A federal judge in the U.S. District Court for the Eastern
District of California issued an opinion Dec. 17, 2012, that seems
to answer definitively a question that has weighed on the minds of
California merchants for the past several years: When - if ever -
can a retailer ask customers for personal information, enabling
future communications and marketing to customers after they leave
U.S. District Court Judge Kimberly J. Mueller ruled in Tammie Davis v. Devanlay Retail Group, Inc., that
merchants may ask for customers' personal information, but only
after customers have received a receipt, objectively signaling the
conclusion of the transaction. The judge ordered the dismissal of a
class action filed against Devanlay Retail Group, Inc., operator of
Lacoste® brand clothing stores, in the Sacramento
The question of when and how merchants could collect consumer
information became important when a February 2011 ruling by the
California Supreme Court in effect threw open courthouse doors
around the state, inviting a stampede of class actions premised on
alleged violations of the Song-Beverly Credit Card Act (Section
1747.08 of the California Civil Code). In Pineda v.
Williams-Sonoma, Inc., the California Supreme Court held that,
despite a prior lower court ruling to the contrary, merchant
requests for consumers' zip codes in connection with retail
credit card transactions violated the Act. The court held that zip
codes should be included in the Act's definition of
"personal information," in part due to evidence that they
could be used to "reverse engineer" the identities and
locations of consumers.
The court's ruling in Pineda unleashed a torrent of
class actions against both brick-and-mortar and online merchants in
California state and federal courts, asserting that the merchants
had improperly requested consumer information in connection with
credit card transactions in violation of the Act and seeking
statutory damages of up to $1,000 for repeat violations.
After meticulously tracing the statutory and judicial history of
the Song-Beverly Act, Judge Mueller concluded that the
merchant's clear and well-documented policy directing its
clerks to wait until after they hand customers a cash register
receipt before requesting their personal information complied with
the Act's requirements. The judge wrote:
[T]he crucial issue ... is not whether the transaction has
reached an official end when the cashier requests personal
information from the customer; it is whether under Devanlay's
policy a customer would reasonably believe that providing the zip
code is necessary to complete the transaction. ... Viewed
objectively, Devanlay's policy of waiting until the customer
has her receipt in hand conveys that the transaction has concluded
and that providing a zip code is not necessary to complete the
The court also indicated that even if a particular clerk had
failed to comply with the merchant's policy and asked for the
customer's information before the receipt had been produced (as
plaintiff claimed occurred in this case), the company's written
procedures would be sufficient to comply with the "safe
harbor" provisions of the Song-Beverly Act, protecting the
merchant from liability.
The takeaways for retail merchants that wish to collect personal
information from customers in connection with face-to-face credit
card transactions include:
First, they should develop written policies and procedures that,
at a minimum, require salespeople to delay making any requests for
personal information until after the customer's transaction is
completed, as evidenced by the delivery of a receipt to the
customer. A better policy would be to require salespeople to inform
customers that providing such information is completely voluntary
(as did Devanlay's policy) and instruct them to wait until both
the merchandise and receipt have been provided to the customer
before requesting the information.
Second, retailers should institute training materials and
programs, and document the completion of those programs, to ensure
that employees are familiar with the procedures for collecting
consumer information and understand that they must follow these
procedures. These materials and training records will be invaluable
in demonstrating the company's compliance with the Act and
its "safe harbor" provisions.
Finally, merchants should not yet breathe too easily. As the
California Supreme Court showed in Pineda, it will not
hesitate to take positions on Song-Beverly that are inconsistent
with those taken by other reviewing courts. Until the state's
highest court actually addresses this issue, merchants cannot be
100 percent certain that their information collection methods are
consistent with the Act's requirements. In the words of the
late, great Yogi Berra, "It ain't over 'til it's
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In an instructive opinion on how intangible harms can cause injuries sufficient to confer standing on plaintiffs—and a rare example of the U.S. Supreme Court's latest ruling on standing aiding plaintiffs—a West Virginia federal court ruled June 30 that computer-dialed telemarketing calls caused concrete, particularized privacy invasions.
The headlines are out there. You've seen them. On one hand, government agencies are ramping up enforcement efforts and dishing out heavier fines. On the other hand, data breaches are occurring at an exponential rate.
The European Commission formally adopted the EU-US Privacy Shield on Tuesday, ending months of legal uncertainty with a new framework for governing transatlantic data transfers after the Privacy Safe Harbor framework was invalidated in 2015.
The first European Union-wide rules on cybersecurity have been adopted by the European Parliament. Approved on July 6, 2016, the Directive on Security of Network and Information Systems (NIS Directive) creates new risk management and incident reporting obligations for both digital service providers and operators of essential services such as banking or transportation.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).