Collecting 'Personal Identification Information' During Credit Card Transactions -- Latest Developments
In March 2013, we published an article concerning the then latest wave of class action litigation arising under the Massachusetts Consumer Protection Act (Chapter 93A) in the wake of Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013). As we explained, the Massachusetts Supreme Judicial Court (SJC) concluded in Tyler that, to state a claim for relief under Chapter 93A, a consumer had to plead and prove some harm or injury separate and distinct from the underlying statutory violation to assert a Chapter 93A damages claim (and to recover statutory fees and costs). The Chapter 93A violation in Tyler arose from the retailer’s collection of customer ZIP codes (allegedly in violation of Chapter 93, Section 105(a)) (Section 105(a)) and the later use by the retailer of those ZIP codes to obtain consumer physical mailing addresses and (1) sending unwanted marketing materials to those consumers at those addresses or (2) otherwise selling consumer “personal identification information” (PII) (i.e., the necessary separate and distinct harm caused by the violation of Section 105(a)).
Since the March 2013 Alert, many retailers doing business in Massachusetts have responded to Chapter 93A demand letters and defended actual litigation alleging that a retailer’s point-of-sale and marketing practices ran afoul of Section 105(a)/Chapter 93A in connection with collecting and using customer ZIP codes. Recently, some plaintiffs' class-action lawyers have been using the Tyler decision to challenge retailers’ e-mail collection practices as well. This, no doubt, marks an attempt to further expand the reach of Section 105(a) and develop another theory to seek class-wide relief against retailers under Chapter 93A.
In doing so, some plaintiffs’ lawyers rely on a decision arising under California’s Song-Beverly Credit Card Act of 1974 (Song-Beverly) (a statute similar to Section 105(a)) from the United States District Court for the Eastern District of California, entitled Capp v. Nordstrom, Inc., No. 2:13-cv-00680-MCA-AC. In Capp, Nordstrom allegedly requested and recorded plaintiff Capp’s email address for the purpose of sending him an electronic receipt of his transaction. Shortly after the sale, however, Capp allegedly received unsolicited marketing materials by e-mail from Nordstrom in addition to his e-receipt. The District Court denied Nordstrom’s motion to dismiss Capp's complaint, which was based on the argument that (1) an e-mail address was not PII under Song-Beverly and (2) the CAN-SPAM Act of 2003 preempted Capp's Song-Beverly claim. Although dealing with these issues under Fed. R. Civ. P. 12(b)(6), the District Court concluded that an e-mail address constituted PII because retailers could use the e-mail address along with a customer's credit card information to locate the customer's physical mailing address (which, like Section 105(a), does constitute PII under Song-Beverly). In addition, the alleged act of asking for an e-mail address for one arguably proper purpose, then allegedly using it for another, according to the District Court, directly implicated the purpose of Song-Beverly as articulated by the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011). Next, the District Court in Capp concluded that CAN-SPAM did not preempt Song-Beverly based on an express "savings clause" in preserving the reach of state statutes that are not specific to e-mails. In doing so, the District Court explained that Song-Beverly can be reconciled with CAN-SPAM as a retailer:
can easily conform its conduct to the proscriptions in both acts . . . by [waiting] until “after the customer has already received her [written] receipt” to request the customer's email address . . . and then send[ing] commercial e-mail messages to conform to the prescriptions of CAN-SPAM without the prospect of liability under either statute.
Notwithstanding whether (1) the SJC would conclude that an e-mail address is PII under Section 105(a), (2) sending e-mails in compliance with CAN-SPAM would even violate Chapter 93A (unlike Song-Beverly, Chapter 93A has an express exemption clause for transactions “otherwise permitted” under federal law, i.e., Mass. Gen. Laws ch. 93A, § 3), or (3) sending an unsolicited commercial e-mail message would constitute a separate and distinct harm underTyler, retailers should review their e-mail collection policies and practices to make sure that, among other things, e-mails are requested and collected outside of credit card transactions and the reason for the request (i.e., to send marketing emails and not just e-receipts) is disclosed to consumers. This should assist in limiting the need to respond to and defend Tyler-like demand letters and litigation in Massachusetts. Finally, beyond California and Massachusetts, many other states have laws governing the collection of personal identification information. Retailers doing business in other states should review local laws to ensure compliance.