What Apple’s Information Win Means For All Of eCommerce
"California Supreme Court Rules in Apple Inc. v. Superior Court That Online Retailers May Request Personal Identification Information from Purchasers of Electronic Downloads."
On February 4, the California Supreme Court issued its much-anticipated opinion Apple Inc. v. Superior Court, ruling that Apple’s request for telephone number and address information from customers in connection with the purchase of electronic downloads on its iTunes service — which reached its 25 billionth song download yesterday — does not violate California law. Specifically, the Court ruled that California’s Song-Beverly Credit Card Act of 1971 “does not apply to online purchases in which the product is downloaded electronically.”
Although the Court only addressed digital goods purchases, the decision should provide comfort to online merchants, retailers and other entities that gather personal information in online credit card transactions. The Court’s analysis, including its observation that the statute explicitly allows merchants to collect information to prevent fraud, should have broader application in other Song-Beverly cases involving online purchases of services and physical goods.
Enacted when payment cards accounted for only a small number of retail transactions, the Song-Beverly Act prohibits merchants from requesting or requiring a customer’s personal identification information (“PII”) as a condition of accepting a credit card payment. The statute defines PII as cardholder information not written on the credit card “including, but not limited to, the cardholder’s address and telephone number.” Although the statute has some specified exceptions, the prohibitory language of the Act is vast, and imposes significant liability — a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.
Prior to this week’s decision, the Court made its most recent statement on the Act in a 2011 case called Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the Court concluded that PII includes “not only a complete address, but also its components,” including a ZIP code, and that simply “requesting and recording a cardholder’s ZIP code, without more” is a violation of the statute.
Pineda launched a wave of class action litigation aimed at retailers, merchants, and credit card processors seeking civil penalties in hundreds of lawsuits filed on behalf of California consumers. Although Pineda involved an in-person transaction and said nothing about the Act’s application to online commerce, the resulting lawsuits have been targeted at both traditional brick-and-mortar retailers, as well as online businesses such as Amazon, PayPal, Craigslist, StubHub, and Microsoft.
The case against Apple, Krescent v. Apple Inc., was part of the post-Pineda wave of class actions aimed against California retailers. The plaintiff, David Krescent, alleged that Apple violated the Act when it made him provide his address and telephone number to pay for media downloads purchased on Apple’s iTunes service with a credit card. Apple asked the trial court to reject the complaint at the threshold, arguing that the Act does not apply to online transactions. The trial court refused, stating that it was “not prepared . . . to read the Act as completely exempting online credit transactions from its reach.” Apple eventually petitioned the California Supreme Court for review.
The California Supreme Court ruled in favor of Apple on February 4, 2013. Although the Court’s holding only addressed the specific factual scenario before it — i.e., whether the Act applies to purchases of electronically-downloadable products — the decision suggests that the Act was never intended to apply to online transactions, especially if doing so would prevent merchants from effectively preventing credit card fraud and identity theft.
The Court concluded “that the Legislature,” in drafting the Act, “did not contemplate commercial transactions conducted on the Internet.” According to the Court, the Act seeks to protect privacy but not “at the cost of creating an undue risk of credit card fraud.” Because online merchants, unlike offline merchants, cannot physically inspect cards presented by consumers, the Court discerned that the Act should not be read to put online merchants at a disadvantage to their offline brethren. Although the decision does not specify what information — e.g., full address, ZIP code, telephone number — a merchant might collect for fraud-prevention purposes, it explicitly holds that the Legislature intended for retailers to have “some mechanism by which retailers can verify that a person using a credit card is authorized to do so.”
The immediate impact of the Court’s decision is clear. Online merchants selling digital goods need not worry about the Act. But the ruling may have broader implications for eCommerce generally, and these implications are likely play out among the California trial courts faced with interpreting and applying the California Supreme Court’s ruling.
— Thomas Brown, Attorney, Paul Hastings LLP
Brown worked on an amicus brief on behalf of a coalition of online merchants and industry groups in connection with the case.