A class-action lawsuit filed last month alleges that Wal-Mart’s video recording technology at its self-service checkout kiosks collects “personal identification information” in violation of the California Song-Beverly Act Credit Card Act of 1971 (“Song-Beverly Act”). The Song-Beverly Act, like analogous statutes in several other states, generally prohibits businesses from recording customers’ “personal identification information” as
Businesses should take note of this week’s decision in Gormley v. Nike, Inc., a lawsuit under California’s Song-Beverly Credit Card Act, in which plaintiffs allege that Nike violated the Act by requesting ZIP codes from them during credit card transactions in Nike’s retail stores. Judge Susan Illston of the Northern District of California denied…
In a recent decision, the Supreme Judicial Court of Massachusetts (“SJC”) broadly interpreted a statute that governs the personal information that may be collected by a merchant during a credit card transaction. The decision, Tyler v. Michaels Stores, Inc., SJC-1145 (Mass. March 11, 2013), was issued in response to three questions that had been certified to the SJC by a federal district judge in Boston, in connection with a lawsuit alleging violation of Mass. Gen. Laws, ch. 93, §105(a), the Massachusetts analogue to California’s Song-Beverly Act.
Section 105(a) provides that “[n]o business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.” “Personal identification information,” in turn, “shall include, but shall not be limited to, a credit card holder’s address or telephone number.” Violations of Section 105(a) are treated as “unfair and deceptive trade practices” under Mass. Gen. Laws. ch. 93A, §§ 2, 9, which provides “injured” persons a private right of action against any entity that commits an unfair or deceptive trade practice.
The plaintiff in Tyler alleged that Michaels Stores violated §105(a) by requesting her ZIP code during a credit card transaction at one Michaels Stores retail location. The district court agreed that the plaintiff had sufficiently pled a violation of that statute, but nonetheless dismissed the complaint because she had failed to allege a cognizable injury stemming from the violation, which is required to bring an action under Massachusetts’s unfair and deceptive trade practices statute. The court explained that the purpose of §105(a) was to prevent identify fraud, and suggested a plaintiff would need to allege that fraud had occurred because of the alleged violation of §105(a).
On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.
In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction. Song-Beverly generally prohibits retailers from requesting or requiring as a condition to accepting credit card payment, that the cardholder be required to provide PII upon a credit card transaction form or otherwise. In Pineda v. Williams Sonoma Stores—decided in early 2011—the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff’s ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.
In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud. It then reasoned that online purchases are different from brick-and-mortar purchases:
The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer‘s photo identification. Thus, … the key antifraud mechanism in the statutory scheme . . . has no practical application to online transactions involving electronically downloadable products.”
Nearly two years ago, the California Supreme Court held that requesting a customer’s ZIP code in connection with a credit card transaction violated the Song-Beverly Credit Card Act of 1971, a statute that prohibits businesses from recording a customer’s “personal identification information” (“PII”) as a condition of accepting a credit card payment. On Wednesday, the…
According to court documents filed last week, Netflix has agreed to change its data storage practices and pay about $9 million to settle allegations that it unlawfully retained and disclosed customers’ video-viewing histories. Specifically, Netflix agreed to decouple viewing history from identification information once users have been inactive for a year; to pay $30,000 to the class representatives; to pay up to $2.25 million to class counsel; and to give the remaining funds to nonprofit organizations that provide privacy-related education. The proposed settlement agreement has been submitted to the court for preliminary approval.
The injunctive remedies, cy pres relief, and sizable award to class counsel in In re Netflix Privacy Litigation are consistent with settlements reached in earlier privacy-related lawsuits. For example:
Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act. According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers. A roundup of recent developments in Song-Beverly Act litigation:
- A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed.
- Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]). According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either. The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions.
- A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.