisms that are available to bricks and mortar retailers (e.g., inspecting the customer’s ID) are not available to online retailers. Accordingly, the court says:
[w]e cannot conclude that if the Legislature . . . had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended section 1747.08(a)’s prohibitions to apply to such transactions despite the unavailability of section 1747.08(d)’s safeguards.
Plaintiff acknowledged that Apple could at least require his address as a verification mechanism and that Apple's collection of this information does not clearly fall under any statutory exception. In fact, the statute says that the address is a type of identification that retailers are not allowed to collect, unless incident to fulfilling the transaction (which does not apply when a download is involved and there is nothing to ship).
Plaintiff also argued that a 2011 amendment (excluding the collection of zip-codes in pay-at-the-pump transactions) shows that the statute overall applies to online transactions. According to plaintiff, this narrow exception would only be necessary if the statute applies to all remote transactions. The court says no. The amendment was enacted in response to Pineda, which held that zip-codes were personal information, and to insulate gas stations who had been collecting this information for ages, under the mistaken belief that it was not prohibited by the statute.
Finally, the court points to other legislation as adequately protecting plaintiffs. The California Online Privacy Protection Act is, according to the court, a good backstop for regulating the transfer of consumer information in online transactions. Similarly, the TCPA also offers some protection against unsolicited telephone calls.
In closing, the court says that in light of the legislative purpose and structure of the statute, it’s not clear that it applies to online sale of downloads. Obviously, if the legislature wants, it can revisit the issue.
Justice Kennard: Justice Kennard tees off on the majority’s internet exceptionalism and says this is what is driving the conclusion. He is particularly unpersuaded by the fact that the transaction should be treated differently because it is a “card not present” transaction, saying that these transactions (mail order) existed well before the internet, and the legislature did not build in any exceptions for mail or telephone into the statute. Justice Kennard also says that sellers of downloadable products can take preventative measures against fraud. They can record the buyer’s driver’s license number or other ID number. They can also collect personal identification if “contractually obligated” to do so.
Justice Baxter: Justice Baxter also dissents, saying that applicability of the statute to online retailers flows from the statute, isn’t absurd, and promotes the legislative objectives. Justice Baxter says that the purpose of the statute is to protect consumer privacy, and to the extent there is any anti-fraud purpose behind the statute, it’s to protect consumers, and not retailers, from fraud. Justice Baxter also focuses on mail order and telephone transactions and says that there’s no reason why the legislature would intend these transactions to not be excluded but somehow intend internet transactions to be excluded. He also says that whether the information was collected for fraud protection purposes is a factual matter anyway that shouldn’t be resolved against plaintiff on a demurrer. Finally, Justice Baxter says that California’s Online Privacy Protect Act does “nothing to restrict an online retailer’s use of a consumer’s personal identification information . . . .”
This lawsuit vaguely brings to mind the debate about FACTA's credit card receipt truncation requirements and whether these applied to online transactions (answer: no). As meritless as these lawsuits may seem, I have to admit that the dissents made some pretty good points. The majority's statutory interpretation seemed tortured. In particular, the fact that remote transactions have pre-dated the internet, would (to me) point to the fact that the lack of an express carve-out in the statute for online transactions means that these transactions would be presumed to be covered. Also persuasive was the argument that even if the address is justifiable as a fraud-prevention mechanism, the phone number not so much. (As a sidenote, online retailers deal with a set of byzantine rules when it comes to fraud prevention and for the most part are on the hook for fraudulent transactions.)
Interestingly, the majority cites to California's online privacy statutes as a backstop that offers protection to consumers, but judicial interpretations of harm, or lack thereof, have rendered those statutes as ineffectual weapons--at best--in the hands of consumers. (See, e.g., Boorstein v. Men's Journal.)
Although other federal courts and lower state courts have declined to apply the statute to online transactions as a whole, the court's opinion here repeatedly mentions downloadable transactions. It's interesting that the court did not take the extra step to just exclude online transactions as a whole. As Eric notes below, this is a fairly narrow holding.
I would chalk this decision up to a dose of internet exceptionalism coupled with distrust towards privacy class actions that are based on statutory causes of action. It puts the ball squarely in the legislature's court.
Although the dissents and the media coverage have tried to play up the importance of this ruling, it's actually a pretty narrow ruling. The majority opinion says that the Song-Beverly statute doesn't restrict the collection of personal information during credit card sales of downloadable files. That's all it does. Plus, the personal information in those transactions may be regulated by dozens of other statutes, legal doctrines, industry guidelines, contracts and technology. So saying this statute doesn't apply to these limited transactions hardly opens up a huge privacy hole. The majority opinion made this point and the dissents basically ignore it--to their detriment.
It's easy to criticize the California Supreme Court for its messy decisions here (their debates about technological facts were wince-inducing--they reminded me of their embarrassing Intel v. Hamidi debate about what an "intranet" is), but the California legislature is really the one to blame. Simply put, the Song-Beverly Act is a terrible piece of legislation. Among other reasons:
* the act was a specific solution to a specific problem. The act bans certain common retailer practices from the 1980s. But obviously retailer practices evolve over time, requiring constant legislative attention to address new practices. When that doesn't happen (i.e., always), those laws don't age well. This would have been a great statute to contain a sunset provision that forced the legislature to revisit it after a certain length of time.
* worse, the act encodes unexpressed assumptions about credit card technologies and retailer practices. Not surprisingly, judges have a tough time dealing with legislation like that.
Overall, I see Song-Beverly litigation as just one class in the superset of stupid privacy litigation, designed to advance the interests of the lawyers, not the interests of the class of consumers they purportedly represent. I've criticized this phenomenon in my The Irony of Privacy Class Action Litigation article.
California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma
Ninth Circuit: FACTA Does not Cover Emailed Receipts -- Simonoff v. Expedia
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
"Electronically Printed" Does not Include Automated Merchant Email -- Shlahtichman v. 1-800 Contacts