The plaintiffs’ bar has added a new tool to its arsenal to target cookies, pixels, and similar online tracking tools and the businesses that use them: the California Song-Beverly Credit Card Act of 1971 (“Act”). This pre-internet California state law was amended in 1995 to protect customer privacy during credit card transactions. Over the past six months, plaintiffs have revived the Act and filed a wave of lawsuits against online retailers alleging their use of online tracking tools violates this decades-old law.
This post summarizes the Act, unpacks the plaintiffs’ theory in these lawsuits, and offers practical takeaways to help mitigate risk surrounding online tracking tools.
The Song-Beverly Credit Card Act of 1971
The Act prohibits businesses from requesting or requiring certain personal identification information (“PII”), such as an address or a phone number, from an individual as a condition of completing a credit card transaction. The Act also prohibits businesses from recording this information (generally on a receipt) unless it’s necessary for specific purposes like shipping, to fulfill contractual obligations, or to prevent fraud. Act violations carry statutory damages that start at $250 for the first offense and rise to $1,000 for subsequent violations.
Plaintiffs seek to apply the Act to online transactions.
The Act has historically applied to traditional brick-and-mortar retail environments. Recently, however, plaintiffs driven by the prospect of statutory damages have argued that ecommerce businesses are improperly collecting IP addresses—and other PII—during online credit card transactions and that this information is then used to target marketing efforts to consumers, in violation of the Act. Their claims focus on widely-used web-tracking technologies that automatically collect this PII from customers who visit these businesses’ websites and allege that customers cannot complete their online credit card transactions without the businesses collecting this PII. The plaintiffs allege, therefore, that the businesses violate the Act every time a customer completes an online purchase.
Claims Under the Act Face an Uphill Battle.
Existing caselaw from the California courts suggests that these claims face an uphill battle. In 2013, for example, the California Supreme Court ruled in Apple Inc. v. Superior Court that the Act does not cover online purchases involving downloadable products. 292 P.3d 883, 884 (Cal. 2013). In Apple, the Court carefully reviewed the Act’s legislative history and determined that the Act was intended to help protect consumer privacy, but not at the cost of exposing retailers and customers to fraud. To that end, the Court took issue with the Act’s lack of explicit exceptions for fraud prevention when verifying identity through traditional means (like a photo ID) isn’t possible. The Court also pointed to the California Online Privacy Protection Act (“CalOPPA”) as demonstrating that the California legislature “knows how to make clear that it is regulating online privacy and that it does so by carefully balancing concerns unique to online commerce.”
Apple’s holding was limited to online transactions involving a downloadable product, but other courts have similarly refrained from extending the Act to other types of online transactions. In Ambers v. Beverages & More, Inc., 186 Cal. Rptr. 3d 533, 538 (Cal. Ct. App. 2015), for instance, the California Court of Appeals refused to apply the Act to a transaction in which a customer completed a purchase online but picked it up in-store. Similarly, in Ambers v. Buy.com, Inc., 617 Fed. Appx. 728, 730 (9th Cir. 2015), the Ninth Circuit Court of Appeals refused to apply the Act when a plaintiff was asked to provide his phone number when he ordered a set of DVDs online to be shipped to his home. Relying on the reasoning in Apple and Ambers v. Beverages & More, Inc., the Ninth Circuit Court of Appeals found the Act inapplicable to online credit-card transactions where merchandise is shipped directly to the customer, and theorized that the California Supreme Court “probably would decline to extend the Act to apply to online transactions.”
IP addresses are an awkward fit for the Act.
In the latest wave of lawsuits regarding online tracking technologies, Plaintiffs allege that these tools collect IP addresses in violation of the Act. It’s far from clear, however, that IP addresses constitute PII under the Act. The Act prohibits the collection of “personal identification information,” which means any information concerning the cardholder that does not appear on their credit card (e.g., address, phone number, zip code, or email). IP addresses do not, standing alone, necessarily identify an individual. And to date, no court has decided that an IP address constitutes “information concerning the cardholder” under the Act.
Further, many web tracking tools collect users’ IP addresses the moment they land on a particular webpage, regardless of if that user makes a purchase. The Act, however, only prohibits a retailer from requesting or requiring PII “as a condition” of the transaction. In an effort to satisfy that test, plaintiffs have alleged that a customer cannot progress to the credit card transaction screen without the tools collecting their IP address. But whether California courts would consider that design feature to make collection of the IP address “a condition of” the transaction remains to be seen.
Don’t forget about state wiretap laws or the VPPA.
Although the weight of authority and the practical considerations would seem to limit the Act’s applicability to the collection of IP addresses in online transactions, this latest wave of suits is only the most recent example of plaintiffs seeking to apply laws that were passed to address offline behavior to modern online activities. Over the past two years, plaintiffs have also brought dozens of class action lawsuits against businesses alleging that cookies, pixels, and other online tracking tools violate state wiretap laws and the Video Privacy Protection Act (“VPPA”). These new lawsuits serve as a good reminder that these online tracking tools remain in the plaintiffs’ crosshairs.
It is time to inventory your website’s data collection practices.
As the lawsuits under the Act continue to make their way through the courts, businesses can take the following proactive steps to limit their risk related to online tracking tools:
- Understand what technology is running on your organization’s website. Are you relying on cookies, pixels, or other online tracking tools?
- Ensure your privacy policy is up-to-date and accurately discloses what information your website is collecting, and how you are using and sharing that information.
- Where appropriate, include opt-out and consent mechanisms to ensure that your users are aware of and agree to your use of cookies, pixels, and other similar tools.
