[co-author: Desiree Hunter-Reay]

The California Song-Beverly Credit Card Act (the “Act”) – an act intended to protect the personal privacy of individuals during credit card transactions – may very well become the new trend in California privacy litigation. On Wednesday, three prominent privacy class action firms filed five nearly identical complaints against large retailers predicated on the use of web-tracking technologies during online credit card transactions, which the plaintiffs allege improperly collect and record consumers’ personal identification information.[1] Specifically, the plaintiffs allege that the defendants improperly require consumers to provide their “first and last name, home address, e-mail address, ZIP code, and IP address, in connection with every credit card transaction," which the defendants subsequently use for “sophisticated, undisclosed, and targeted marketing efforts including, but not limited to, through social media marketing companies and the use of tracking technologies” without consumers’ knowledge or consent, in violation of the Act.

The Act, which took effect in 1971, long before the rise of e-commerce, governs credit card transactions for goods and services.[2] Generally, the Act prohibits retailers from requesting from consumers’ “personal identification information” during or before the credit card transaction and creating a record of that transaction (generally, a receipt) that includes the personal identification information provided.[3] In the past, application of the Act was relatively straightforward. For the most part, one needed only to look at the receipt to determine whether a potential violation had occurred.

This new surge in web-tracker litigation could make application of the Act far more complex. There can be no dispute that in most online transactions, requesting and obtaining “personal identification information” is a necessary part of the transaction, given that retailers generally have to verify that the person using the credit card is actually authorized to use the credit card and such transactions normally require some form of shipping. Collection of personal identification information for either of those reasons is lawful under the Act.[4]

The question raised in these new suits is whether the collection of additional information (i.e., IP addresses) that is arguably not necessary to complete any action expressly permitted by the Act (i.e., verification or shipping) renders that collection unlawful.

As an initial matter, the Act prohibits the collection of “personal identification information” only.[5] The Act defines “personal identification information” as any information concerning the cardholder not set forth on the credit card, including the cardholder’s address and telephone number.[6] Clearly, an IP address is “not set forth on the credit card,” but does it actually “concern the cardholder”? As several courts have noted, IP addresses do not necessarily identify individuals. For example, IP addresses can be “dynamic” or “static.”[7] For dynamic IP addresses, which are usually used for “residential internet connections, whether broadband or dial-up” (i.e., by consumers), “a person using that address one month may not have been the same person using it the next.”[8] In fact, “[i]n order to use a dynamic IP address to identify the name and residential address of its user, a court order must ask the owner of that IP address, i.e., the internet service provider (ISP), who used the particular IP address on the date in question.”[9] Put another way, an IP address, in most instances, cannot be used to identify a consumer. Therefore, can an IP address really be deemed to “concern a cardholder” under the Act?

While this argument may have some appeal, it likely is not, in and of itself, the death knell of these new claims. Numerous courts have found that an IP address can provide the general location of a consumer,[10] much like a ZIP code can, and courts have found that requesting a ZIP code in connection with a credit card transaction can be violative of the Act.[11]

Beyond the “concerning a cardholder language,” there is a question of whether IP addresses are personally identifiable information in the first place. Courts have struggled to answer this question, albeit in the context of different statutes. For example, in In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262 (3d Cir. 2016), the Third Circuit found that an IP address did not constitute personally identifiable information in the context of the federal Video Privacy Protection Act, 18 U.S.C. § 2710. One year later, the U.S. District Court for the Central District of California found the opposite in In re Vizio, Inc., Consumer Priv. Litig., 238 F. Supp. 3d 1204 (C.D. Cal. 2017).

Finally, there is a practical problem with these new claims: An online retailer cannot operate a website without obtaining a consumer’s IP address. As the U.S. District Court for the District of Minnesota explained, absent “recording the IP information sent to” website operators, “the Internet could not function because standard computer operations require recording IP addresses so parties can communicate with one another over the Internet.”[12] In other words, while collection of an IP address is not necessarily “required for a special purpose incidental but related to the individual credit card transaction,” it is necessary to even allow the consumer to visit the website at all.

Ultimately, whether this new theory of liability holds water is unclear. What is clear, however, is that plaintiffs are pushing, and will continue to push, the bounds of privacy litigation in California. And, not surprisingly, their means of doing so generally comes with the threat of statutory damages.

[1] Fritszche v. Eero, LLC, Superior Court of the State of California County of Contra Costa; Semain v. Patagonia, Inc., Superior Court of the State of California County of Ventura; Hopton v. Lamps Plus, Inc., Superior Court of the State of California County of San Diego; Sawyer v. Vuori, Inc., Superior Court of the State of California County of San Diego; Montgomery v. ThirdLove Inc., Superior Court of the State of California County of San Francisco.

[2] Cal. Civ. Code § 1747.08(a).

[3] Cal. Civ. Code § 1747.08(a).

[4] The Act permits retailers to request personal identification information in connection with a credit card transaction where (1) the retailer “is contractually obligated to provide personal identification information in order to complete the credit card transaction” or (2) the collection “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” Cal. Civ. Code § 1747.08 (c)(3)(A), (C).

[5] Cal. Civ. Code § 1747.08(a).

[6] Id. at 1747.08(b).

[7] State v. Shields, No. CR06352303, 2007 WL 1828875, at *6 (Conn. Super. Ct. June 7, 2007), aff’d, 124 Conn. App. 584, 5 A.3d 984 (2010), aff’d, 308 Conn. 678, 69 A.3d 293 (2013).

[8] Id.

[9] Id.

[10] In re Strike Three Holding, LLC Cases v. Doe, No. 118CV00596MCEGGH, 2018 WL 2949825, at *2 (E.D. Cal. June 13, 2018) (“An IP address provides only the location at which one of any number of computer devices may be deployed, much like a telephone number can be used for any number of telephones.”).

[11] See Hernandez v. Restoration Hardware, Inc., 4 Cal. 5th 260, 264 (2018).

[12] Capitol Recs. Inc. v. Thomas-Rasset, No. CIV 06-1497(MJD/RLE), 2009 WL 1664468, at *3 (D. Minn. June 11, 2009).

[View source.]