The California Supreme Court held on February 4, 2013 that the
provision of the Song-Beverly Credit Card Act of 1971 (the
"Act") prohibiting retailers from requesting personally
identifying information as a condition to processing credit card
transactions does not apply to online purchases of electronically
downloadable items. (Apple v. Super. Ct., S199384, Case
No. B238097, available at http://www.courts.ca.gov/opinions/documents/S199384.PDF.)
The Court agreed with Apple that online sales of electronically
downloadable products fall outside the coverage of the Act. The
Court's reasoning emphasized that the collection of some
personally identifying information is important in preventing
online fraud. Although the Act does not apply to the transactions
in question, the Court pointed out that online retailers are not
given free rein because other state and federal laws do apply to
place limits on the collection and use of personally identifying

Among the provisions of the Act, codified at California Civil
Code section 1747 et seq., is a prohibition in section 1747.08
against retailers' requesting or requiring a credit card
holder's personal identification information in order to
process a credit card transaction. The Court has previously held
that requesting and recording a Zip Code during a credit card
transaction in a brick-and-mortar store is forbidden under the Act.
Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524
(2011). The Court wrote in Apple that the plain meaning of
the statute's language was not decisive of the issue at hand,
and an analysis of the legislature's statutory scheme as a
whole was necessary. The Court also pointed out that section
1747.08 of the Act makes no reference to online transactions, which
is unsurprising, given that the provision that later became section
1747.08 was enacted in 1990.

The plaintiff in the underlying trial court case alleged that
Apple requested or required his address and telephone number in
order to accept his credit card payment for electronically
downloadable items. Apple demurred to the Complaint, arguing that
online transactions fall outside the scope of the Act, and that
holding otherwise would undermine the prevention of online identity
theft and fraud. Although not addressed in the opinion, presumably,
Apple's payment card processor cross-checks the address
information provided by the customer with the payment card billing
address as a method to verify the customer is the authorized

The Court noted in its Apple decision various
exceptions to the prohibition outlined in the Act, including where
the retailer is contractually required to provide personally
identifying information to complete the transaction, uses the Zip
Code solely to prevent fraud, is obligated to collect information
by a federal or state law, or collects the information for a
purpose incidental but related to the credit card transaction (like
shipping or delivery information). Furthermore, section 1747.08,
subdivision (d) specifically states that the Act does not prohibit
retailers from requiring safeguards, in the form of reasonable
forms of positive identification, as a precondition to a credit

The Court reasoned that since the law's exceptions and its
allowance to check IDs at the point of sale do not have practical
applicability in e-commerce transactions, it must be that the
legislators did not intend the law to apply to e-commerce
transactions at all. The Court seemingly was also influenced by a
desire to balance the protection of consumers from undesired
solicitation against the need to authenticate payment card
purchasers who are not physically present to show an ID or provide
their signature on a transaction form.

The Court explicitly did not identify specifically what types of
personally identifying information would be allowable to collect
for authentication purposes. The Court held only that section
1747.08 cannot have been intended to apply to online sales of
downloadable products because holding otherwise would foreclose
anti-fraud protections enabled by the collection of personal
information during e-commerce transactions.