Ten years ago, a California Court of Appeal determined that the Song-Beverly Credit Card Act of 1971 (also the Act), an act that prohibits retailers from requiring consumers' personally identifiable information (PII) as a condition for accepting payment via a credit card, did not apply to the online purchase of physical merchandise subsequently picked up in store. Ambers v. Beverages & More, Inc., 186 Cal. Rptr. 3d 533 (Cal. App. 2d Dist. 2015) (BevMo). Citing a California Supreme Court case, the BevMo court explained that "while consumer privacy protection was a primary purpose of the Credit Card Act, the legislative history also reflected an effort to balance that purpose against the need to protect both consumers and retailers from the risk of fraud." Id. at 537. Because the transaction took place online, the court reasoned that "BevMo had no means, without obtaining plaintiff's PII, of verifying that plaintiff was an authorized user of the credit card number entered on BevMo's Web site before the purchase transaction was completed." Id. at 538. Accordingly, the court refused to apply the Act to the plaintiff's online purchase of merchandise subsequently picked up in store.
Regardless of the California courts' reluctance to apply the Act to online transactions, there has been a recent influx of Song-Beverly Credit Card Act claims brought against online retailers. In two such cases, the defendants have demurred to the claims, resulting in contradictory decisions in the California superior courts. Both cases involve online purchases of goods shipped to a customer's home, where the customers allege the retailer required them to provide PII including full names, home addresses, email addresses, telephone numbers, ZIP codes and IP addresses. In the first case, McClure v. Anova Applied Electronics, Inc., the Superior Court of California, County of San Francisco, overruled the defendant's demurrer, reasoning that BevMo did not conclude that the Act is inapplicable to online transactions as a whole, but rather applied the fraud prevention rationale in evaluating the particular transaction before it. No. CGC-24-615351 (Cal. Super. Feb. 13, 2025). "Faced with a case of first impression," the court declined to "adopt a rigid, literal, and textual reading" of the Act, opting instead to apply the fraud prevention rationale espoused in BevMo once the court was "presented with a full evidentiary record." Id.
Only two months later, the Superior Court of California, Alameda County, took a bolder approach, concluding that the reasoning in BevMo "regarding the balance between antifraud needs and privacy issues, including Legislative intent of the SBCCA's statutory scheme as applied to online transactions," applies with "equal force" to the online purchase of physical merchandise shipped to the plaintiff. Wing v. Alpinestars USA, Inc., No. 24CV079312, 2025 WL 1219260 at *7 (Cal. Super. Apr. 9, 2025). The court further rejected the plaintiff's argument that "even if email addresses and telephone numbers serve an antifraud purpose, they are not necessary to combat fraud in this case, and, even if they were, Alpinestars does not in fact use the PII here to combat fraud but uses them for marketing." Id. The court pointed out that the California Supreme Court rejected the argument "that 'necessity' was a factual issue or assumption improperly resolved by the court," holding instead that the Act did not apply to this type of transaction. Id. And the court reasoned that even if the Act did apply to this type of online transaction, the defendant would have been permitted to collect the plaintiff's email address and telephone number because such information is "required for a special purpose incidental but related to the credit card transaction," an exception under the Act. Id. at *8. Collecting email addresses and telephone numbers is "required to communicate with the buyer when necessary to service the transaction," including to transmit receipts and order confirmations. Id. And as far as IP addresses are concerned, the court analogized the automatic collection of an IP address between respective computers and networks to "a customer who exposes a facial image when walking into a store." Id. at *9. Because the Act "does not prohibit the voluntary disclosure of PII made independently of a credit card transaction," the Act does not prohibit the collection of IP addresses. Id.
Whether a higher court will adopt Alpinestars'holding that the Act does not apply to online transactions of physical goods shipped to customers' homes remains an open question.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.