Online retailers do not violate California's credit card privacy law by requiring consumers to provide personal information, including their addresses and phone numbers, as a condition of accepting credit card payments for electronic downloads, the California Supreme Court ruled Feb. 4, 2013. A split court issued the ruling in Krescent v. Apple Inc., a putative class action against Apple by a consumer who purchased downloads from Apple's iTunes Store. The court held that California's Song-Beverly Credit Card Act does not apply to online credit card purchases that are delivered electronically. The ruling stands in contrast to the court's 2011 ruling in Pineda v. Williams-Sonoma Stores, Inc., in which the same court concluded that ZIP codes constitute personal identification information within the meaning of the statute and that the Act prohibits retailers from requesting or recording this information as a condition of credit card sales for physical goods during face-to-face transactions at "a traditional brick-and-mortar business."
Plaintiff David Krescent sued Apple, individually and on behalf of a putative class of similarly situated individuals, for alleged violations of the Act, alleging that he purchased media downloads from Apple on various occasions and that, as a condition of completing the credit card transactions and receiving those downloads, Apple required him to provide his telephone number and address. Krescent also alleged that Apple records customers' personal information, but that the company is not contractually or legally obligated to collect customers' telephone numbers or addresses in order to complete credit card transactions and does not require this information for any special purpose incidental but related to credit card transactions, such as shipping or delivery. The complaint also alleged that even if credit card processing companies did require a valid billing address or credit card identification number to complete a transaction, under no circumstance would they require plaintiff's telephone number to complete his transaction, and therefore Apple did not need plaintiff's phone number to complete a media download transaction.
Apple sought to have the case dismissed, arguing that the Act did not apply to online transactions and for the court to hold otherwise would undermine fraud detection and prevention efforts. The lower court declined to adopt Apple's argument. Acknowledging that Apple's argument with respect to preventing credit card fraud had appeal, the trial court noted that the Act is silent on exempting online credit card transactions and the court was therefore not prepared, at this preliminary stage, to read the Act as completely exempting online credit transactions from its reach. While the lower court suggested that resolution of the issue by an appellate court might materially assist the resolution of the litigation, the Court of Appeal, the intermediate appellate court, denied Apple's petition for review. The California Supreme Court then granted the company's petition for review.
After reviewing the statute, the California Supreme Court concluded that the language did not conclusively resolve the issue, noting that the legislature enacted the Act in 1990 and did not contemplate online or Internet transactions at that time, and that an examination of the entire statutory scheme was necessary to determine whether it is "applicable to a transaction made possible by technology that the legislature did not envision." According to the court, the purpose of the Act clearly is to protect consumer privacy - to prevent retailers from collecting information not otherwise necessary for credit card transactions, because of existing fraud protection procedures, leading consumers to believe that this personal information was required to complete the transactions and then be used for unsolicited marketing purposes later. In the case of online purchases, however, those identification and fraud protection mechanisms are not available to the retailer. "Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer's photo identification." As a result, the court could not conclude that if the legislature in 1990 had been able to anticipate online transactions involving electronically downloadable products, it would have intended the Act's prohibitions to apply to those transactions, despite the unavailability of those safeguards.
Because the statutory scheme and legislative history make clear that the legislature's concern was that retailers have some mechanism by which to verify that a person using a credit card is authorized to do so, and because no mechanism would exist in the context of online purchases of electronically downloadable products if the Act applied to those transactions, the court concluded that the legislature could not have intended the Act to apply to these transactions.
Addressing the three dissenting justices, who argued that the ruling represents "a major win for these sellers but a major loss for consumers, who in their online activities already face an ever-increasing encroachment upon their privacy," the four justices in the majority countered that "[t]hese ominous assertions, though eye-catching, do not withstand scrutiny." Specifically citing the California Online Privacy Protection Act and the federal Telephone Consumer Protection Act and related regulations, the court reasoned that existing state and federal privacy laws limited the collection and use of personally identifiable information for unwanted commercial solicitation.
In sum, the California Supreme Court concluded: "Having thoroughly examined [the Act's] text, purpose, and history, we are unable to find the clarity of legislative intent or consistency with the statutory scheme necessary to conclude that the legislature in 1990 intended to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products - and the novel challenges for privacy protection and fraud prevention that such commerce presents - within the coverage of the Credit Card Act." According to the court, the legislature intended to safeguard consumer privacy while also protecting retailers and consumers against fraud, and "this accommodation of interests" would not be achieved if the court read the Act to apply to online transactions involving electronically downloadable products. "Because we cannot make a square peg fit a round hole, we must conclude that online transactions involving electronically downloadable products fall outside the coverage of the statute."