StorefrontBacktalk

California Supreme Court Ponders Whether Online Privacy Is Different From In-Store Privacy

Written by Mark Rasch

November 7th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a case to be argued Wednesday (Nov. 7), the California Supreme Court will decide whether to treat brick-and-mortar stores differently from online stores when it comes to the collection of personal information about customers who make purchases by credit card. The case could have serious consequences for personal privacy of online customers, as well as for the ability of online retailers to prevent fraud and authenticate their customers.

Several online retailers, including Apple, eHarmony and Ticketmaster, were sued in a class-action lawsuit that claimed their collective practice of collecting certain personal information—including consumers’ names, street addresses, telephone numbers and E-mail addresses—violate the provisions of a 1971 law that precludes the collection of personal information about users of payment cards. The E-tailers are arguing before California’s highest court that the 1971 law didn’t contemplate online transactions, that prohibitions on merchants “writing down” consumer information don’t apply to data entry into a computer databases and, besides, they need this information to authenticate users and prevent fraud. In the “real” world, of course, you can ask to see customers’ driver’s licenses and authenticate them that way (as long as you don’t write down the number). You can’t do that online. So, Apple complains, the law improperly discriminates against online merchants.

Not so fast, say consumers. The purpose of the law, called the Song Beverly Act of 1971, was to protect the privacy of consumers who make transactions. It was designed to prevent California merchants (merchants doing business in California) from compiling a dossier on their customers simply because they paid by credit card. And this, the customers allege, is exactly what the online merchants are trying to do.

But wait, complain the World Wide Webheads. We need to collect a bunch of personal information to deliver the goods and services you want. Unlike a brick-and-mortar store, where the goods can be handed to the customer, online merchants need the information to get the goods to the consumer. They need to collect the consumer’s MAC address, IP address, E-mail address, etc., to make sure that the products get to the correct payer. All of this is completely kosher and above board. And besides, California has another law that requires online merchants to disclose their data collection and privacy policies. “As long as we tell you what we are collecting and why, and what we are going to do with it, what’s the problem? Your privacy is protected by our disclosed Terms of Service.”

Unh, uhn. The California Supreme Court previously ruled that a brick-and-mortar store could not even ask customers for their ZIP Codes, because this was “personal information.” Why should online stores be allowed to collect, store, analyze and sell personal data that a brick-and-mortar store would be fined for collecting? In fact, if the “service” is completely digital (e.g., downloaded music from Apple, a hookup from eHarmony or downloaded event tickets from TicketMaster), no personal information is required—and certainly not a phone number.

So who wins?

In 1971, Rod Stewart’s “Maggie Mae” and Janis Joplin’s “Me and Bobby McGee” were the top of the pop charts. In computers, the first voice-recognition software and the first laser printer were developed, as were the first warnings about the Y2K problem. That same year, the California Legislature also passed what is called the Song Beverly Act, which restricted the ability of merchants to require that consumers provide personal information as a condition precedent to being able to use more than fairly new payment methods of revolving charge cards or other credit cards. Al Gore’s invention of the Internet was still several years in the future.

The statute, codified in California Civ. Code section 1747.08(a) prohibits any company that accepts credit cards from requesting “the cardholder to write any personal identification information upon the credit card transaction form or otherwise” or requiring the cardholder “to provide personal identification information, which the [company] writes, causes to be written or otherwise records upon the credit card transaction form or otherwise.”

The statute contains an exception that allows merchants to collect personal information if “personal identification information is required for a special purpose incidental but related to the individual credit-card transaction, including, but not limited to, information relating to shipping, delivery, servicing or installation of the purchased merchandise, or for special orders.” So, both online and brick-and-mortar merchants can collect personal information about consumers to ship them a product, ensure delivery, service a product or install it. Otherwise, it looks like the collection of personal information is verboten.

Posted in CRM, E-Commerce, In-Store, Payment Systems

Comments are closed.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.