On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.
In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction. Song-Beverly generally prohibits retailers from requesting or requiring as a condition to accepting credit card payment, that the cardholder be required to provide PII upon a credit card transaction form or otherwise. In Pineda v. Williams Sonoma Stores—decided in early 2011—the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff’s ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.
In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud. It then reasoned that online purchases are different from brick-and-mortar purchases:
The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer‘s photo identification. Thus, … the key antifraud mechanism in the statutory scheme . . . has no practical application to online transactions involving electronically downloadable products.”
In reaching its decision, the majority writing for the California Supreme Court also considered the entirely different online environment at the time the key Song-Beverly provision at issue was passed in 1990, almost a decade before online commercial transactions became widespread. The Court wrote, “We cannot conclude that if the Legislature in 1990 had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended Song-Beverly’s prohibitions to apply to such transactions despite the unavailability of [fraud prevention] safeguards.”
The Court went out of its way to note that the decision does not address whether Song-Beverly applies to online transactions that do not involve electronically downloadable products or to any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer. Most lower courts to consider the issue, including Saulic v. Symantec Corp, have held that Song-Beverly does not apply to other types of online transactions.
The problems that come with attempting to apply outdated legislation to today’s online environment have been the subject of recent congressional attention, as we have seen in connection with recent amendments to the Video Privacy Protection Act, described here, and a continued focus on the need for ECPA reform, summarized here.