It’s Illegal For Offline Retailers To Collect Email Addresses–Capp v. Nordstrom
The California Supreme Court issued a decision a couple of years ago holding that a zip code is “personal identification information” under the Song-Beverly Credit Card Act of 1974, making it illegal for retailers to ask consumers to provide zip codes in connection with credit card transactions. (See “California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma.”) Extending that precedent, this case holds that retailers can’t ask for email addresses during credit card transactions. (Note: the statute does not apply to online or other “card-not-present” transactions, so online retailers are off the hook.)
Plaintiff alleged that Nordstrom requested his email address as a condition of completing the sale. Nordstrom allegedly asked plaintiff his email address so it could email him the receipt. According to plaintiff, this resulted in promotional emails from Nordstrom “on a nearly daily basis” as well as a general increase in email traffic.
An Email Address is Personal Identification Information: The statute prohibits retailers from “request[ing] or requir[ing] as a condition to accepting the credit card as payment . . . the cardholder to provide personal identification information.” Personal identification information is defined as information concerning the cardholder, “including but not limited to, the cardholder’s address and telephone number.”
In Pineda, the California Supreme Court held that this statute should be construed broadly, given the statute’s protective purpose. Nordstrom argued that Pineda is distinguishable because an email address is something arbitrarily chosen by the holder of the email address and can frequently changed. The court disagrees, noting that someone’s email address “permits direct contact and implicates the privacy interests of a cardholder.”
Nordstrom also argued, citing to Apple v. Superior Court, that as a new technology that was unlikely to be anticipated by the legislature at the time of enactment, the definition of personal identification information should not cover email addresses. The court says that although the California Supreme Court in Apple concluded that the same statute did not apply to internet transactions, the court’s holding was not premised on the legislature’s inability to anticipate these transactions but rather on the fact that zip codes could be collected for fraud-prevention purposes.
Nordstrom also raised the argument that defining the statute to encompass email addresses worked an undue surprise on retailers and was unfair, but this argument gets no traction with the court.
Plaintiff’s allegations were sufficient: Nordstrom argued that the plaintiff’s allegations were not sufficient to show that the plaintiff was required to cough up the email address, but the court says that at the pleadings stage, the allegations suffice. Moreover, while there is an “incidental purpose” exception to the statute, this exception does not envision collection of an email address in order to email a receipt to a purchaser.
Nordstrom also raised a First Amendment argument, but predictably this fails. The court says that collection of an email address is conduct and not speech.
Preemption: Nordstrom also argued that the plaintiff’s claim was preempted by CAN-SPAM. CAN-SPAM preempts state law that “expressly regulates the use of [email] to send commercial messages.” The court says that this means that the only state laws that are preempted are those that expressly regulate the use of email addresses. This statute does not expressly speak to email and concerns the collection of an email address rather than the transmission of email. Additionally, the court says that it’s possible to comply with both statutes. Complying with one statute does not generate the risk of not complying with the other. Finally, the court says that preemption would also be contrary to the purposes of CAN-SPAM, which is concerned with curbing the transmission of unwanted email.
Yikes. Something tells me that an enterprising class action lawyer will use this decision to target something we all see as a convenience and innovation of the retail experience: the Apple store. Please don’t. It’s so great to have the option of getting receipts emailed to you. I never understood why paper receipts were mandated by law, but I love electronic receipts. For what it’s worth I use a throwaway email address for this purpose but don’t seem to notice any uptick in email, at least not from Apple. Admittedly, a retailer can exploit this information in a variety of ways, including to bridge the on and off-line gap when building a consumer’s profile. Nevertheless, to me, the use of an email address to avoid a paper receipt is a great convenience. [I haven’t thought through what this decision means for retailers who use Square, but in my experience they also typically ask if you would like your receipt emailed to you; I think Square stores an email address once it has been associated with a credit card, so retailers technically do not have to request it.]
Unlike junk mail, which is what something like your zip code ostensibly generates and that is not addressed by another statute, in this case, we have statutes expressly dealing with the ills that are caused by the collection of email addresses: California’s anti-spam statute and CAN-SPAM. This shouldn’t necessarily be the court’s primary consideration in construing the credit card statute or answering the preemption question, but it’s worth noting.
This is one of many decisions answering the question of whether a bit of data is personal identification information. We’ve had rulings addressing zip-codes, IP addresses, and now email addresses. The decision demonstrates courts’ willingness to construe personal information broadly, and the lack of a binary “personal” versus “non-personal” distinction when it comes to data. (See generally Prof. Paul Ohm’s work: “Data Anonymization and Re-identification Lecture Featuring Paul Ohm, SCU, April 7“.)
(1) Is it clear yet to you that the Song-Beverly Act isn’t aging well? It was written for a different era, and its application to the modern retailing environment is nonsensical. It seems quaint, but not in a good way, to be “protecting” email addresses only offline given how much commerce has moved offline. The offline exceptionalism is indefensible, and its application to a shopping feature (the emailed receipt) not contemplatable in the 1980s shows how the language creates unexpected barriers to new technological developments that consumers like and value. Who would like to work with me in an-almost-certain-to-fail effort to repeal the Song-Beverly law?
(2) What drives me absolutely batty is that the California legislature KEEPS MAKING THE SAME DRAFTING MISTAKES!!! Their tsunami of new privacy laws show the legislature hase learned absolutely nothing from the mistakes they made a couple decades ago–including, most damningly, still making technologically rooted laws that won’t age well. See, e.g., the huge number of drafting ambiguities in the online eraser bill.
(3) Decisions like this typically act as green lights for massive numbers of new lawyer-driven lawsuits that do nothing to help consumers. Yay.
Update: More on the case from David Bertoni.
Case citation: Capp v. Nordstrom, Inc., No. 2:13-cv-00660 (E.D. Cal. Oct. 21, 2013)