Decision Of U.S. District Court Judge AliceMarie H. Stotler

DON SAULIC, individually and on behalf of others similarly situated,
Defendants.
SA CV 07-610 AHS (PLAx)
On April 7, 2008, plaintiff Don Saulic (“plaintiff” or “Saulic”) filed a Motion for Class Certification (“the Motion”) and Request for Judicial Notice. On April 21, 2008, defendant Symantec Corporation (“Symantec”) filed opposition. The same day, defendant Digital River, Inc. (“Digital River”) (Symantec and Digital River collectively, “defendants”), filed opposition and a Request for Judicial Notice. On May 5, 2008, plaintiff filed a reply thereto. On May 12, 2008, Digital River filed Objections and a Motion to Strike Evidence in reply. On May 19, 2008, the matter was heard by the Court and taken under submission. On May 22, 2008, plaintiff filed a Notice of Issuance of Court of Appeal Opinion. On May 29, 2008, Symantec filed a Notice of Later-Decided Supplemental Authority in Opposition to the Motion to Certify. On December 23, 2008, Digital River filed a Notice of Later-Decided Supplemental Authority in Opposition to the Motion to Certify.
Plaintiff is a consumer of defendants’ products, which it sells online. This class action suit challenges defendants’ use of a credit card form with a preprinted space for a customer’s personal identifying information (“PII”) in the consummation of its online sales as a violation of the Song-Beverly Credit Card Act, California Civil Code § 1747.08 (“section 1747.08”). The Song-Beverly Act imposes on businesses three substantive prohibitions:
(a) Except as [otherwise] provided . . . no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:

(1) Request, or require, as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.

(3) Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification of the cardholder.

Cal. Civ. Code § 1747.08(a).
The Act provides for civil penalties of $250.00 for the first violation and $1,000.00 for each subsequent violation. See id. § 1747.08(e).
Plaintiff alleges Symantec, using Digital River as its online retailer, violates the statutory requirements of section 1747.08 in the following ways: (1) defendants use credit card forms with preprinted spaces specifically designed for filling in PII of the cardholder in violation of section 1747.08(a)(3); (2) defendants request or require PII as a condition of accepting credit card payments in violation of section 1747.08; and (3) these violations are ongoing.
A. Plaintiff’s Motion
1. Motion for Certification
On January 26, 2007, plaintiff made an online purchase of Norton AntiVirus 2007 (“NAV”) from a website owned and/or operated by defendants and entitled The purchase allowed him to download NAV to his computer but did not involve the physical shipment of a product. At the purchase screen, Saulic was presented with a credit card form with spaces for filling in PII, and it required that he disclose both his address and telephone number. Using his credit card, which also functions as a debit card, plaintiff completed the purchase and downloaded NAV.
On or about March 12, 2008, plaintiff made a renewal purchase of NAV through, which is owned by Symantec and operated by Digital River. Saulic was again presented with a form on which to fill in his credit card information and his address and phone number. He filled in this information and completed the purchase of the renewal rights. The transaction did not involve shipment of a product.
Defendants’ use of a computer screen form with spaces for filling in PII and a request for and/or requirement of the disclosure of such information in the context of credit card transactions is in violation of section 1747.08(a)(1) and (2). Plaintiff brings the action on behalf of himself and others similarly situated in North and/or South America who have made purchases of goods and/or services from defendants within the prior three years or applicable statute of limitations period.
Plaintiff seeks the following relief: (1) civil penalties pursuant to section 1747.08(e) “not to exceed two hundred fifty dollars ($250.00) for the first violation and one thousand dollars ($1,000.00) for each subsequent violation”; (2) entry of a preliminary injunction followed by a permanent injunction to bar defendants’ continued violations of section 1747.08; and (3) attorney’s fees and costs.

a. Certification under Rule 23
Plaintiff brings the action on behalf of himself and others similarly situated as stated above, the proposed class to be limited to those persons: (1) who downloaded defendants’ products from the Internet without a physical product being sent to them; (2) who used a credit card as payment; (3) whose transactions fall under California law; and (4) from whom defendants required or requested PII and/or used a credit card form in violation of section 1747.08.

i. Numerosity
The class is so numerous as to make joinder impracticable. The numerosity requirement is clearly satisfied because there are millions of class members throughout the United States, Canada, and Latin America. Certification will serve judicial economy.
ii. Commonality/Typicality
Plaintiff’s claims, even though there are two defendants, are common and typical because there is a core of salient facts. While Saulic purchased the Symantec NAV from a website that Digital River operated, Saulic was the victim of a “common corporate practice” that extends from Symantec to its agents at Digital River. See Dukes v. Wal-Mart, Inc., 509 F.3d 1168, 1180 n.4 (9th Cir. 2007) (a common corporate practice exists where there is a “corporate culture of uniformity”). Consequently, every putative class member need not have shopped at the same store or been subjected to the same manager-agent. The Symantec and Digital River agreement demonstrates a shared practice based on centralized decision-making. This agreement provides that Symantec has control over content, requires the recordation, transmittal of PII to Symantec, and requires that the website have the “look and feel” such that customers will believe they are dealing directly with Symantec. Symantec directs its agent, Digital River, to collect several items of PII in each transaction and from each customer. (Ex. 16, the Agreement, pp. 22, 27, 28.)
Questions of law and fact are common to the class. There is a system-wide practice employed by and centralized with Symantec that results in the violation of the Act. Under an online sales agreement, Digital River is Symantec’s agent. It is therefore appropriate to pursue relief from both parties.
Saulic’s claim is typical of the class. Although he purchased NAV through Digital River, the same practice of requesting personal information in violation of the Act is practiced across all Symantec sales hosts at Symantec’s direction.

iii. Adequacy of Representation
Saulic is an adequate representative. He is familiar with the gravamen of the claim and has monitored the action. He also has no conflict of interest and, therefore, will represent members of the class fairly.
Moreover, Saulic’s attorneys are well qualified to conduct the proposed litigation. They have more than ninety years combined experience, including multiple prior class action representations.
b. Certification under Rule 23(b)(2)
Certification pursuant to Rule 23(b)(2) is permissible where injunctive relief predominates the claims, even where money damages are sought. Here, plaintiff seeks injunctive relief because there would be no end to defendants’ unlawful practices without it. Moreover, where monetary relief does not depend upon individualized computations and is easy to calculate, courts have found it secondary to injunctive relief.
c. Certification under Rule 23(b)(3)
Alternatively, the Court may certify this action under Rule 23(b)(3) because common issues predominate. Violation of section 1747.08 is the primary issue, and the amount of civil penalties awarded is merely a question of determining their amount and calculating them on behalf of the class.
Class treatment is preferable to individual suits because each plaintiff has incurred only a small amount of damages. There is no need to engage in separate prosecution where the damages award is not more than $1,000.00 per violation. Attorneys will be able to manage the class through the Internet, and defendants’ customer e-mail lists will enable notice and class communication.

d. Defining the Class
The class should be defined as all who live in North America/South America and who have made purchases from defendants within the last three years or the applicable statute of limitations period. California law applies to these transactions by either operation of law, the agreement between the customer and defendants, or the transfer of products to California residents. The class is limited to those who used a credit card as payment in full or in part and for whom defendants requested PII as defined in section 1747.08.
B. Defendants’ Opposition
1. Symantec
a. Certification under Rule 23(b)(2) Is Unavailable
Under Rule 23(b)(2), a court should not certify a class where a plaintiff is ineligible for injunctive relief. Here, section 1747.08 provides that only the attorney general may seek injunctive relief, and thus, plaintiff’s claim fails. A separate section of the statute provides for penalties for private persons. Thus, injunctive relief is not an available remedy for plaintiff. See Religious Tech. Ctr. v. Wollersheim, 796 F.2d 1076, 1082 (9th Cir. 1986). Also, California Code of Civil Procedure § 526, the state statute that permits injunctive relief, does not allow for injunctive relief in this circumstance. It is clear that plaintiff’s objective is monetary damages, which precludes certification under Rule 23(b)(2).
While Rule 23(b)(3) does permit certification for a class seeking damages, it does not apply here because Saulic fails the “superiority” requirement. If the Court certifies the class, the defendants’ potential liability would be enormous and completely out of proportion to any harm plaintiff suffered. London v. Wal-Mart Stores, Inc., 340 F.3d 1246, 1255 n.5 (11th Cir. 2003). Denying certification would keep with the rationale of many other cases in similar areas of law. Plaintiff admits he suffered no harm, but the potential damages against defendants would be in the hundreds of millions. Thus, certification of the class should be denied.
b. This Class Cannot Be Certified under Rule 23(a) Because Saulic Is Not Typical of the Proposed Class
Saulic cannot seek certification under Rule 23(a) because he lacks standing and is subject to unique defenses. For certification to be appropriate, a class representative must have a claim and injury related to each defendant. Saulic’s transactions do not relate to Symantec, only Digital River. Saulic attempts to circumvent this defect by arguing an unfounded interpretation of the statute and claiming that Symantec would ultimately receive the information. The statute, however, cannot be applied so broadly, and Digital River is Symantec’s independent contractor. Thus, Saulic does not demonstrate typicality.
Class certification also is inappropriate when the putative class representative is subject to unique defenses. Saulic tried to manufacture his claims rather than just purchase a product as a regular consumer, which makes him unique and renders him an inadequate class member.
c. The Proposed Class Is Not Ascertainable
Saulic’s proposed class is vague as to time and membership, which causes it to fail. Plaintiff seeks to certify people in numerous countries and apply California law to all of them, which overlooks principles of due process and comity. Saulic does not establish a legally cognizable basis to extend California’s regulation of credit card transactions to the rest of the world.
2. Digital River
a. The Injunctive Relief Sought Is Unavailable and Secondary
Section 1747.08 does not permit a private plaintiff to sue for injunctive relief. Under principles of statutory construction, if the statute does not include a provision, it is excluded. Because injunctive relief is addressed in a different subsection than civil penalties, it is not available to plaintiff. Moreover, the claim is not among the limited forms of injunctive relief enumerated in California Code of Civil Procedure § 526(a). Lastly, injunctive relief is unavailable because plaintiff is not exposed to continuing adverse effects. He was not injured when he made the purchase and, therefore, cannot be experiencing harm that an injunction could cure.

b. The Putative Class Lacks Commonality and Predominance
At least two categories of transactions must be excluded from plaintiff’s purported class as a matter of law: corporate cards and debit cards. This is because section 1747.08 applies only to credit cards. Hundreds of thousands of mini-trials would be required to determine which claims are proper, which is made more difficult because strict encryptions are placed on all customers’ card information. As such, commonality and predominance are absent. Moreover, plaintiff fails to specify the time period of the proposed class, and claims under section 1747.08 are subject to a one-year statute of limitations. See Cal. Code Civ. Proc. § 340(a).
c. A Class Action Is Not Superior Because of the Gross Disproportionality
Plaintiff suffered no harm and provides no evidence that any putative class members have suffered harm. To determine if any of the putative class members were harmed, more mini-trials would be required. Without any determinable harm, the imposition of civil penalties would greatly outweigh that harm.

d. Choice of Law Issues Predominate
Section 1747.08 can only apply to putative class members’ transactions if choice of law principles allow it. There are several distinct groups of transactions for which the Court must determine choice of law. For example, Minnesota law expressly governs the majority of purchases made after February 12, 2008, based on the terms and conditions accepted at the time of purchase. Additionally, California law does not apply to Digital River because, contrary to plaintiff’s argument, Symantec’s End User License Agreement does not apply to the sale transaction and Digital River is not a party to that contract. See Cal. Civ. Code §§ 1550, 1558, 1580. Further, customers who contracted for the extended download service agreed to Minnesota law at the time of purchase. Consequently, the Court would be required to inquire into each putative class member’s purchase to adequately determine choice of law.
It would be improper and unconstitutional to apply California law to extraterritorial purchases. Plaintiff relies on Wershba v. Apple Computer, Inc., 91 Cal. App. 4th 224, 242, 110 Cal. Rptr. 2d 145 (2001), to argue that California law should apply. That case is inapplicable because none of the prerequisites necessary are found here. For example, unlike Wershba, Digital River is a Minnesota company with its principal place of business there.
Plaintiff also fails to meet his burden of demonstrating a suitable and realistic plan for trial of the class claims. Plaintiff does not explain how each of the states and countries included in the putative class balance their interests in preventing fraud and identity theft with California’s concern of protecting PII. This failure also defeats certification.

e. Plaintiff Is Atypical and Inadequate
Plaintiff lacks standing because he made his purchase with a debit card. The majority of the class used a credit card, and plaintiff’s interests are antagonistic to the other putative class members. Plaintiff made a second online purchase with another card but did so only to shore up his standing. A person cannot establish injury and standing by spending money solely to pursue litigation. See Buckland v. Threshold Enters., Ltd., 155 Cal. App. 4th 798, 815, 66 Cal. Rptr. 3d 543 (2007). Plaintiff is also subject to an unclean hands defense, which makes his claims atypical from those of the purported class. If plaintiff is successful, it will promote credit card fraud and identity theft.

f. Counsel Are Inadequate as Class Counsel
Plaintiff’s counsel are inadequate because they lack class action experience. They fail to argue tenable legal positions, fail to provide an adequate class definition, and fail to provide a realistic plan to manage the case. Thus, counsel are inadequate to perform as class counsel.
C. Plaintiff’s Reply
1. This Action Should Be Certified under Rule 23(b)(2)
The Court should certify under 23(b)(2) because that provision does not require class notice or opt-outs. Also, the injunctive remedy predominates where damages are easily calculated by a uniform measure across the class. DeMarco v. Nat’l Collector’s Mint, Inc., 229 F.R.D. 73, 81 (S.D.N.Y. 2005). Thus, injunctive relief predominates here because damages will be uniform. Plaintiff seeks injunctive relief because defendants continue their illegal practices. Even if Minnesota law applies, it too has a statute that bans collection of PII. Thus, if Minnesota law applies to some of the class, the class definition may be adjusted accordingly.
Certification under 23(b)(2) is not limited to civil rights cases. Courts certify many consumer class actions. Plaintiff has the right to pursue an injunction under California law under California Code of Civil Procedure § 526, and section 1747.08 is not as narrow as defendants read it. If the legislature intended to restrict section 1747.08 in that fashion, it would have written the law in that language.
2. Certification Is Proper under Rule 23(b)(3)
Plaintiff has no conflict of interest with the class and will vigorously prosecute the matter. Plaintiff’s renewal of his subscription was not illegal, and his prior experience as a plaintiff makes him better able to participate in the case. Additionally, plaintiff suffered an injury: not being able to withhold his PII, which is what he testified to at deposition. Plaintiff’s interests also are not contrary to the class because there is no exception in section 1747.08 for the prevention of fraud.
Symantec designed the website, which Digital River manages, to look like it is controlled by Symantec, and plaintiff made his purchases in essence from both; moreover, plaintiff’s debit card functions as both a debit card and credit card, and, thus, he has standing to bring suit against both defendants. Because a violation occurs upon the mere presentation of a credit card form that asks for PII, any consumer subjected to such a violation has standing to enjoin a future occurrence for the same illegal act. Friends of the Earth, Inc. v. Laidlaw Env’t Serv., Inc., 528 U.S. 167, 168, 120 S. Ct. 693, 145 L. Ed. 2d 610 (2000). Plaintiff is typical of the class because defendants’ conduct constitutes a uniform practice directed against all customers on their web sites.
3. Common Issues of Law and Fact Predominate
Defendants admit they employ a uniform practice of requesting and requiring customers to disclose their personal information, which is sufficient alone to prove commonality. This vitiates the need for mini-trials to determine whether a plaintiff used a particular type of card. Additionally, defendants cannot attempt to avoid a class suit merely because their own encryption process makes it more difficult to determine the class members. Six Mexican Workers v. Ariz. Citrus Growers, 904 F.2d 1301, 1306-07 (9th Cir. 1990). The Court can accept defendants’ statements that over 90% of their purchases are credit card transactions, which would obviate any speculative need for mini-trials.
Moreover, defendants fail to conclusively prove that there is a choice of law issue. Defendants must show a conflict between California law and those of other states, which they did not do. There is no choice of law impediment to certifying the class.
4. Discretion To Award Penalty Does Not Render Class Inferior
There is no danger here of “annihilating” damages because section 1747.08 provides for a fixed minimum penalty. Ninth Circuit law holds that class action complaints seeking statutory penalties should not be denied certification for concern of annihilating damages. See id., at 1309-10. The due process doctrine should not be used to frustrate class action certification.
5. The Class Is Adequately Defined
The statute of limitations is unquestionably three years and does not prevent class certification. Additionally, defendants acknowledge that over 90% of the transactions are by credit card, so the class is ascertainable. The purchase of extended download service is irrelevant to determining class members because those customers were still requested to provide PII. Lastly, the class must include all purchasers who are California residents, and defendants’ choice-of-law concerns cannot limit the class because they made their product available broadly.
A. Legal Standard for Plaintiff To Bring Suit against Defendants
The Court of Appeals for the Ninth Circuit has held that standing may be addressed before class certification where, as here, the court is not considering a global class settlement. Easter v. Am. W. Fin., 381 F.3d 948, 962 (9th Cir. 2004) (holding that the Supreme Court’s decision in Ortiz v. Fibreboard Corp., 527 U.S. 815, 119 S. Ct. 2295, 144 L. Ed. 2d 715 (1999), did not require considering class certification before standing); see also Lee v. Oregon, 107 F.3d 1382, 1390 (9th Cir. 1997) (“Standing is a jurisdictional element that must be satisfied prior to class certification.”).
To establish standing, a plaintiff must show, among other things, he has suffered an injury in fact, defined as “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S. Ct. 2130, 119 L. Ed. 2d 351 (1992). The “injury in fact” requirement under Article III “turns on the nature and source of the claim asserted,” and in some cases, an injury in fact “may exist solely by virtue of ‘statutes creating legal rights, the invasion of which creates standing. . . .'” Warth v. Seldin, 422 U.S. 490, 500, 95 S. Ct. 2197, 45 L. Ed. 2d 343 (1975) (quoting Linda R.S. v. Richard D., 410 U.S. 614, 617 n.3, 93 S. Ct. 1146, 35 L. Ed. 2d 536 (1973)). “Essentially, the standing question in such cases is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff’s position a right to judicial relief.” Id.
1. Plaintiff’s Standing under the Act
The Act has no separate or additional standing requirement. It merely requires that a consumer engaged in a credit card transaction in which PII was requested or required in violation of the Act. See Cal. Civ. Code § 1747.08(a).
Plaintiff alleges defendants violated the statute with regard to him first on January 26, 2007, when he made an online purchase of NAV and was required to submit his address and telephone number as a condition of completing an online transaction, and second on March 12, 2008, when he renewed his NAV product online and was again required to submit his address and telephone number. (See Mot. Ex. 17, Saulic Decl., pp. 3-4, ¶¶ 10-14.)
2. Plaintiff’s Standing to Sue Symantec
Symantec argues plaintiff lacks standing as against it because plaintiff never purchased anything from Symantec. While the purchases were for Symantec products, the transactions in which the PII were requested occurred through Digital River. Therefore, plaintiff did not suffer any wrong at the hands of Symantec.
The degree of proof necessary to establish standing differs at various stages of the proceedings. Lujan, 504 U.S. at 561 (“At the pleading stage, general factual allegations of injury resulting from the defendant’s conduct may suffice,” but “[i]n response to a summary judgment motion . . . the plaintiff can no longer rest on such mere allegations, but must set forth by affidavit or other evidence specific facts, which for purposes of the summary judgment motion will be taken to be true.” (citations omitted)).
Here, plaintiff shows that he visited a website with the “Symantec” name that sold “Symantec” branded products. While it is true that Digital River manages the sales of Symantec products, a review of Symantec and Digital River’s “Second Amended and Restated Symantec Online Store Agreement” (the “Agreement”) suggests that Symantec is a proper party. (Mot. Ex. 16, p. 236.) The Agreement entered into with Digital River makes Digital River the online distributor for Symantec products. The Agreement requires that the online “Storefront” for Symantec products “meet Symantec’s specifications and . . . contain all features, including graphical components that comprise the ‘look and feel’ of Symantec’s Storefront.” (Id. at 239.)
Additionally, Digital River is to prominently identify itself as “Symantec’s contracted vendor.” (Id.) The Agreement also states that Symantec “shall have sole discretion regarding the Content (other than pricing information for Symantec Products), structure and look and feel of the Storefront.” (Id. at 240.) The Agreement specifies that “Digital River shall permit Customers to make orders directly through the Internet via online order forms.” (Id. at 242.) This evidence suffices to establish Symantec as a proper party.
B. Transactions Covered by the Act
Plaintiff contends that if his transaction was of the type defined by the statute and if the information requested was of a type prohibited by the statute, he has standing to sue even if he did not suffer any personal harm or loss. While no injury in fact is required under the statute, the Court finds, as set forth below, that plaintiff’s transaction was not of a type defined by the statute.
The Act’s subdivisions, paraphrased, prohibit defendants from “(1) having the cardholder write personal information on the credit card form, (2) having the cardholder furnish personal information for [defendants] to write on the credit card form, and (3) using forms containing preprinted space for personal information.” TJX Cos., Inc. v. Superior Court, 163 Cal. App. 4th 80, 88, 22 Cal. Rptr. 3d 114 (2008). The Act makes no reference to online credit card transactions.
Plaintiff does not cite, and the Court does not find, any state or federal case in which a violation of the Act is found based on an online transaction. See Korn v. Polo Ralph Lauren Corp., —F. Supp. 2d—, No. CV S07-02745, 2008 WL 2225743 at *1 (E.D. Cal. May 28, 2008) (alleging violation for request of PII in credit card transactions at “Defendant’s retail store located in Vacaville, California”); Romeo v. Home Depot U.S.A., Inc., No. 06CV1505, 2007 WL 3047105, at *1 (S.D. Cal. Oct. 16, 2007) (alleging violation for request of PII in credit card refund transaction at “Defendant’s store”); Thompson v. Home Depot, Inc., No. 07CV1058, 2007 WL 2746603, at *1 (S.D. Cal. Sept. 18, 2007) (alleging violation for request of PII in credit card transactions at “Home Depot Inc.’s retail store”); Linder v. Thrifty Oil Co., 23 Cal. 4th 429, 434, 97 Cal. Rptr. 2d 179 (2000) (alleging violation of section 1747.8 of Song-Beverly Credit Card Act of 1971 (renumbered as section 1747.08 in 2004) for request of PII in credit card transactions for gasoline purchases); Absher v. AutoZone, Inc., 164 Cal. App. 4th 332, 78 Cal. Rptr. 3d 817 (2008) (alleging violation for request of PII in credit card transactions at auto parts store); Florez v. Linens ‘N Things, Inc., 108 Cal. App. 4th 447, 451, 133 Cal. Rptr. 2d 465 (2003) (alleging violation for request of PII in credit card transactions at retail outlets).[1]

[1] See also Party City Corp. v. Superior Court, No. D053530, — Cal. Rptr. 3d —, 2008 WL 5264023 (Cal. Ct. App. Dec. 19, 2008) (holding that Party City’s request for a zip code in a brick-and-mortar transaction does not violate section 1747.08).
1. Interpreting the Act and Its Purpose
Where statutory language is clear and unambiguous, it will be applied according to its terms. Wilson v. Safeway Stores, Inc., 52 Cal. App. 4th 267, 272, 60 Cal. Rptr. 2d 532 (1997). At oral argument, plaintiff agreed that online transactions are not specifically covered by the Act, but counsel argued that application of the Act to online transactions is a natural outgrowth of the increase in online purchases; while online transactions are not included in the language of the Act, as a consumer credit card transaction, they are covered by the Act’s prohibitions. See Cal. Civ. Code § 1747.08(a)(3) (prohibiting use “in any credit card transaction, of a credit card form which contains preprinted spaces specifically designated for filling in any personal identification of the cardholder”). The statutory language is silent as to both the form of the credit card transaction and whether the request is made in person or online. Plaintiff’s contention warrants a study of the purpose of the Act’s prohibition on collection of PII in the course of a credit card transaction.
To interpret a statute, the Court should look first to its plain language, and then construe the law with its object and policy concerns in mind. United States v. 475 Martin Lane, 545 F.3d 1134, 1141 (9th Cir. 2008). “When a natural reading of the statutes leads to a rational, common-sense result, an alteration of meaning is not only unnecessary, but also extrajudicial.” Az. State Bd. for Charter Schs. v. U.S. Dep’t of Educ., 464 F.3d 1003, 1008 (9th Cir. 2006). As noted in Florez, the original enactment of the 1991 amendment to the Act addressed two privacy concerns: “[F]irst, that with increased use of computer technology, very specific and personal information about a consumer’s spending habits was being made available to anyone willing to pay for it; and, second, that acts of harassment and violence were being committed by store clerks who obtained customers’ phone numbers and addresses.” 108 Cal. App. 4th at 452 (citing California Assembly Committee on Finance and Insurance, Background Information Request on Assembly Bill No. 2920. Stats. 1990, ch. 999, § 1 [A.B. No. 2920]). The purpose of the Act appears to be to protect consumer privacy in the course of a retail transaction, and this Committee analysis suggests the Act was specifically passed with a brick-and-mortar merchant environment in mind. While the use of computer technology is mentioned, the language does not suggest the Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment where there is no ability to confirm the identity of the customer. Neither the language of the Act nor its legislative history suggests the Act includes online transactions.
2. Applying National Federation of the Blind v. Target Corp.
Plaintiff cites National Federation of the Blind v. Target Corp., 452 F. Supp. 2d 946 (N.D. Cal. 2006). There, plaintiffs brought an action against Target Corporation claiming its online retail presence,, was inaccessible to the blind in violation of federal and state laws prohibiting discrimination against the disabled. Id. at 949. Defendants argued the complaint failed to state a claim because “ is not a place of public accommodation within the meaning of the ADA” or state anti-discrimination law. Id. at 951. The district court rejected defendants’ argument, finding “to the extent that plaintiffs allege that the inaccessibility of impedes the full and equal enjoyment of goods and services offered in Target stores, the plaintiffs state a claim [under the ADA]. . . .” Id. at 956.
The basis for the court’s decision in National Federation does not assist in the analysis of the Act. In National Federation, defendants argued that the Ninth Circuit’s determination that places of “public accommodation” under the ADA are “actual, physical places” and accordingly can only violate the ADA if it “denies physical access to Target’s brick-and-mortar stores.” Id. at 954 (citing Weyer v. Twentieth Century Fox Film Corp., 198 F.3d 1104, 1114 (9th Cir. 2000) (finding places of “public accommodation” under the ADA are “actual, physical places”)). National Federation rejected this argument, relying on the Ninth Circuit’s interpretation of the scope of discrimination covered by the ADA, wherein it has found “discrimination in the enjoyment of goods, services, facilities or privileges, is that whatever goods or services the place provides, it cannot discriminate on the basis of disability in providing enjoyment of those goods and services.” Id. (citing Weyer, 198 F.3d at 1115). Accordingly, National Federation found “the inaccessibility of denies the blind the ability to enjoy the services of Target stores.” Id. at 955. This analysis did not simply adopt an expansive reading of the ADA to include online retailers. Rather, it looked to the legislative purpose of the statute to determine whether its application to the website was consistent with the intent of the statute.
Here, plaintiff does not offer, and the Court does not find, a similar justification for expanding the application of the Act to online transactions. Consistent with National Federation, application of the Act to online transactions must advance the Act’s purpose.
3. The Act’s Purpose
While the legislative purpose of the Act was to “address the misuse of personal information for, inter alia, marketing purposes,” recent state and district court decisions give deference to a competing interest: fraud prevention through PII collection. Absher, 164 Cal. App. 4th at 345. Numerous cases have recently sought an expansive reading of the Act to include a prohibition on requests for PII when a customer requests a refund for the return of merchandise purchased by credit card, as well as the purchase transaction itself. See Korn, 2008 WL 2225743, at *1; Romeo, 2007 WL 3047105, at *1; TJX Cos., 163 Cal. App. 4th at 80; Absher, 164 Cal. App. 4th at 339. California courts and district courts have all reached the same conclusion: the Act “does not apply to credit card refund transactions.” Romeo, 2008 WL 2697229, at *1 (citing TJX Cos., 163 Cal. App. 4th at 87-88).
Rejecting a reading of the statute which would extend its application to refund transactions, a California appeals court cited the legislative history of the Act, noting that in adopting the Act the legislature found “no need for the retailer to request” PII to complete a credit card transaction “since the credit card issuer already has that information.” TJX Cos., 163 Cal. App. 4th at 89 (citing Enrolled Bill Report of the California Department of Consumer Affairs, Assembly Bill No. 1477 (1991-1992 Reg. Sess.)). Comparing the interest in collecting PII for refund transactions versus purchases, TJX Companies found that “[t]he same considerations do not apply to merchandise returns. Here there are substantial opportunities for fraud and it behooves the merchant to identify the person who returns merchandise, which subsequent examination may disclose to have been used, damaged, or even stolen.” TJX Cos., 163 Cal. App. 4th at 89. Similarly, Absher found “returns of merchandise are arguably different,” than the original purchase transaction because the merchant: (1) has an interest in preventing employee fraud in the course of the transaction and (2) if the product has been used or damaged, there may be “a legitimate need to contact the customer who made the return.” 164 Cal. App. 4th at 346.
4. Fraud Concerns with Online Transactions
As in refund transactions, an online transaction raises fraud concerns. Defendants point out that there are numerous differences between a “brick and mortar” purchase and an online purchase and the merchant’s ability to ensure the cardholder is who she claims to be. For example, an in-person transaction provides the merchant with the opportunity to check the customer’s signature on her credit card against the signature on the credit card slip. (Decl. of Andrew Barker ¶ 44 (“Barker Decl.”).) Additionally, the merchant can ask for picture identification to compare the person in front of them to the name on the credit card. (Id.) Certain credit cards even include the consumer’s picture imprinted on the card, allowing the merchant to confirm that the cardholder is who she claims to be. In an online transaction, without a request for PII, online merchants must ultimately accept payment with nothing more than a name and credit card number — there is no “verification.”
Plaintiff asserted at oral argument the existence of numerous ways to confirm the identity of the cardholder in an online transaction without relying on PII. Defendants counter, however, with an extensive explanation of the Digital River fraud prevention process wherein PII is compared against various “data point for conflicts and irregularities” that flags a potentially fraudulent transaction. (Id. ¶ 47.) When Digital River’s “fraud indicators” suggest a potentially fraudulent transaction, they call the consumer to verify the transaction. (Id. ¶ 51.) In addition, Digital River notes that its payment processor, “Paymentech,” also uses customer PII to run its own fraud checks. (Id. ¶ 52.) Digital River also uses the customer’s phone number to address any online delivery problems that cannot be resolved through e-mail. (Id. ¶ 55.)
The Court must recognize plaintiff’s argument that identity theft is a potential concern where PII is shared. But, plaintiff did not offer, and the Court does not find, any support for protecting this interest in online transactions in the Act or its legislative history. Instead, the Act appears to be concerned with the use of PII for unsolicited marketing. In keeping with the precedents finding that refund transactions are outside the category of transactions covered by the Act because of the unique fraud concerns created by those transactions, the Court also finds online transactions are not encompassed within the Act. Thus, plaintiff’s claim cannot be maintained.
For the foregoing reasons, the Court denies plaintiff’s Motion for Class Certification. Plaintiff’s and Digital River’s Requests for Judicial Notice are denied and evidentiary objections are overruled.
IT IS FURTHER ORDERED that the clerk shall serve a copy of this Order on counsel for all parties in this action.
DATED: January 5, 2009.

U.S. DISTRICT JUDGE AliceMarie H. Stotler

