California Supreme Court Ponders Whether Online Privacy Is Different From In-Store Privacy

Written by Mark Rasch
November 7th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a case to be argued Wednesday (Nov. 7), the California Supreme Court will decide whether to treat brick-and-mortar stores differently from online stores when it comes to the collection of personal information about customers who make purchases by credit card. The case could have serious consequences for personal privacy of online customers, as well as for the ability of online retailers to prevent fraud and authenticate their customers.

Several online retailers, including Apple, eHarmony and Ticketmaster, were sued in a class-action lawsuit that claimed their collective practice of collecting certain personal information—including consumers’ names, street addresses, telephone numbers and E-mail addresses—violates the provisions of a 1971 law that precludes the collection of personal information about users of payment cards. The E-tailers are arguing before California’s highest court that the 1971 law didn’t contemplate online transactions, that prohibitions on merchants “writing down” consumer information don’t apply to data entry into a computer database and, besides, they need this information to authenticate users and prevent fraud. In the “real” world, of course, you can ask to see customers’ driver’s licenses and authenticate them that way (as long as you don’t write down the number). You can’t do that online. So, Apple complains, the law improperly discriminates against online merchants.

Not so fast, say consumers. The purpose of the law, called the Song Beverly Act of 1971, was to protect the privacy of consumers who make transactions. It was designed to prevent California merchants (merchants doing business in California) from compiling a dossier on their customers simply because they paid by credit card. And this, the customers allege, is exactly what the online merchants are trying to do.

But wait, complain the World Wide Webheads. We need to collect a bunch of personal information to deliver the goods and services you want. Unlike a brick-and-mortar store, where the goods can be handed to the customer, online merchants need the information to get the goods to the consumer. They need to collect the consumer’s MAC address, IP address, E-mail address, etc., to make sure that the products get to the correct payer. All of this is completely kosher and above board. And besides, California has another law that requires online merchants to disclose their data collection and privacy policies. “As long as we tell you what we are collecting and why, and what we are going to do with it, what’s the problem? Your privacy is protected by our disclosed Terms of Service.”

Unh, uhn. The California Supreme Court previously ruled that a brick-and-mortar store could not even ask customers for their ZIP Codes, because this was “personal information.” Why should online stores be allowed to collect, store, analyze and sell personal data that a brick-and-mortar store would be fined for collecting? In fact, if the “service” is completely digital (e.g., downloaded music from Apple, a hookup from eHarmony or downloaded event tickets from Ticketmaster), no personal information is required—and certainly not a phone number.

So who wins?

In 1971, Rod Stewart’s “Maggie May” and Janis Joplin’s “Me and Bobby McGee” were at the top of the pop charts. In computers, the first voice-recognition software and the first laser printer were developed, as were the first warnings about the Y2K problem. That same year, the California Legislature also passed what is called the Song Beverly Act, which restricted the ability of merchants to require that consumers provide personal information as a condition precedent to being able to use the then fairly new payment methods of revolving charge cards or other credit cards. Al Gore’s invention of the Internet was still several years in the future.

The statute, codified in California Civ. Code section 1747.08(a), prohibits any company that accepts credit cards from requesting “the cardholder to write any personal identification information upon the credit card transaction form or otherwise” or requiring the cardholder “to provide personal identification information, which the [company] writes, causes to be written or otherwise records upon the credit card transaction form or otherwise.”

The statute contains an exception that allows merchants to collect personal information if “personal identification information is required for a special purpose incidental but related to the individual credit-card transaction, including, but not limited to, information relating to shipping, delivery, servicing or installation of the purchased merchandise, or for special orders.” So, both online and brick-and-mortar merchants can collect personal information about consumers to ship them a product, ensure delivery, service a product or install it. Otherwise, it looks like the collection of personal information is verboten.

