California Continues to Shape Privacy Standards: Song-Beverly Act Extended to Email Addresses
Executive Summary: California retailer restricted from requiring a customer email address as part of a credit card transaction. We knew that asking for zip codes is intrusive personal questioning, and now asking for email has been added to the list.
California’s Song-Beverly Credit Card Act (Cal. Civ. Code Sec. 1747 et seq.) (“Song-Beverly Act” or “Act”) restricts businesses from requesting, or requiring, as a condition to accepting credit card payments that the card holder provide “personal identification information” that is written or recorded on the credit card transaction form or otherwise. “Personal identification information” means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the card holder’s address and telephone number.” The California Supreme Court has previously ruled that zip codes are also “personal identification information” under the Song-Beverly Act. See Pineda (Jessica) v. Williams-Sonoma Stores, Inc., 2011 Cal. LEXIS 1502 (Cal. Feb. 10, 2011).
Recently, a United States federal district court in California expanded “personal identification information” to include email addresses in a decision denying retailer Nordstrom’s motion to dismiss claims it violated the Song-Beverly Act. The plaintiff sued Nordstrom for collecting his email address as part of a credit card transaction at one of its California stores in order to email him a receipt, then subsequently using his email address to send him frequent, unsolicited marketing emails. See Capp v. Nordstrom, Inc., 2013 U.S. Dist. LEXIS 151867, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013).
Raising a case of first impression under California law, Nordstrom claimed that email addresses are not “personal identification information” under the Song-Beverly Act, so the Act did not apply. The court disagreed with Nordstrom and found the opposite based on the California Supreme Court’s earlier ruling in Pineda. Nordstrom’s argument that email addresses can readily be changed, unlike zip codes, and consumers can have multiple email addresses was not persuasive. The court held that an email address regards a card holder in a more personal and specific way than a zip code. Unlike a zip code that refers to the general area where a card holder works or lives, email permits direct contact with the consumer and implicates their privacy interests. The court concluded that the collection of email addresses is contrary to the Song-Beverly Act’s purpose to guard against misuse of personal information for marketing purposes. In particular, the plaintiff’s allegation that his email address was collected to send him a receipt and then used to send him promotional emails directly implicates the protective purposes of the Act as interpreted in Pineda.
Pineda held that zip codes are personal information for purposes of the Song-Beverly Act, and therefore a brick and mortar retailer violated the Act when it requested and recorded such data. In the Pineda decision, the California Supreme Court found that zip codes, like the card holder’s address expressly called out as “personal identification information” under the Act, were unnecessary to completing the credit card transaction and inconsistent with the protective purpose of the Act. This is especially true when a zip code is collected to be used with the card holder’s name in order to locate the card holder’s address, permitting a retailer to locate indirectly what it is prohibited from obtaining directly under the Act.
Nordstrom also argued that the plaintiff’s claims under the Song-Beverly Act were preempted by the federal “Controlling the Assault of Non-Solicited Pornography and Marketing Act” (better known as the CAN-SPAM Act), but the court disagreed. While the CAN-SPAM Act contains a preemption provision, it only preempts state laws that regulate the manner in which email messages are sent and their content, both of which are not regulated under the Song-Beverly Act.
Retailer tip: The federal court issuing this most recent decision recommends waiting to request an email address (or a zip code) until after the consumer has the receipt from their credit card transaction in hand, and then sending the consumer emails only in conformance with the CAN-SPAM Act.
In the wake of Pineda, retailers faced class action lawsuits for requesting consumer zip codes at check out. This new decision could have a similar effect.