The Law and Business of Social Media
February 07, 2013 - Privacy, Litigation

You Can’t Make a Square Peg Fit in a Round Hole: California Supreme Court Holds Online Purchases of Electronically Downloadable Products Outside Scope of Song-Beverly Act

Handing a victory to online retailers, on February 4, 2013, the California Supreme Court held in a split decision that online transactions involving electronically downloadable products fall outside the scope of the Song-Beverly Credit Card Act (Apple v. Superior Court (Krescent), S199384). Despite acknowledging the unique fraud issues present in online transactions, the Court refused to decide the broader issue of whether the Act applies to online transactions that do not involve electronically downloadable products or to any other “card not present” transactions that do not involve in-person, face-to-face interaction between the purchasing customer and the retailer. That said, given the Court’s analysis, it is hard to imagine a different outcome for online transactions as a whole.

This opinion comes nearly two years after the California Supreme Court’s February 2011 decision in Pineda v. Williams-Sonoma Stores, Inc., which held that for purposes of the Song-Beverly Act, ZIP codes constitute “personal identification information” (PII). The Pineda decision opened a floodgate for lawsuits based on retailers’ collection of ZIP codes, resulting in hundreds of cases against brick-and-mortar retailers. Some online retailers were swept up in the post-Pineda litigation frenzy as well and, since then, online retailers and others involved in e-commerce have been waiting to see if the Act, which prohibits businesses from requesting and recording customers’ PII during credit card transactions, applies to online transactions. Although the majority explicitly limited its holding to online purchases of electronically downloadable products, the Court’s 4-3 decision is consistent with the trend in California trial courts (state and federal), which have concluded that online transactions are exempt from the Act.

The “electronically downloadable” transactions at issue in this case involved digital media, i.e., audio and video files customers can purchase and download from the Internet onto their personal computers. The Court held that “this type of transaction does not fit within the statutory scheme,” reasoning that the Legislature did not “intend[] to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the [Act].” The Court supported this reasoning through an extensive examination of the Act’s text, purpose, and history.

Initially, the Court found that the text was not decisive of the issue. Turning to the history and purpose of the Act, the Court explained that “while the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud.” For example, the Court focused on the safeguards against fraud provided by Section 1747.08(d) of the Act, which allows retailers to require customers to provide positive identification as a condition of accepting a credit card as payment. Section 1747.08(d) also permits retailers to record certain PII (the customer’s driver’s license number) in “card not present” transactions, which are transactions in which the customer does not make the credit card available for verification. These safeguards evidence the “Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so.” Because application of the Act to electronically downloadable products would provide no mechanism for online retailers to protect against fraud, the Court concluded that the Legislature could not have intended the Act to apply to such products.

The Court also rejected arguments that the 2011 amendment to the Act, which created an exception allowing gasoline retailers to collect ZIP codes in “pay-at-the-pump” transactions, somehow shows that the Act applies to online transactions. In particular, the Court rejected the notion that the narrow exception would be unnecessary surplusage if the Act was not intended to apply to remote (or “card not present”) transactions in the first place. Here, the Court focused on the specific problem the Legislature intended to address by amending the Act: to provide relief to gasoline retailers who had been collecting ZIP codes pre-Pineda for fraud prevention purposes. Finding the plaintiff’s view—that the Legislature would have created a fraud prevention exception for gasoline retailers while leaving online retailers unprotected—counterintuitive, the Court observed that online retailers “have at least as much if not more need for an exemption to protect themselves and consumers from fraud.”

Although online purchases of electronically delivered goods are unquestionably outside the scope of Song-Beverly, the Court declined to close the door—at least in this decision—to online transactions in general. The Court’s concerns about credit card fraud, however, are hardly unique to electronically downloadable products; the same analysis applies with equal force to online transactions generally (as well as other “card not present” transactions). While the logic of the decision suggests that these transactions should also be outside the scope of the Act, we expect that some enterprising plaintiff’s lawyer may take up the issue left undecided and pursue claims either against catalog merchants, telephone order companies, or even online retailers selling tangible goods. We think retailers have the stronger argument.