Building a customer base is time-consuming and expensive. Engaging existing customers is often easier and more profitable than acquiring new customers. In the US, email and other targeted marketing is a low-cost and high-ROI way to foster this engagement, which makes collecting customers’ email addresses (and other personal information) a high priority for marketers. But, marketers beware: laws in California and Massachusetts that limit the collection of email addresses (and other personal information) at the point of purchase are an increasingly popular source of class action legal risk. While the laws in California and Massachusetts are popular with plaintiffs’ counsel now, several other states have similar laws, which apply to different categories of information (e.g., some state laws only apply to address and telephone number) and transactions and have varying enforcement mechanisms (e.g., criminal penalties or state attorney general enforcement).
Key Takeaways
- Ensure that retail location staff understand that the collection of a customer’s personal information that is not required to complete a transaction must be the customer’s choice. Requesting a customer email address or other contact data during the purchase process – such as for tailored discounts and rewards – is permitted as long as the customer knows it is voluntary, i.e., not required to complete the purchase transaction. Further, to avoid errors and discourage claims, clearly delineate subscriptions from transactions by separating sign-ups from purchases.
- Check that etailer (i.e., e-commerce stores) purchase transaction flows do not require additional personal information that is not necessary to complete the transaction and clearly disclose to customers what is and is not required.
- Beware of personal information collection by cookies, pixels and similar technology active on purchase transaction web pages.
- Implement written policies and procedures – whether online or off – to document what personal information collected is mandatory vs. voluntary.
Concerns about misuse of personal information collected during a credit card purchase led states to pass laws that prohibit sellers from requiring (or requesting in a manner that implies that the information is necessary) that the purchasing consumer provide personal information not required to effectuate the credit card purchase. Collection of personal information that consumers voluntarily provide during the purchase process is not, however, prohibited. Absent clear separation of marketing data collection from mandatory purchase transaction data collection, enterprising plaintiffs’ lawyers may claim that the ancillary data collection was not voluntary.
While the proliferation of state consumer privacy laws has focused attention on personal information practices generally, now is an especially good time for retailers and etailers to revisit their personal information collection practices in connection with credit card purchases. These laws spawned numerous class actions for years and then became less commonplace. They’re baaaaack! Three new complaints accuse businesses of violating Massachusetts General Law Chapter 93 § 105(a) (“Massachusetts Law”) by requiring a customer to provide an email address when making a credit card purchase online. See Magnuson v. GameStop Corp., Mass. Super. Ct., No. 2484-CV-02058 (August 5, 2024); DeFelippis v. Bloomingdale’s Inc., Mass. Super. Ct., No. 2484-CV-02059 (August 5, 2024), and Carr v. BG Retail, LLC, Mass. Super. Ct., No. 2484-CV-02060 (August 5, 2024). Plaintiffs’ lawyers are also floating a new theory in these new lawsuits: tracking technologies like cookies or pixels, when associated with checkout pages, collect personal identification information during, but not necessary for, payment processing.
The Massachusetts Law prohibits businesses from asking for or recording “personal identification information” from customers during credit card transactions unless that information is required by the credit card issuer or necessary for shipping, delivery, installation of purchased items, or for warranty purposes. The term “personal identification information” is broadly defined: “Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.” Personal identification information also includes the credit card holder’s address or telephone number, as well as zip code. Tyler v. Michaels Stores, Inc., 464 Mass. 492, 984 N.E.2d 737 (2013).
Like the Massachusetts Law, California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747.08, (“Song-Beverly Act”) prohibits businesses from requesting “personal identification information” before or during a credit card purchase and recording that personal information on the receipt or elsewhere in a customer record. Like the Massachusetts Law, the term “personal identification information” is broadly defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to the cardholder’s address and telephone number.” Class actions alleging violations of the Song-Beverly Act also were filed this year based on the collection of personal identification information – including IP address – during e-commerce transactions.
The following are answers to key questions for retailers and etailers:
What customer personal identification information is protected?
It would be safe to assume that data that relates to an identified or identifiable individual is personal identification information. But for the most part, litigation has been focused on specific types of personal information, such as zip code and email address. Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524 (2011) found that ZIP codes constitute personal identification information, much like in the Massachusetts decision in Tyler. The typical complaint against the collection of this personal identification information revolves around consumers receiving unsolicited and unwanted marketing materials.
As alleged in the Magnuson complaint, Magnuson purchased a device through the defendant’s website and, as part of the checkout process, GameStop required his email address. Email address was not required to complete the transaction, as it was not required for shipping, delivery, installation, or any other purpose. Shortly after completing his purchase, Magnuson alleged that he began receiving spam marketing emails from GameStop. Although CAN-SPAM permits email marketing until the recipient opts out, Magnuson alleged that GameStop violated Massachusetts law because Magnuson never signed up for or otherwise consented to receive marketing emails during the purchase process. Similar complaints were made the same day against Bloomingdale’s and BG Retail. Earlier this year in June, a similar complaint was made against another national retailer, suggesting a new trend.
These laws were enacted before the e-commerce boom, which, according to an August 19, 2024 Census Bureau report, accounted for about 16% of total retail sales.
What is not resolved, however, is whether courts will decide that these laws target tracking technologies (i.e., cookies and pixels) that passively collect personal information during e-commerce transactions. (The U.S. is opt-out for sale/share/targeting cookies, but plaintiffs’ attorneys have relied on other privacy laws to allege that the practice of automatically firing some pixels was a violation of the California Invasion of Privacy Act (CIPA) and similar laws in other states.) Recently, plaintiffs’ lawyers have added Song-Beverly claims, though it is far from clear if the type of data collected by tracking technologies (e.g., cookie ID) is the type of personal identification information Song-Beverly and the Massachusetts Law intend to regulate.
Do these laws leave room for businesses to offer customers the option to provide their personal identification information or is any request prohibited?
The Massachusetts Law prohibits any person or business entity “that accepts a credit card for a business transaction” from the following actions: “write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.” The verb “write” can be interpreted as inscriptions made by hand on a receipt or by typing the information into a customer record. Similarly, “credit card transaction form” may refer to electronic or paper transaction forms, which include electronic customer records frequently used by businesses to maintain a list of current customers.
As noted above, this requirement does not, however, prevent the business from requesting information necessary for shipping, delivery, or installation, or for services or warranty purposes when such information is provided voluntarily by a credit card holder. According to Tyler, the Massachusetts Law only prohibits the collection of additional personal information when the consumer believes that the personal information is required to complete the retail transaction, not when the collection is voluntary.
For example: If a business is shipping a product to a customer — whether the purchase was made online or in-store but requires shipping — then collecting personal information (name, address, phone number, email address) is arguably necessary to complete the transaction. However, if the consumer is purchasing an in-stock product in-store, then this information is not required in order to complete the transaction. The purpose of the Massachusetts Law is to address the misuse of personal information for marketing purposes. However, if the personal information is voluntarily provided by the consumer, in such a way that they do not believe they need to provide it to complete the transaction, then that is permissible under these state laws.
How can a business determine whether it is appropriately requesting and recording personal identification information?
Businesses are not prohibited from collecting personal identification information for ancillary purposes such as marketing and loyalty programs under these laws. However, implementing proper procedures (preferably written) and ensuring they are followed during the retail transaction is essential to minimize risk. For example, a retailer could collect the personal identification information used for marketing purposes after the transaction or notify the consumer what information is necessary to complete the transaction and what is voluntary to receive marketing communications or enroll in loyalty programs. Etailers, on the other hand, should consider at least implementing affirmative consent (e.g., non-prechecked boxes) for marketing emails and affirmative opt-ins to certain tracking technologies in order to reduce risk under these laws.
Looking at California’s Song-Beverly Act, we can see how courts have progressively clarified the importance of the order of operations when requesting personal information, as well as how the word “request” has been intended and interpreted. In Florez v. Linen ‘N Things, Inc. (2003) 108 Cal.App.4th 447, the Court of Appeal noted that what matters is whether the consumer would perceive the store’s “request” for information as a “condition” of the use of a credit card. The Court concluded that the addition of the word “request” to section 1747.8 bars a preliminary request for personal identification information if it immediately preceded the credit card transaction.
Notably, in Absher v. Autozone, Inc. (2008) 164 Cal.App.4th 332, the California Court of Appeal confirmed that the Legislature’s stated purpose of the amendment to the Song-Beverly Act was to clarify that merchants “may neither require nor request, as a condition to accepting the credit card, the taking or recording of personal identification information from the cardholder.” Thus, California’s law does not prohibit businesses from requesting such information entirely.
Similarly, the legality of a consumer’s voluntary provision of personal information during a retail transaction was supported by Harrold v. Levi Strauss & Co. (2015) 236 Cal.App.4th 1259, which found that the Song-Beverly Act “is not intended to forbid merchants from obtaining such information voluntarily, if the customer understands that the information need not be disclosed in order to use a credit card.” In Harrold, Levi had a written policy concerning “when and how store clerks should request from customers their e-mail address for inclusion into the [e-mail marketing] program.” Under the policy, email addresses were not to be requested until after the credit card transaction had been completed. The plaintiff, on the other hand, testified that she did not recall whether the request was made before or after she signed for her purchase. In denying the plaintiff’s class certification, the Court found that no other evidence was submitted to show that Levi departed from its written policy and, because the Song-Beverly Act “is violated only if the request is made under the circumstances in which the customer could reasonably understand that the [personal identification information] was required to process the credit card transaction,” a consumer could not reasonably understand that a request made after the transaction has been concluded meant that the requested personal identification information was required to process the transaction, and thus the Song-Beverly Act was not violated. This decision demonstrated that the collection of personal identifiable information is not prohibited once a credit card transaction has been concluded.
Do other states have laws similar to the Massachusetts Law or Song-Beverly Act?
Several other states also have laws that prohibit businesses from requiring or requesting additional personal information (e.g., email addresses, zip codes, phone numbers) when that personal information is not required to complete the transaction. These laws apply to different categories of information, apply to varying forms of transactions, and have different obligations and enforcement mechanisms, including, in some instances, criminal penalties. See, e.g., Delaware (Del. Code. Ann. Tit. 11, § 914(b)(1)(b)) (criminalizing the recording of address and/or telephone number, subject to exceptions); Maryland (Md. Code Ann., Com. Law § 13-317(b)(1)(ii)) (prohibiting the recording of address and/or telephone number, subject to exceptions); and New Jersey (N.J. Stat. Ann 56:11-17) (prohibiting the recording of personal identification information, subject to exceptions).
Similar laws are in force in other jurisdictions (e.g., District of Columbia, New York, Kansas, Oregon, Pennsylvania, and other states) and thus we recommend that businesses with retail locations in multiple states carefully analyze the scope of these credit card information privacy laws to determine the personal information recordation practices that are expressly prohibited with respect to credit card transactions in applicable jurisdictions. Etailers, on the other hand, may wish to consider a strategy that applies both the Massachusetts Law and the Song-Beverly Act requirements to all purchasers and also monitor the tracking technology cases described above as they make their way through the courts.