Retailers Beware – Be Careful What You Ask Your Customers

When shopping in a retail store and presenting our credit card to the cashier, we have probably all been exposed to seemingly routine questions asked by a cashier such as "What's your phone number?" or "What's your address?" and then the cashier entered the information we provided into the cash register database. Often, sales personnel are required to ask these kinds of questions pursuant to a company's "telephone" or "address capture policy" or similar policies so as to allow the information to be used for follow-up marketing purposes. What the cashier (and his or her bosses) in our example probably did not know is that, in connection with a credit card purchase transaction, questions about a consumer's telephone number, address or other "personal identification information" are prohibited under California law. A number of other states impose similar restrictions on merchants, even though the laws of these states are generally less strict than California law.

Retailers often do not know about these statutory prohibitions and penalties (e.g., in California, USD250 for the first and USD1,000 for each subsequent violation). Suddenly, they find themselves as defendants in class actions — the preferred litigation vehicle to assert such violations — in which plaintiffs' attorneys demand payment of several hundred thousand or millions of dollars because they are representing a class of several hundred or more consumers who, together, engaged in thousands of credit card transactions in connection with which the retailers' sales personnel asked them "unlawful questions" such as the ones mentioned above.

§1747.08 of California's Song-Beverly Credit Card Act

California and other states have enacted laws that are designed, among others, to protect consumers' privacy in connection with credit card transactions and, specifically, to prevent retailers (and other companies accepting credit cards) from requesting a consumer's personal information (e.g., telephone number or address) and then matching it with their database information so as to be able to target the consumer with direct marketing. In California, the prohibition is embedded in the "Song-Beverly Credit Card Act of 1971" (the "Act") (Cal. Civ. Code §§1747-1748.7). §1747.08(a)(2) of the Act provides that companies that accept credit cards are not allowed to

"Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person... accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." (Emphasis added).

The word "request" was added in connection with a 1991 amendment of the provision and, thus far, the statute has been held to prohibit the mere "request" or "question" asked of a cardholder to provide personal information that will then be recorded in the retailer's computer system (or other database).[1]

In addition to imposing specific obligations and prohibitions on retailers (and other companies accepting credit cards), the Act also imposes specific duties on credit card issuers and cardholders.

General rule — What retailers cannot ask

The general rule is that retailers (or other companies that accept credit cards) cannot ask any "personal identification information" of consumers who use credit cards to pay for merchandise. The statute defines "personal identification information" as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." [2] While a telephone number and address constitute "personal identification information" as per the statute's definition, a California Court of Appeal recently held that said definition does not encompass a consumer's "ZIP Code".[3]

Exceptions — What retailers can ask

There are several exceptions to the general rule. Some transactions such as check or cash purchases are not encompassed by the statute. In addition, the statute itself provides for certain exceptions which allow the retailer to ask for "personal identification information" in connection with a credit card transaction. Moreover, recent case law has established some additional carve-outs. As a result, retailers in California can legitimately do the following (provided that no other applicable laws are violated):

 

• Ask for a consumer's telephone number, address and other "personal identification information" if:

–     the consumer pays in cash or by check;

–     that information is "required for a special purpose incidental but related to the individual credit card transaction" such as shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders

–     the retailer is contractually obligated to provide that information to complete the credit card transaction (for instance, if the credit card issuer requires that information)

–     the transaction is a cash advance transaction

–     the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence, or 

–     the consumer returns merchandise for which he or she had paid by credit card.[4]

–     ask for a consumer's ZIP Code;[5] or

–     ask the cardholder for his or her driver's license (or other form of photo identification), provided that none of the information contained thereon is written down or otherwise recorded (unless the consumer does not make the credit card available upon request to verify the number, in which case the cardholder's driver's license number or identification card number may be recorded on the credit card transaction form or otherwise).

 Does §1747.08 apply to online transactions?

 §1747.08 does not make any reference to online credit card transactions and, as such, the statute could — theoretically — be applied to them just as equally as to credit card transactions that take place in "brick-and-mortar" stores.

However, on January 5, 2009, in a decision denying class certification, the United States District Court in San Diego ruled that §1747.08 does not apply to credit card transactions on the Internet. In that case (Don Saulic v. Symantec Corp.), [6] the plaintiff claimed that §1747.08 was violated because Symantec Corporation and its Internet reseller, Digital River, Inc., had required him and the other class members to enter their names, telephone numbers, and email addresses into the defendants' website prior to accepting credit cards for payment. The court, however, found that §1747.08 does not apply to online transactions because, among others, the language of the statute does not contain any references to Internet transactions, the legislative history does not reveal the legislature's intent to encompass such transactions, and because unique fraud concerns in online transactions require the provision of personal information for verification purposes so as to allow for a "flagging" of potentially fraudulent transactions. Also, with regard to Internet transactions, online merchants can typically claim statutory exceptions because the collection of personal identification information such as a consumer's address will usually be "required for a special purpose incidental but related to the individual credit card transaction" such as shipping, delivery, servicing, or installation of the purchased merchandise.

What can retailers do to protect themselves?

The following is a non-exclusive sample list of steps a retailer could take to minimize the risk of violating statutes such as §1747.08 of California's Song- Beverly Credit Card Act:

 

• Become familiar with the specific "Dos and Don'ts" pertaining to the collection of personal information from consumers in each state in which the retailer's sales force is gathering such information (consumer protection laws can vary from state to state);
• Review existing "information gathering" policies and procedures to analyze if they are in compliance with the respective laws in each state;
• Revise "information gathering" policies and procedures to ensure legal compliance, if and to the  extent necessary;
• Train experienced and new sales personnel regarding scope, content, and practical implementation of revised policies and procedures;
• Verify that any new policies and procedures have been implemented in all stores and are being followed by employees;
• Monitor consumer protection laws and adapt practices, if necessary; and
• Ensure that any follow-up marketing complies with applicable marketing laws (e.g., the "Do not call requirements" and the "CAN SPAM Act" with regard to email marketing).

Similar laws in other states

At least 14 other states including Delaware, Georgia, Kansas, Maryland, Massachusetts, Minnesota, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Washington D.C., and Wisconsin, have enacted statutes similar to the California Song-Beverly Credit Card Act. However, the laws of these states are typically less restrictive than California law.

 

This article was originally prepared by Lothar Determann, Partner, San Francisco/Palo Alto, and is one of several that appear in Global Privacy Newsletter, June 2009.

--------------------------------------------------------------------------------

[1] See Florez v. Linens

[2] N'Things, Inc., 108 Cal. App. 4th 447 (2003).

[3] Cal. Civ. Code §1747.08(b).

[4] See Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008).

[5] Absher v. Autozone, Inc., et al., 164 Cal. App. 4th 332 (2008).

[6] See Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008).