On February 4, 2013, the California Supreme Court issued its much-anticipated opinion in Apple Inc. v. Superior Court. The decision holds that the Song-Beverly Credit Card Act of 1971 ("Song-Beverly" or "the Act")1 "does not apply to online purchases in which the product is downloaded electronically."2 Although the holding only addresses the purchase of digital goods, the decision should provide substantial comfort to many online merchants, retailers and other entities that gather personal information and accept credit card information over the internet. The Court's analysis, including its observation that the statute explicitly permits merchants to collect information to prevent fraud, should have broader application in other Song-Beverly cases involving online purchases of services and physical goods.

The Song-Beverly Act and Pineda v. Williams-Sonoma Stores, Inc.

Enacted when payment cards accounted for only a small number of retail transactions, the text of Song-Beverly prohibits merchants from requesting or requiring a customer's personal identification information ("PII") as a condition of accepting a credit card payment.3 The statute defines PII as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number."4

The Act provides exceptions to its otherwise broad prohibition in circumstances where the merchant is contractually or legally obligated to collect personal identification information.5 The Act also includes an exception for information that "is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders."6 More recently, a 2011 amendment to the Act created an exception for pay-at-the-pump gas station transactions where ZIP codes are collected "solely for prevention of fraud, theft, or identity theft."7 Despite the existence of these statutory exceptions, the prohibitory language of the Act is vast, and those found to have violated the Act face potentially ruinous liability. A merchant can face a civil penalty of up to $250 for the first violation and up to $1,000 for each subsequent violation.8

The Court's most recent statement on the Act was in 2011 in Pineda v. Williams-Sonoma Stores, Inc. 9 In Pineda, the Court concluded that PII includes "not only a complete address, but also its components," including a ZIP code, and that simply "requesting and recording a cardholder's ZIP code, without more" is a violation of the statute.10

Pineda launched a wave of class action litigation aimed at retailers, merchants, and credit card processors seeking civil penalties in hundreds of lawsuits filed on behalf of California consumers. Although Pineda involved an in-person transaction and said nothing about the Act's application to online commerce, the resulting lawsuits have been targeted at both traditional brick-and-mortar retailers, as well as online businesses such as Amazon, PayPal, Craigslist, StubHub, and Microsoft. In many of these cases, the defendants have argued that the Act does not apply to online transactions, and that the information collected from customers who purchase goods and services online using credit cards is necessary for fraud-prevention purposes.

Apple Inc. v. Superior Court (Krescent)

Mr. Krescent's case against Apple, Krescent v. Apple Inc.,11 fits this mode. Mr. Krescent, alleged that Apple violated the Act when it required him to provide his address and telephone number as a condition to accepting a credit card as payment for media downloads purchased on Apple's iTunes service. Apple asked the trial court to reject the complaint at the threshold, arguing in a demurrer that the Act does not apply to online transactions. The trial court rejected this argument, stating that it was "not prepared, at the pleading stage, to read the Act as completely exempting online credit transactions from its reach."12 Apple asked the California Supreme Court to review this decision. Its petition teed up a relatively narrow question for the Court—whether the Act prohibits online retailers from requesting or requiring PII from customers as a condition to accepting credit card payments for online purchases.

On appeal, Apple argued that the Legislature never intended the Act to apply to internet commerce, which did not even exist when the statute was created in 1990-91. According to Apple, a contrary reading of the statute would facilitate credit card fraud and identity theft because online retailers have no way of verifying a customer's identity without asking for information whose collection is prohibited under the Act. Apple pointed out that the purpose of the statute was not only to protect consumer privacy, but also to facilitate fraud-prevention mechanisms for merchants.

Mr. Krescent argued that Apple had no legitimate purpose for requesting his address and phone number because he purchased digital goods, which did not need to be shipped to his physical address. Mr. Krescent also relied on the 2011 amendment creating an exception that permitted gas stations to collect ZIP codes at automated gas pumps. According to Mr. Krescent, the Legislature's failure to provide a similar exception for other "remote transactions," including online purchases, meant that the Act's broad prohibition was intended to cover e-commerce transactions.

Various groups filed amicus curiae briefs in the case, including eBay Inc., represented by Paul Hastings LLP. eBay led a coalition of e-commerce merchants including Walmart.com USA LLC, NetChoice, and the California Retailers Association that filed an amicus brief explaining in detail how the application of the Act to online transactions would undermine the efforts of e-commerce merchants to protect consumers and themselves from credit card fraud.

After hearing argument in the case on November 7, 2012, the Court ruled in favor of Apple on February 4, 2013. Although the Court's holding only addressed the specific factual scenario before it—i.e., whether the Act applies to purchases of electronically-downloadable products—the decision suggests that the Act was never intended to apply to online transactions, especially if doing so would prevent merchants from effectively preventing credit card fraud and identity theft.

The Apple Opinion

The decision opens with an examination of the statutory text. The examination concludes that the plain language of the statute does not answer the precise question before the Court, recognizing "that the Legislature, at the time it enacted [an earlier version of the Act], did not contemplate commercial transactions conducted on the Internet." But it does identify in the text an effort on the part of the Legislature to strike a balance between protecting privacy and reducing fraud. According to the Court, the Act seeks to protect privacy but not "at the cost of creating an undue risk of credit card fraud."

The Court's reading of the Act pivots on a section of the statute that permits brick-and-mortar retailers to require cardholders to show a driver's license or other "reasonable forms of positive identification" as a condition of accepting a credit card, and to record the driver's license number if the cardholder refuses to make the card available for verification.13 The decision describes this provision as a "key antifraud mechanism" in the brick-and-mortar world and reads into it a legislative judgment that consumers and retailers "have an interest in combating fraud."

Having discerned in the Act an effort to balance fraud prevention with privacy, the decision concludes that the Act should not be read to put online merchants at a disadvantage to their offline brethren. It explains that online merchants, unlike offline merchants, cannot physically inspect cards presented by consumers. Although the decision does not specify what information—e.g., full address, ZIP code, telephone number—a merchant might collect for fraud-prevention purposes, it explicitly holds that the Legislature intended for retailers to have "some mechanism by which retailers can verify that a person using a credit card is authorized to do so."

The decision rejects the claim that the 2011 amendments support a more expansive reading of the Act. The decision labels this argument "counterintuitive," explaining that it would seem odd for the Legislature to protect the ability of gas station owners to prevent fraud while leaving the "multibillion dollar" online retail industry without similar means of protecting themselves and consumers from fraud.

In response to the arguments by the dissenting Justices that the Court's reading of the Act pays insufficient interest to privacy, the decision notes that several other state and federal statutes fill any perceived gaps. As the decision explains, existing statutory protections, including the California Online Privacy Protection Act of 200314 and the federal Telephone Consumer Protection Act of 1991,15 protect consumers' interests with regard to the collection and use of personal information.

Impact of the Opinion

The immediate impact of the Court's decision is quite clear. Online merchants selling digital goods do not need to worry about the Song-Beverly Act.

But the Court's decision may have much broader implication for online sellers of services and physical goods. The Court concludes by suggesting that the Act may not apply to any online transaction:

Having thoroughly examined section 1747.08's text, purpose, and history, we are unable to find the clarity of legislative intent or consistency with the statutory scheme necessary to conclude that the Legislature in 1990 intended to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the Credit Card Act.

Footnotes

1 Cal. Civ. Code § 1747 et seq.

2 Apple Inc. v. Superior Court, S199384 (Cal., Feb. 4, 2013)

3 Cal. Civ. Code § 1747.08.

4 Cal. Civ. Code § 1747.08(b).

5 Cal. Civ. Code § 1747.08(c)(3)(A) and (C).

6 Cal. Civ. Code § 1747.08(c)(4).

7 Cal. Civ. Code § 1747.08(c)(3)(B).

8 Cal. Civ. Code § 1747.08(e).

9 51 Cal. 4th 524 (2011).

10 Id. at 527-28 and 531.

11 Krescent v. Apple Inc., Los Angeles Superior Court Civil Case BC 463305.

12 After the Court of Appeal denied Apple's petition for writ of mandate seeking review of the trial court's order, the California Supreme Court granted Apple's petition for review.

13 Cal. Civ. Code § 1747.08(d).

14 Cal. Bus. & Prof. Code § 22575 et seq.

15 47 U.S.C. § 227.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.