Well-Crafted PII Capture Policies Remain Important For Retailers
By Andrew B. Joseph, Meredith C. Slawe, Katherine L. Villanueva, Katie B. Garayoa and Elizabeth L. Coyne
Many retailers will recall the barrage of cases filed in California and Massachusetts from 2011–2013 relating to the collection of consumers’ ZIP codes as part of in-store credit card transactions. The California cases were brought under the Song-Beverly Credit Card Act of 1971 (the “Act”) following the California Supreme Court’s decision in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011), in which it held that ZIP codes constitute personally identifiable information (PII). Though activity in this area has garnered less attention in recent years, some California plaintiffs continue to file putative class actions alleging that retailers’ ZIP code capture policies and practices violate their rights under the Act. See Doan v. Cort Furniture Rental Corp., No. 30-2017-00904345-XX-XX-CXC (Orange Cty. Sup. Ct.); Le v. LA Furniture, No. BC645110 (Los Angeles Cty. Sup. Ct.); Yeheskel v. Brighton Collectibles, LLC, 56-2016-00489019-CU-BT-VTA (Ventura Cty. Sup. Ct.); Hasselbring v. Room & Board Inc., No. 30-2016-00853813-CU-BT-CXC (Orange Cty. Sup. Ct.).
With this litigation climate in mind, and considering the present-day common practice of requesting customers’ ZIP codes—and email addresses—at the point of sale, retailers with a presence in California should continue to implement safeguards to ensure compliance.
Background and Legal Framework of the Song-Beverly Act
Designed to promote consumer protection, the Act regulates “credit card practices by prescribing procedures for billing, billing errors, dissemination of false credit information, issuance and unauthorized use of credit cards.” Pineda, 51 Cal. 4th at 538–39 (internal quotation marks and citation omitted). The Act is intended to be remedial, and courts construe its terms liberally to achieve the objective of protecting consumers, “which includes addressing ‘the misuse of personal identification information for, inter alia, marketing purposes.’” Pineda, 51 Cal. 4th at 532 (quoting Absher v. AutoZone, Inc., 164 Cal. App. 4th 332, 345 (2008)).
In 1990, the California legislature amended the Act to include protections for PII in cardholder transactions. Specifically, California Civil Code, Section 1747.08 prohibits entities that accept credit cards from requesting PII from a customer at the time of a transaction, and then recording that PII. Cal. Civ. Code § 1747.08(a) (“[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . (2) [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide [PII], which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”).1
The Act defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Cal. Civ. Code § 1747.08(b). Significantly, in 2011, the California Supreme Court held that ZIP codes constitute PII for purposes of the Act. See Pineda, 51 Cal. 4th at 534. This decision opened the door for numerous lawsuits against retailers. In addition to asserting claims regarding retailers’ requests for ZIP code information at the point of sale, consumers have also alleged violations of the Act in connection with retailers’ requests for their telephone numbers, driver license numbers and, more recently, email addresses.
The plaintiffs class action bar took notice of Pineda and began investing in this area, seeking to leverage the class action device and the statutory damages provision. The Act provides for civil penalties of up to $250 for a first violation and $1,000 for each subsequent violation with no cap on aggregate damages.2
Guidelines for Compliant PII Requests
While the Act guards against the misuse of consumers’ information, it does not impose an absolute prohibition on requesting PII. What matters is “whether a consumer would perceive the store’s ‘request’ for information as a ‘condition’ of the use of a credit card.” Florez v. Linens ‘N Things, Inc., 108 Cal. App. 4th 447, 451 (2003). Thus, a violation of the Act only occurs where the business requests the PII “under circumstances in which the customer could reasonably understand that the [PII] was required to process the . . . transaction.” Harrold v. Levi Strauss & Co., 236 Cal. App. 4th 1259, 1268 (1st Dist. 2015). A request for the PII is improper if it is structured to appear like a condition of making a credit card purchase.
Importantly, the Act provides a complete defense to a retailer who can show that (i) the violation is the result of a bona fide error; and (ii) the retailer maintains procedures designed to avoid such an error. See Cal. Civ. Code § 1747.08(e). Therefore, retailers who craft policies designed to avoid customers’ perceptions that PII requests are mandatory will have a strong defense against consumer suits for violations of the Act. For example, in Harrold v. Levi Strauss & Co., California’s 1st District Court of Appeals explained that if the ZIP code, e-mail address or other PII is requested following the transaction, a customer could not reasonably believe that the provision of this information was a prerequisite to making a credit card payment. Harrold, 236 Cal. App. 4th at 1268.
The Southern District of California provided helpful guidance in Yeoman v. Ikea U.S.A. West, Inc., No. 11-0701, 2014 WL 7176401 (S.D. Cal. Dec. 4, 2014), vacated and remanded sub nom. Medellin v. IKEA U.S.A. W., Inc., No. 15-55174, 2017 WL 128112 (9th Cir. Jan. 13, 2017) (reversing and remanding on Article III standing grounds under Spokeo), by finding that a policy requiring cashiers to inform customers that they were requesting ZIP codes on a voluntary basis in order to determine where to build new stores did not violate the Act. Because the retailer in Yeoman maintained a clear policy specifically designed to avoid violations of the Act, the plaintiff could not show that it had violated it with respect to each member of the putative class. Yeoman, 2014 WL 7176401, at *6.
Crafting a PII-capture policy that is compliant with the Act remains important and, in an environment where everyday shoppers are aspiring class action plaintiffs, it will reduce litigation risk. To ensure compliance with the Act, retailers should implement practices such as waiting under after a credit card transaction is complete before requesting a customer’s PII, requesting PII at locations other than at the point-of-sale during the shopping experience or disclosing to customers that the provision of PII is not required as a condition of payment.
Regardless of the method, a well-designed procedure will train sales associates to make clear that the disclosure of PII is voluntary and give customers an opportunity to decline.
1 The prohibition against requesting PII, however, has the following exceptions: (1) if the credit card is being used as a deposit to secure payment in the event of default, loss, damage, etc.; (2) cash advance transactions; (3) if the business accepting the credit card is contractually obligated to provide PII in order to complete the transaction; (4) gas station transactions where the ZIP code is used solely for fraud prevention; (5) if the business accepting the card is obligated to collect and record the PII by federal or state law or regulation; and (6) if the PII is required for a special purpose incidental to the transaction, e.g. delivery or installation of purchased merchandise. Cal. Civ. Code § 1747.08(c). Moreover, the Act does not prohibit a retailer from requiring a cardholder to produce identification before the retailer accepts payment, provided that the information on the identification card is not recorded. Cal. Civ. Code § 1747.08(d).
2 The Act provides a bona fide error defense for those who can show that the violation was unintentional and made notwithstanding procedures adopted to avoid that error. Cal. Civ. Code § 1747.08(e).