Photo of Purvi Patel

The California Attorney General continued its series of public forums regarding the California Consumer Privacy Act (CCPA), with forums last week in Riverside (January 24, 2019) and Los Angeles (January 25, 2019). As in the previous forums, there were a significant number of attendees, but few elected to speak publicly regarding their views on the Act. You can read our reports on the public forums held earlier this month in San Francisco and San Diego.

Lisa Kim, Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks at both forums and identified the areas of the AG’s rulemaking on which speakers should focus their comments, specifically those areas of the Act that call for specific AG rules.  Ms. Kim encouraged interested parties to provide written comments and proposed regulatory language during this pre-rulemaking phase. Consistent with the prior forums, she noted that the AG’s office would be listening, and not responding, to comments made in Riverside and Los Angeles.

Of note, the presentation slides made available at the forum (and available here) state that the AG anticipates publishing proposed rules in Fall 2019, and that a period for public comment and additional public hearings will follow.


In anticipation of preparing rules to implement the California Consumer Privacy Act, the California Attorney General recently announced six public forums that he will host in January and February 2019 across California.  On January 8, 2019, the AG hosted the first of these forums in San Francisco.  The following provides an overview of the forum and the comments made at the forum.

Overview of the January 8, 2019, San Francisco Forum 

Stacey Schesser, the Supervising Deputy Attorney General for the AG’s Privacy Unit, provided opening remarks.  Ms. Schesser confirmed that the AG’s office is at the very beginning of its rulemaking process.  Although the AG’s office will solicit formal comments after it prepares proposed rules, the AG is interested in receiving detailed written comments from the public with proposed language during this informal period.

These forums appear to be designed to inform the AG’s rulemaking and potentially streamline the process, by allowing public input before rules are drafted.  In this regard, Ms. Schesser clarified that she and other AG representatives in attendance at the San Francisco forum were there only to listen to the public comments and would not respond to questions or engage with speakers.  As a result, if the remaining forums follow a similar approach, it is unlikely that the forums will elicit meaningful intelligence regarding the AG’s anticipated approach to, or the substance of, the anticipated rulemaking.


Massachusetts appears to have followed California’s lead in opening a litigation floodgate over ZIP code collection at the point of sale. In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011), that a retailer illegally collects personal identification information (PII) when it requests and records ZIP codes from customers paying by credit card. More than 240 class action lawsuits followed.

The Massachusetts Supreme Judicial Court’s recent opinion in Tyler v. Michaels Stores, Inc. (No. SJC-11145) could bring a similar wave of litigation. The Tyler opinion strongly suggests retailers operating in Massachusetts should end the practice of collecting ZIP codes during credit card transactions, and foreshadows future litigation based on this practice. Like the Pineda court, the Massachusetts Supreme Court concluded that a ZIP code constitutes PII under Massachusetts’s credit card PII statute, G.L. c. 93, § 105(a) (“the Credit Card law”). More important for retailers, however, is the Court’s ruling that a plaintiff may bring an action for violation of privacy rights absent identity fraud. This ruling could make Massachusetts the next venue for an explosion of “ZIP code” litigation, and, as we note below, provide reason for retailers to review PII collection policies nationwide.

Massachusetts’s Credit Card law, which closely tracks California’s Song-Beverly Act, prohibits businesses “that accept[] a credit card for a business transaction” to “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.” PII is defined as including, but not limited to, a credit card holder’s address or telephone number. Similar to California’s statute, the Credit Card law does not apply where a business asks for PII for “shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily.” A violation of the Credit Card law constitutes an unfair and deceptive trade practice, as defined in G.L. c. 93A, § 2.

The March 11, 2013 opinion came in response to three questions certified by the United States District Court for the District of Massachusetts, where the Tyler case was pending. Plaintiff Melissa Tyler brought the putative class action claiming, among other things, that Michaels collected her ZIP code and then used her name and ZIP code to figure out her address for marketing purposes. While the district court granted Michaels’s motion to dismiss, the court agreed to certify three questions to the Massachusetts Supreme Court:

  1. Does a ZIP code constitute PII under the Credit Card law?
  2. Can a plaintiff bring an action for such a privacy right violation absent identity fraud under the Credit Card law?
  3. Do the words “credit card transaction form” refer equally to an electronic or paper transaction form under the Credit Card law?

Looking at the text of the statute and its legislative history, the Massachusetts Supreme Court determined that the principal purpose of the Credit Card law “is to guard consumer privacy in credit card transactions,” and answered all three certified questions in the affirmative (Slip Opn. at 4, 6). Like the California Supreme Court in Pineda, the Massachusetts Supreme Court reasoned that a ZIP code is PII because a ZIP code, when combined with the consumer’s name, provides retailers with enough information to identify the consumer’s address or telephone number, “the very information [the law] expressly [prohibits]” (Id. at 4).

The Massachusetts Supreme Court’s answer that a plaintiff may bring an action for violation of the Credit Card law absent identity fraud is important for retailers, as it opens the door to litigation based on a wide range of injuries (or lack of actual injuries). To bring a claim, the Court instructed plaintiffs to allege a “separate and identifiable ‘injury’ resulting from the allegedly unfair or deceptive conduct,” and provided two examples of such injuries: (1) “actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s [PII]” and (2) “the merchant’s sale of a customer’s [PII] or the data obtained from that information to a third party” (Id. at 5-6). These examples flowed directly from the Court’s conclusion that the primary purpose of the statute is to protect consumer privacy, not to protect against identity fraud.

While these types of injuries may now suffice to justify actions in Massachusetts state court, it remains to be seen whether they will satisfy Article III, which governs standing in federal court. Regardless, the Tyler decision creates a definite litigation risk for retailers in Massachusetts for alleged violations of the Credit Card law, which provides for damages and reasonable attorneys’ fees to successful plaintiffs. Even if the aftermath of Tyler puts retailers in the same position as Pineda put retailers in California, there are strategies under Massachusetts law that retailers can deploy to minimize exposure.

While two state decisions hardly make for a trend, the writing certainly appears to be on the wall that courts may view ZIP codes as PII, particularly given the rise of privacy litigation in recent years. Because many states have statutes on the books like California’s Song-Beverly Act and Massachusetts’s Credit Card law, the time may be right for retailers and other businesses to review ZIP code (or PII) collection policies more widely.

Handing a victory to online retailers, on February 4, 2013, the California Supreme Court held in a split decision that online transactions involving electronically downloadable products fall outside the scope of the Song-Beverly Credit Card Act (Apple v. Superior Court (Krescent), S199384). Despite acknowledging the unique fraud issues present in online transactions, the Court refused to decide the broader issue of whether the Act applies to online transactions that do not involve electronically downloadable products or to any other “card not present” transactions that do not involve in-person, face-to-face interaction between the purchasing customer and the retailer. That said, given the Court’s analysis, it is hard to imagine a different outcome for online transactions as a whole.

This opinion comes nearly two years after the California Supreme Court’s February 2011 decision in Pineda v. Williams-Sonoma Stores, Inc., which held that for purposes of the Song-Beverly Act, ZIP codes constitute “personal identification information” (PII). The Pineda decision opened a floodgate for lawsuits based on retailers’ collection of ZIP codes, resulting in hundreds of cases against brick-and-mortar retailers. Some online retailers were swept up in the post-Pineda litigation frenzy as well and, since then, online retailers and others involved in e-commerce have been waiting to see if the Act, which prohibits businesses from requesting and recording customers’ PII during credit card transactions, applies to online transactions. Although the majority explicitly limited its holding to online purchases of electronically downloadable products, the Court’s 4-3 decision is consistent with the trend in California trial courts (state and federal), which have concluded that online transactions are exempt from the Act.

The “electronically downloadable” transactions at issue in this case involved digital media, i.e., audio and video files customers can purchase and download from the Internet onto their personal computers. The Court held that “this type of transaction does not fit within the statutory scheme,” reasoning that the Legislature did not “intend[] to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the [Act].” The Court supported this reasoning through an extensive examination of the Act’s text, purpose, and history.

Initially, the Court found that the text was not decisive of the issue. Turning to the history and purpose of the Act, the Court explained that “while the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud.” For example, the Court focused on the safeguards against fraud provided by Section 1747.08(d) of the Act, which allows retailers to require customers to provide positive identification as a condition of accepting a credit card as payment. Section 1747.08(d) also permits retailers to record certain PII (the customer’s driver’s license number) in “card not present” transactions, which are transactions in which the customer does not make the credit card available for verification. These safeguards evidence the “Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so.” Because application of the Act to electronically downloadable products would provide no mechanism for online retailers to protect against fraud, the Court concluded that the Legislature could not have intended the Act to apply to such products.

The Court also rejected arguments that the 2011 amendment to the Act, which created an exception allowing gasoline retailers to collect ZIP codes in “pay-at-the-pump” transactions, somehow shows that the Act applies to online transactions. In particular, the Court rejected the notion that the narrow exception would be unnecessary surplusage if the Act was not intended to apply to remote (or “card not present”) transactions in the first place. Here, the Court focused on the specific problem the Legislature intended to address by amending the Act: to provide relief to gasoline retailers who had been collecting ZIP codes pre-Pineda for fraud prevention purposes. Finding the plaintiff’s view—that the Legislature would have created a fraud prevention exception for gasoline retailers while leaving online retailers unprotected—counterintuitive, the Court observed that online retailers “have at least as much if not more need for an exemption to protect themselves and consumers from fraud.”

Although online purchases of electronically delivered goods are unquestionably outside the scope of Song-Beverly, the Court declined to close the door—at least in this decision—to online transactions in general. The Court’s concerns about credit card fraud, however, are hardly unique to electronically downloadable products; the same analysis applies with equal force to online transactions generally (as well as other “card not present” transactions). While the logic of the decision suggests that these transactions should also be outside the scope of the Act, we expect that some enterprising plaintiff’s lawyer may take up the issue left undecided and pursue claims either against catalog merchants, telephone order companies, or even online retailers selling tangible goods. We think retailers have the stronger argument.