The California Supreme Court ruled on February 4, 2013, that the provisions of the Song-Beverly Credit Card Act, which prohibit the collection of "personal identification information" as a condition of credit card payment, do not apply to online retailers selling products that are downloaded electronically.
The case is Apple, Inc. v. Superior Court of Los Angeles County (Krescent). In it, Mr. Krescent purchased media downloads from Apple online, and he alleges that Apple required him to provide his address and telephone number as a condition of accepting his credit card as payment. He sued Apple on behalf of himself, and on behalf of a class of similarly situated individuals, for violations of the Act.
Apple disputed that the Act even applied to online transactions, and argued that finding otherwise would undermine its ability to prevent identity theft and fraud.
Justice Goodwin Liu, writing for the majority, analyzed the text of the Act, and specifically, two provisions of the Act:
- California Civil Code section 1747.08(a)(1), which prohibits retailers from requesting, or requiring as a condition to accepting the credit card as payment, that the cardholder write any personal identification information upon the credit card transaction form or otherwise, and
- California Civil Code section 1747.08(a)(2), which prohibits retailers from requesting or requiring the cardholder to provide personal identification information, which the retailer writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
Justice Liu first noted that the text of the statute made no reference to the Internet or online transactions, which was not surprising given that it was enacted in 1990. "In 1990, the idea of computerized transactions involving the sale and purchase of virtual products was beyond any legislator's imagination. Such technology was not even a twinkle in Steve Jobs's eye; at the time, Jobs had just begun to experiment with the concept of 'interpersonal computing,'" wrote Liu.
However, he noted that laws adapt and can be applied to later-developed technologies.
Looking at the statutory scheme as a whole, he noted that the Legislature was balancing two competing concerns. "While it is clear that the Legislature enacted the Credit Card Act to protect consumer privacy, it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud."
Moreover, the legislative history indicated that the provisions were only enacted after carefully considering and rejecting the possibility that the collection of personal identification information by brick-and-mortar retailers could serve a legitimate purpose such as fraud prevention. Brick-and-mortar retailers had other means to verify the identity of the purchaser using the credit card, such as comparing the signature on the receipt to the back of the card, contacting the credit card center for approval, or requiring customers to show their driver's license, provided the information was not written down. Thus, with these tools available, collecting personal information was not necessary to prevent fraud. The goal of the legislation was to prohibit retailers from convincing customers that the collection of information was necessary to complete the transaction, when in fact it was not, and was instead being used for business purposes, such as marketing.
On the other hand, Justice Liu was not convinced that the Legislature would make the same policy decision if it were faced with the type of transaction in which the standard mechanisms for verifying a cardholder's identity were not available.
"Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer's photo identification." As such, Justice Liu could not see applying the prohibitions against collecting information to online retailers, when the safeguards against fraud are not available to them.
Loss of Consumer Protection?
Justice Kennard and Justice Baxter wrote separately in dissent raising concerns that the opinion removed significant protections for consumers, and "leaves online retailers free to collect and use the personal identification information of credit card users as they wish" (dis. opn. by Baxter, J., at p. 1).
If these measures seem inadequate, Liu wrote, then it is for the Legislature to craft additional protections. "It is not our role to opine on this important policy issue. We merely hold that section 1747.08 does not govern online purchases of electronically downloadable products because this type of transaction does not fit within the statutory scheme."
Further, he clarified that the Court was not holding that any specific type of information was necessary to combat fraud and identity theft, just that there must be "some mechanism" for online retailers to verify that a person using a credit card is authorized to do so.
Although the Court found that the prohibitions in the Act did not apply to online retailers, it did so only in the context of transactions involving downloadable products. The Court did not decide whether the Act applies to online transactions not involving downloadable products, or any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer, such as mail or telephone orders.
Given the strenuous objections by Justices Kennard and Baxter, and Justice Liu's invitation for the Legislature to review the issue, a legislative response to this decision may soon be forthcoming.