The California Supreme Court recently issued a landmark ruling in Apple Inc. v. Superior Court (formerly Krescent v. Apple Inc. in trial court proceedings), a case with wide-reaching implications for consumer privacy in e-commerce. The issue before the Court was whether California’s Song-Beverly Credit Card Act (the Act), which generally prohibits retailers from collecting or requesting personal identification information (PII) as a condition of accepting credit card payments, should apply to online retailers. The Act, which defines PII to include customer addresses and telephone numbers, has traditionally been applied to “brick and mortar” businesses.
In Apple Inc., the Court rejected the plaintiff’s effort to expand the Act, holding that—based on the statute’s text, structure and purpose—the Act does not apply to web-based credit card transactions involving electronic or downloadable purchases.
The Court began by noting that because the law was enacted in 1990, when Internet commerce “was not even a twinkle in Steve Jobs’s eye,” its text alone could not be conclusive on the issue. Instead, the Court looked to the purpose of the Act, namely, consumer protection. The Court was persuaded by arguments—identical to those advanced by Perkins Coie on behalf of some of its e-commerce clients—that web merchants and consumers alike would be at unreasonable risk of fraud without the ability to collect some personal information during the transaction for verification. Noting that the heightened need for identity verification in the digital age created some tension with the statute’s privacy aims, the Court explained that “[w]hile it is clear that the Legislature enacted the . . . Act to protect consumer privacy, it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud.”
The Court also relied heavily on a provision in the law that allows retailers to request positive identification and even to record identification information in transactions where the card is not physically present. This proviso, the Court wrote, “demonstrates the Legislature’s intent to permit retailers to . . . combat fraud and identity theft—objectives that not only protect retailers but also promote consumer privacy.” The Court reasoned that this supported interpreting the statute to not bar collection of PII during online transactions.
The decision is also notable for what it does not include—the Court expressly did not resolve what types of information may be essential for verification purposes online. The Court held only that there must be some mechanism by which retailers can verify that a person using a credit card is authorized to do so. In the Court’s view, “[n]o such mechanism would exist in the context of online purchases of electronically downloadable products if the statute were read to apply to such transactions.”
The Court also expressly indicated that it was not deciding whether the Act applied to the online sales of physical goods or to other transactions (such as mail or telephone orders) in which there is no face-to-face interaction between customer and retailer. In dicta, however, the Court observed that it “[did] not think such transactions, which often involve shipping [or] delivery . . . of the purchased merchandise . . . are readily likened to online purchases of electronically downloadable products with respect to possible means of preventing or detecting fraud.”
Ultimately, the Court resolved that because attempting to apply the decades-old statute to e-commerce was like trying to “make a square peg fit a round hole, [it] must conclude that online transactions involving electronically downloadable products fall outside the coverage of the statute.”
Contact counsel to discuss how this decision affects your legal rights and responsibilities as an online merchant, and check back here for more updates on this and related issues.