(Article originally featured on O’Melveny & Myers LLP website)
On February 10, 2011, the California Supreme Court issued its decision in Pineda v. Williams-Sonoma Stores, Inc[1]. The decision addresses whether the Song-Beverly Credit Card Act of 1971 (the “Act”) (Cal. Civ. Code § 1747 et seq.) prohibits businesses from requesting and recording a customer’s ZIP code during a credit card transaction. Pineda concludes that a ZIP code constitutes “personal identification information” and that requesting and recording this information during a credit card transaction, without more, violates the Act. This holding exposes retailers, merchants, and credit card processors to liability for potentially huge civil penalties, and it seems certain to launch a new wave of credit card litigation aimed at retailers.
The Song-Beverly Credit Card Act of 1971
Enacted when payment cards accounted for a small sliver of retail transaction, the Song-Beverly Credit Card Act makes it illegal for a business that accepts credit cards to request personal identification information from a consumer in connection with a credit card transaction. Although the Act contains a number of exceptions, the prohibitory language of the Act is quite broad, and retailers that violate the Act face potentially ruinous liability.
Under the Act, “no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise”[2]. The Act defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
The Act provides for four exceptions to its broad prohibition: (1) if the credit card is being used as a deposit to secure payment; (2) in cash advances; (3) if the merchant is contractually or legally obligated to collect personal identification information; and (4) if the information “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders”[3].
The Act imposes potentially onerous penalties. A merchant can face a civil penalty of up to $250 for the first violation of the Act and up to $1,000 for each subsequent violation. Courts have consistently rejected constitutional challenges to these civil penalties. The California Supreme Court has rejected constitutional objections to the Act’s civil penalties on the ground that the statute “does not mandate fixed penalties; rather, it sets maximum penalties.” According to the California Supreme Court, the fact that courts can exercise discretion protects the civil penalty regime from constitutional attack[4].
The Pineda Opinion
Pineda arose out of a visit that the plaintiff, Jessica Pineda, made to one of the many Williams-Sonoma stores in California. When Ms. Pineda approached the cash register and presented her card, the cashier asked for her ZIP code, which he then recorded. Ms. Pineda later sued Williams-Sonoma, claiming that Williams-Sonoma used her name and ZIP code to perform a reverse data search in order to locate her home address and send her marketing material. Ms. Pineda’s complaint alleged that by requesting and recording her ZIP code, Williams-Sonoma violated the Act. Williams-Sonoma sought to deflect the claim by arguing that a ZIP code is not personal identification information. The trial court agreed. The Court of Appeal upheld this decision relying on an earlier appellate court case[5]. The Supreme Court granted review of Ms. Pineda’s claim.
Its decision in Pineda reverses the lower court’s decisions. Pineda holds that a cardholder’s zip codes falls within the Act’s definition of personal identification information. The decision justifies this conclusion based on the broad language of the Act. It notes that Act’s definition contains open ended language such as “concerning” and “any”[6]. It also rejects Defendant’s claim that a ZIP code cannot be “personal identification information” because it applies to a group of individuals. The decision observes that a ZIP code is part of an address, and it dismisses as irrational the contention that the Act should be to apply to the whole of an address but not its parts.
The decision also reads into the Act a policy justification for the ban on the collection of information from credit card using customers. Pineda explains that a cardholder’s address, telephone number, and ZIP code all “constitute information unnecessary to the sales transaction.” According to the decision, retailers collect such information “for the retailer’s business purposes” such as compiling marketing data or selling the information to other businesses[7]. With a nod to the Act’s legislative history, Pineda holds that the Act to prohibit retailers from soliciting this kind of “unnecessary” information from their customers “for, inter alia, marketing purposes[8].
Impact on Retailers, Merchants, and Processors
The Court’s holding in Pineda is explicitly retrospective[9]. To the extent that firms have collected zip codes from customers in the past, they should be prepared for a wave of class action lawsuits aiming to capitalize on the Pineda decision.
Although Pineda represents a dramatic extension of the Act’s prohibition, firms facing such suits will have some defenses. The decision does not, for example, speak to whether the Act should be read to prevent a merchant from prompting a consumer for their ZIP code for legitimate verification purposes before processing a transaction or whether such conduct will fall within one of the statutory exceptions. Retailers and other merchants may succeed in arguing that some collection of ZIP codes and other personal information falls within the Act’s “special purpose incidental” exception[10].
Pineda is also silent about the extent to which the Act applies to online transactions. One federal court case, Saulic v. Symantec, has held that the Act does not cover online transactions[11]. Saulic explains that “[n]either the language of the Act nor its legislative history suggests the Act includes online transactions[12]. Saulic also recognizes that such transactions raise “unique fraud concerns.” For both reasons, it holds that the Act does not apply in online environments[13]. Although Saulic provides some comfort, it is far from clear that the California Supreme Court will find persuasive Saulic’s justifications for limiting the Act to brick-and-mortar retailers.
In addition to preparing for battles over past practices, firms that accept credit cards and that attempt to gather personal information from customers, as well as the many firms that provide card and information processing, must immediately evaluate their business practices. In order to avoid potentially huge penalties, such firms should look to see whether their practices can be restructured to avoid tripping the Act’s prohibition.
[1] __ Cal.Rptr.3d __, 2011 WL 446921, No. S178241 (Cal. Feb. 10, 2011).
[2] Cal. Civ. Code § 1747.08(a)(2).
[3] Id. § 1747.08(c).
[4] Pineda, 2011 WL 446921, at *7 (quoting Linder v. Thrifty Oil Co., 23 Cal.4th 429, 448 (2000)).
[5] Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008) (holding that a zip code is not “personal identification information” within the meaning of section 1747.08 because it is not facially individualized information).
[6] Pineda, 2011 WL 446921, at *3.
[7] Id. at *4.
[8] Id. (quoting Absher v. AutoZone, Inc., 164 Cal.App.4th 332, 345 (2008)).
[9] Id. at *7.
[10] See Cal. Civ. Code § 1747.08(c)(4).
[11] 596 F.Supp.2d 1323, 1336 (C.D. Cal. 2009)
[12] Id. at 1333-34.
[13] Id. at 1336.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More