
This is page 2 of:

California Supreme Court Ponders Whether Online Privacy Is Different From In-Store Privacy

November 7th, 2012

The lawsuit to be heard by the California Supreme Court revolves around whether online merchants like Apple, eHarmony, Ticketmaster and others can require California consumers to provide things like their name, address, telephone number, E-mail address or other personal information before they can purchase digital items that will be delivered digitally. Previously, the California Supreme Court had held that even such seemingly trivial information as a consumer’s ZIP Code was personal information that could not be collected or written down by the merchant.

The statute was intended to represent a balance between the privacy rights of consumers—not being forced to give up personal information as a condition of using a credit card and not being able to be marketed to simply because they paid by credit card—and the need for merchants to be able to deliver goods, products or services to the consumer.

However, the courts have had a difficult time balancing these competing interests in the online world. Certainly, when a retailer like Amazon or eBay receives an online order from a customer, it needs to collect that customer’s shipping information to deliver the product. It also collects other identifying information like the consumer’s telephone number and E-mail address at the same time. Well, that’s why we have courts, right? There is no doubt that the case presents a conflict between consumer privacy and fraud prevention. Merchants, both online and offline, have a right to prevent fraud and authenticate consumers. Just as a brick-and-mortar merchant can “see ID,” an online merchant should be permitted to do the same thing. Of course, a brick-and-mortar store can “look” at an ID without copying it. Online, there must be a copy.

Clearly, if the merchant uses the other identifying information solely for the purposes of ensuring delivery of the product or service there should be no problem under the Song Beverly Act. But, of course, these online merchants collect this information so they can market to the consumer or sell this information to third-party marketers, provided they comply with other California laws regarding explicit privacy policies.

This puts brick-and-mortar stores at a distinct disadvantage. Their online competitors can use the fact that they are operating in a virtual world to collect, store, cross-reference, data mine or otherwise use or sell the personal data they collect about their customers at the time of the credit-card transaction. The brick-and-mortar store can’t even ask customers for their ZIP Code.

The online merchants want to create a wholesale “online exemption” from the statute that says, essentially, “Hey, it’s 2012. That law is sooo 1971. Groovy man!” Because online sales weren’t contemplated, they can collect any information.

What should happen is that the California legislature should revisit the law with online transactions in mind and then specify what information can and cannot be collected online and, more importantly, what can be done with the information collected. Consistent with the principles of Song Beverly, if brick-and-mortar retailers can’t collect my name and address, then online retailers can’t, either, except to the extent that the information is needed to fulfill the order and prevent fraud—and then, and here is the kicker, that information can only be used for those purposes. No data mining, no reselling, no analytics, nothing. Alternatively, the legislature could say that Song Beverly has outlived its purposes and that anyone can collect any information about customers as long as a privacy policy is in place. Either way, consumer privacy should be protected, and both brick-and-mortar and online stores should be treated roughly the same. We will see what the Sacramento Court does.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.



Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mismatch makes it easier to use them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them

Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved.

A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse).

The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIN. Hence, $10 prices for US cards vs $25 for the European counterparts.

@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7.
