On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
Online Retailers Can Collect Personal Data Under Song-Beverly Where Products Downloaded, Says California Supreme Court
Class actions alleging a violation of the Song-Beverly Credit Card Act have targeted not only traditional “brick-and-mortar” retailers like Williams Sonoma but also online retailers. In Apple the consumer alleged that he had been required to provide his address and telephone number as a condition of accepting his credit card as payment for an electronic download via the Internet in violation of the Act. However, four of the seven justices held in the majority opinion that the Act did not apply to such a transaction.
Analyzing the text of the Act, including statutory exceptions to the ban on collecting PII, the majority noted that the provision in question was adopted in 1990, prior to online commercial transactions becoming widespread, so that there was no express statement by the Legislature as to whether online transactions were included or not. Since the plain meaning of the Act’s text was not decisive, the majority looked at the entire statutory scheme, including the protection of consumer privacy balanced by the desire to avoid exposing consumers and retailers to undue risk of fraud.
The majority opinion noted that an online retailer, unlike a brick-and-mortar retailer, cannot inspect the credit card or the customer’s photo identification. The majority held that the Legislature could not have intended that the Act would ban the collection of PII by online retailers selling electronically downloadable products to protect against credit card fraud. Most importantly, the majority opinion noted that no decision was being made regarding the applicability of the Act to online transactions not involving electronically downloadable products or to mail order or telephone order transactions where the credit card of the consumer was not physically present. The majority invited the Legislature, should it wish, to revisit the issue of consumer privacy and fraud prevention in online credit card transactions.
Two vigorous dissenting opinions took issue with the majority’s analysis, expressing concern that the Act’s “robust” consumer protection “is now largely relegated to the dust heap” and that online retailers will be “free to collect and use the personal information of credit card users as they wish.” One can expect further legal battles over the reach of the Act in online commercial transactions not involving downloadable products, as well as in mail or telephone order transactions. Given the narrow scope of the ruling and the divided Court, the California Legislature may also take action to address unanswered questions regarding the scope of the Act, as it previously did in 2011 to insulate gasoline retailers from liability for using ZIP codes to prevent fraud in “pay-at-the-pump” transactions (CA Civil Code Section 1747.08(c)(3)(B)).
The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet...20 May 2016