Introduction
In the latest iteration of privacy claims, California plaintiffs have begun filing lawsuits against online retailers using online tracking technologies to collect IP addresses under a new theory—plaintiffs allege such practice is a violation of California’s Song-Beverly Credit Card Act (the “Act”).
The Act, originally passed in 1971 and amended in the early 1990s, was drafted in a time before smart watches, QR code menus, and ecommerce. The Act was not intended to cover new technologies, and the courts have struggled to interpret the Act in light of such advancements. Now courts have been called to decide, among other concepts, whether and how the Act applies to online transactions and whether IP addresses, a concept likely unknown to the legislators at the time of drafting (and its amendment), are considered “personal identification information” for purposes of the Act.
Specifically, the plaintiffs’ bar recently filed several suits against online retailers for allegedly violating the Act by collecting IP addresses during online transactions.1 This is the first time IP addresses have been asserted to be personal identification information (“PII”) under the Act. To assert a successful claim under the Act, plaintiffs need to prove (1) an IP address is PII to qualify under the Act; and then (2) the automatic collection of an IP address is a condition of the transaction. Separately, the courts will need to decide whether the Act is applicable to the ecommerce space, specifically online transactions, and, if so, whether it encompasses all online transactions.
What is the Song-Beverly Credit Card Act?
The Act prohibits businesses from requesting or requiring PII to complete a transaction and subsequently recording such PII, subject to certain exceptions.2 PII is defined as information “concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”3 The Act includes statutory damages of $250 for the first violation and $1,000 for each subsequent violation.4
The Act includes several exceptions that allow businesses to record PII, including for fraud prevention. Written in a time when credit card transactions were in person and where inspecting a person’s ID could be done visually, the Act allowed a store cashier to inspect reasonable forms of identification and record the cardholder’s driver license number or identification number.5 In the cases at hand, should the courts choose to apply the Act to transactions, the courts might also need to determine what amount of PII collected is reasonable and necessary to prevent fraud when a credit card is not physically presented.
Previous Cases
The Act’s 50-year history provides ample case law defining PII:
- ZIP Codes: In Pineda v. Williams-Sonoma Store, the California Supreme Court found ZIP codes to be PII when a consumer was shopping in person and the defendant clerk asked for the plaintiff’s ZIP code during the checkout process.6 The defendant then performed a reverse address lookup using the plaintiff’s name and ZIP code to send marketing materials.7 The court found the Act’s wording, “concerning the cardholder” to broadly encompass information that can be combined with the cardholder’s name to find their address.8 The Court was guided by legislative purpose: “to address the misuse of personal identification information for [...] marketing purposes, finding that there would be no legitimate need to obtain such information from credit card customers as it was not necessary to the completion of the credit card transaction.”9 Pineda makes it clear that information that can be combined to find a consumer’s address is PII.
- Email Addresses: The Eastern District Court of California found emails to be PII in Capp v. Nordstrom.10 The plaintiff was shopping in person at Nordstrom and gave his email for a digital receipt but was later sent unsolicited marketing emails.11 The court reasoned that email permits direct contact with the consumer and implicates privacy interests, similar to how an address or telephone number provides direct contact.12 Indeed, the misuse of PII for marketing purposes is what the Act is trying to prevent, according to the court’s analysis of the Act’s legislative purpose.13 While an email address is different from the address and telephone number cited in the Act, it represents the Act’s foray into new digital technologies. Read our previous article on Nordstrom here.
Case law points to online transactions being exempted from the Act:
- Purchases of Digital Downloads: The California Supreme Court, in a break from expanding the Act, found that the Act does not apply to digital download transactions in Apple v. Superior Court.14 The plaintiff purchased music on iTunes from Apple, who required a telephone number and address to complete the transaction.15 The court found that the Act was intended to protect consumer privacy and protect against fraud.16 The Act’s fraud protection provisions include physically inspecting and recording a person’s ID if necessary.17 The court concluded that traditional identity verification contemplated by the Act cannot apply to digital purchase transactions, and therefore the legislature did not consider the Act to cover online transactions of this type.18 The court thereby exempted all digital download transactions from the Act. Moreover, the court cites to the California Online Privacy Protection Act of 2003 (CalOPPA) to cover online transactions, including requiring disclosure of what PII is collected by a business and how it is used, reasoning that a consumer may read the policy and choose not to complete the transaction, if they do not want their PII collected.19
- Online Transactions of Shipped Goods: In Ambers v. Buy.com20 the Central District Court of California expanded the interpretation in Apple to also exclude online transactions of shipped goods from the scope of the Act. In Ambers, the plaintiff purchased DVDs online and was required to provide his telephone number.21 The plaintiff argued that requiring a telephone number violated the Act. Buy.com argued the Act does not apply to online transactions based on the Apple reasoning of collecting PII to verify a consumer. The district court agreed, reasoning they could not distinguish the facts from exempting digital download transactions in Apple from an online transaction of shipped goods in Ambers. Indeed, the Ambers court noted that because the goods are shipped, collecting PII for fraud protection purposes is even more important.22 The Ambers court established dicta that the California Supreme Court would likely hold that the Act does not apply to online transactions.
- Online Sales of Goods Picked Up: In Ambers v. Beverages & More, Inc., the California Appellate Court found the Act “does not apply to [plaintiff’s] online purchase of merchandise subsequently retrieved at one of the [defendant’s] retail store.”23
Current Allegations
The plaintiffs’ bar is making the argument that the collection of IP addresses during online transactions is “recording PII” as contemplated by the Act. The lawsuits allege various online retailers require and record the IP address, telephone number, and email of a consumer during a transaction and subsequently use the collected PII for targeted advertising, including unsolicited emails and tracking through various pixel technologies, in violation of the Act.24 This is an important variation given that the California Supreme Court in Pineda found the legislative purpose of the Act was to prevent the misuse of personal information for marketing purposes.
To determine if an IP address is PII, the court will need to assess if an IP address is information “concerning the cardholder, other than information set forth on the credit card, and including, but not limited to the card holder’s address and telephone number”. The Pineda court reasoned that a ZIP code is PII, because a ZIP code is part of an address that could be combined with other known information to reverse engineer a user’s full address.25 Email addresses are not a part of an address line but were found to be PII in Nordstrom. The Nordstrom court reasoned that an email is PII, because an email address permits direct contact for marketing purposes, much like a telephone number or street address. The court may use Pineda and Nordstrom to expand PII to encompass IP addresses by arguing an IP address may be combined with other information to permit direct contact for marketing purposes. The court may expand the definition of PII to include an IP address by looking to other data privacy laws. For example, an IP address under the California Consumer Privacy Act qualifies as “personal information” as the IP address identifies, relates to, describes, or is “capable of being associated with,” or “could be reasonably linked” with a particular person.26 IP addresses on their own do not necessarily reveal a user’s precise address, but may be combined with other information to find a user’s location, address, or email for marketing purposes. The Act’s broad language and prior decisions leave much up to interpretation as the Court decides if IP addresses are PII.
Under the Act, companies are prohibited from collecting personal information from a consumer as a condition of a credit card transaction, unless such information is required to process the transaction, or an exemption applies. The user, however, may voluntarily provide personal information either before a transaction occurs or once the transaction has been completed. As such, answering the question of what constitutes a “transaction” is a key component of successfully bringing a claim under the Act. In Harrold v. Levi Strauss & Co., the court also concluded that the prohibition applies before and during a credit card transaction, but such prohibition does not continue after the transaction is complete.27 The Levi Strauss court defined the end of a credit card transaction as when the customer receives their receipt, the credit card is accepted, and the merchandise is given to the consumer. Other courts have interpreted the transaction to begin based on a consumer’s perception. Asking for a consumer’s PII while walking around a store may or may not be a condition of a transaction,28 but asking for PII when the customer approaches the cashier is.29 In the context of ecommerce and online tracking technologies, the court will likely have to make some determination when the online transaction begins and ends in order to assess the point at which the Act would be triggered. This determination would then help identify when and whether the collection and recordation of IP addresses for marketing purposes would be a violation of the Act. Making such determination, however, could be challenging in the online context. For instance, does the transaction begin when a user starts the digital “checkout” process at the checkout page? Does the transaction end when the individual receives the order confirmation? If the individual leaves the checkout page and returns to the main website, is the transaction considered ongoing? 
Defining what constitutes a “transaction” is not only critical for purposes of determining potential Act applicability but could also create a significant operational challenge for businesses trying to comply with the Act given that IP addresses are typically collected for various purposes during the entire user online experience.
Ideally, there would be a decision by the courts ruling that online transactions are exempt from the Act, in line with the Apple decision in which the court signaled that privacy laws such as CalOPPA already protect California consumers. In Apple, the California Supreme Court noted that online retailers are already required to post a privacy policy that is viewable before the consumer chooses to proceed with an online transaction, and “if a consumer is not satisfied with the policy of a particular retailer, he or she may decline to purchase a product from that retailer.”30
Why This Matters
A ruling for the plaintiffs, even if narrow in scope, will likely affect any retailer or ecommerce business operating in California that collects IP addresses during an online transaction, potentially subjecting them to class actions and high figure settlements.
In addition, several states have similar laws, with each state having varying interpretations of PII, exceptions, and statutory damages.31 Given the landscape, it is quite possible for the plaintiffs’ bar to expand its reach and test the presentation theory in other states that include more favorable definitions of PII or greater statutory damages, similar to what we have seen in the wiretap cases.
1 Fritszche v. Eero, LLC, Superior Court of the State of California County of Contra Costa; Semain v. Patagonia, Inc., Superior Court of the State of California County of Ventura; Hopton v. Lamps Plus, Inc., Superior Court of the State of California County of San Diego; Sawyer v. Vuori, Inc., Superior Court of the State of California County of San Diego; Montgomery v. ThirdLove Inc., Superior Court of the State of California County of San Francisco.
2 Cal. Civ. Code §§ 1747.08 (a) (1-2).
3 Id. § 1747.08 (b).
4 Id. § 1747.08 (e).
5 Id. § 1747.08 (d).
6 Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524 (Cal., 2011).
7 Id. at 528.
8 Id. at 531.
9 Id. at 533 citing (Assem. Bill No. 2920 (1989–1990 Reg. Sess.) § 1) (quoting Absher v. Autozone, 164 Cal.App.4th 332, 345, 78 Cal.Rptr.3d 817 (2008)).
10 Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D.Cal., 2013).
11 Id.
12 Id. at 6.
13 See Absher v. AutoZone, Inc., 164 Cal.App.4th 332, 345 (Cal.App. 2 Dist., 2008).
14 Apple, Inc. v. Superior Court of Los Angeles County, 56 Cal. 4th 128 (Feb. 4, 2013).
15 Id. at 134.
16 Id. at 143.
17 Id.
18 Id.
19 Id. at 148, 149.
20 Ambers v. Buy.com, Inc., 2013 WL 1944430 (C.D.Cal., 2013).
21 Id. at 1.
22 Ambers v. Buy.com, Inc., 617 Fed. Appx. 728, 730 (C.A.9 (Cal.), 2015).
23 Ambers v. Beverages & More, Inc., 236 Cal.App.4th 508, 539 (Cal.App. 2 Dist., 2015).
24 Complaint, 7, Aaron Semain v. Patagonia, Inc., 2024CUBT024729 7.
25 Pineda, 51 Cal.4th at 531.
26 Cal. Civ. Code § 1798.140 (v)(1).
27 Harrold v. Levi Strauss & Co., 236 Cal.App.4th 1259 (Cal.App. 1 Dist., 2015). See also Capp v. Nordstrom, Inc., 2013 WL 5739102 (E.D.Cal., 2013).
28 Adjamian v. L'Oreal USA S/D, Inc., 2015 WL 4400119 (Cal.App. 2 Dist., 2015).
29 Florez v. Linens 'N Things, Inc., 108 Cal.App.4th 447 (Cal.App. 4 Dist., 2003).
30 Apple, 56 Cal. 4th at 149.
31 See e.g., Massachusetts, Mass. Gen. Law Ann. Ch. 93, Sec. 105; Washington D.C., DC CODE § 47-3153; and Wisconsin WI ST 423.401.