Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say “no,” but the California Supreme Court says “yes.” Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse for both online and offline retailers.
In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information. Of course, the credit card itself already has some information—cardmember’s name, card number, CVV and expiration date, but not much more. The purpose of the Sony-Beverly Act was to protect consumers’ privacy when they bought something by credit card. Sure, if you needed something shipped or a warranty card filled out or other “order fulfillment” type things, the merchant could ask for your address. But if retailers just wanted the data to profile you, to market to you, or just because they were nosy, the Act prohibited that.
Sony-Beverly also had an “anti-fraud” provision that allowed a merchant to look at, but not to “write down,” a consumer’s driver’s license number and photograph and mailing address to ensure that consumer was, in fact, the cardmember. This approach could be used to prevent fraud. Well, to prevent some fraud, anyway.
A few years ago, Williams-Sonoma (NYSE:WSM) fell afoul of the statute. It demanded brick-and-mortar customers provide their Zip code, in addition to their credit-card number. The retailer then used that Zip code to determine consumers’ addresses (only one Millard Fillmore in Zip code 14052) and to then use the names and addresses to send catalogues and other marketing materials. That is a no-no, according to the California Supreme Court; even a mere Zip code is “personal information” under the Song-Beverly Act.
But then, the Internet came.
With the advent of E-Commerce, online merchants taking credit cards had no effective way to ask to see (without recording) a driver’s license. For anti-fraud purposes, most credit-card processors demand not only the consumer’s credit card number but also the associated name, address and Zip code. But what about the law?
That’s what David Krescent thought when he signed up for an Apple (NASDAQ:AAPL) iTunes account in California. Apple required Krescent to not only give his credit-card number but provide a bunch of other information (name, address, Zip code, etc.) to make digital purchases of music. Because the commodity delivered was itself digital, and downloaded, Krescent argued, Apple didn’t need his address or Zip code to process the transaction.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
