A federal judge in the U.S. District Court for the Eastern District of California issued an opinion Dec. 17, 2012, that seems to answer definitively a question that has weighed on the minds of California merchants for the past several years: When - if ever - can a retailer ask customers for personal information, enabling future communications and marketing to customers after they leave the store?

U.S. District Court Judge Kimberly J. Mueller ruled in Tammie Davis v. Devanlay Retail Group, Inc., that merchants may ask for customers' personal information, but only after customers have received a receipt, objectively signaling the conclusion of the transaction. The judge ordered the dismissal of a class action filed against Devanlay Retail Group, Inc., operator of Lacoste® brand clothing stores, in the Sacramento federal court.

The question of when and how merchants could collect consumer information became important when a February 2011 ruling by the California Supreme Court in effect threw open courthouse doors around the state, inviting a stampede of class actions premised on alleged violations of the Song-Beverly Credit Card Act (Section 1747.08 of the California Civil Code). In Pineda v. Williams-Sonoma, Inc., the California Supreme Court held that, despite a prior lower court ruling to the contrary, merchant requests for consumers' zip codes in connection with retail credit card transactions violated the Act. The court held that zip codes should be included in the Act's definition of "personal information," in part due to evidence that they could be used to "reverse engineer" the identities and locations of consumers.

The court's ruling in Pineda unleashed a torrent of class actions against both brick-and-mortar and online merchants in California state and federal courts, asserting that the merchants had improperly requested consumer information in connection with credit card transactions in violation of the Act and seeking statutory damages of up to $1,000 for repeat violations.

After meticulously tracing the statutory and judicial history of the Song-Beverly Act, Judge Mueller concluded that the merchant's clear and well-documented policy directing its clerks to wait until after they hand customers a cash register receipt before requesting their personal information complied with the Act's requirements. The judge wrote:

[T]he crucial issue ... is not whether the transaction has reached an official end when the cashier requests personal information from the customer; it is whether under Devanlay's policy a customer would reasonably believe that providing the zip code is necessary to complete the transaction. ... Viewed objectively, Devanlay's policy of waiting until the customer has her receipt in hand conveys that the transaction has concluded and that providing a zip code is not necessary to complete the transaction.

The court also indicated that even if a particular clerk had failed to comply with the merchant's policy and asked for the customer's information before the receipt had been produced (as plaintiff claimed occurred in this case), the company's written procedures would be sufficient to comply with the "safe harbor" provisions of the Song-Beverly Act, protecting the merchant from liability.

The takeaways for retail merchants that wish to collect personal information from customers in connection with face-to-face credit card transactions include:

First, they should develop written policies and procedures that, at a minimum, require salespeople to delay making any requests for personal information until after the customer's transaction is completed, as evidenced by the delivery of a receipt to the customer. A better policy would be to require salespeople to inform customers that providing such information is completely voluntary (as did Devanlay's policy) and instruct them to wait until both the merchandise and receipt have been provided to the customer before requesting the information.

Second, retailers should institute training materials and programs, and document the completion of those programs, to ensure that employees are familiar with the procedures for collecting consumer information and understand that they must follow these procedures. These materials and training records will be invaluable in demonstrating the company's compliance with the Act and its "safe harbor" provisions.

Finally, merchants should not yet breathe too easily. As the California Supreme Court showed in Pineda, it will not hesitate to take positions on Song-Beverly that are inconsistent with those taken by other reviewing courts. Until the state's highest court actually addresses this issue, merchants cannot be 100 percent certain that their information collection methods are consistent with the Act's requirements. In the words of the late, great Yogi Berra, "It ain't over 'til it's over."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.