Papa John’s Texting Lawsuit Raises Troubling Mobile Marketing Issues For All Retail

Written by Evan Schuman
November 14th, 2012

When a federal judge certified class-action status against Papa John’s on November 9, the pizza chain became the poster child for mobile text-messaging abuse. But this case raises some key questions retailers need to wrestle with—and which the court will decide—including the use of POS data for non-payment functions, the chain’s reasonable responsibilities for the decisions of very independent franchisee owners and what constitutes a business relationship sufficient to establish marketing permission (and in any definition, does buying one slice of pizza reasonably trigger it?).

(Related stories: “Federal Judge Dismisses Walmart Texting Lawsuit, Just Days After Another Federal Judge Ruled The Opposite Way For Papa Johns” and “Would You Like Spam With That?”)

The specifics of this Papa John’s case involve a vendor that never worked for Papa John’s but was retained by quite a few franchisees. That vendor, OnTime4U, sent a huge number of texts to customers of Papa John’s franchisees and never received explicit permission from any of those customers. If this had been a case of whether OnTime4U had violated the Telephone Consumer Protection Act (TCPA), it would be a very easy case. But because the case is focused on the retailer that never retained the vendor, things get much trickier.

To be fair, Papa John’s is far from having clean hands when it comes to OnTime4U. Although the chain didn’t retain the vendor, it did send memos to franchisees encouraging them to retain OnTime4U. When one franchisee complained, a Papa John’s exec told him to try again. The chain also gave the vendor a prominent presentation slot at its franchisee meeting, clearly endorsing OnTime4U. Therefore, blaming Papa John’s for what OnTime4U did is not wildly inappropriate.

According to the decision by U.S. District Court Judge John C. Coughenour in Seattle, the phone numbers enabling those text messages were the ones customers gave when they placed pizza orders or that caller-ID systems grabbed. So if you phoned in to ask about a pizza—and perhaps not even buy one—you were about to enter text-message hell.

“Those lists were generated out of the PROFIT system, a proprietary database that Papa John’s describes as a point-of-sale data-entry system,” the judge wrote. “The PROFIT system is downloaded onto registers in Papa John’s restaurants and tracks customer and order information. OnTime4U removed landline numbers from the lists and sent text messages to the numbers associated with cell phones.”

Depending on the text-message plan—or lack of same—the customer has, those annoying texts could also become extremely expensive. So a program intended to generate sales for Papa John’s and to generate goodwill ended up having much of the opposite effect.

Papa John’s ultimately disavowed OnTime4U, but by that point a lot of damage had already been done. When Papa John’s finally did turn on the vendor, it ran into what IT folks will recognize as the classic toothpaste-back-into-the-tube problem of getting back tainted data.

Coughenour’s ruling said that “Papa John’s then directed that all franchisees who have shared customer data (particularly telephone numbers) with OnTime4U take all necessary steps to reclaim this data and/or have the vendor permanently delete it from the vendor’s system as well as demand that the vendor not share the data with anyone. Papa John’s also sent a letter directly to OnTime4U in which it demanded that (the vendor) return all customer data supplied to you by our franchisees or take measures to immediately and permanently delete this data from your systems and make certain that it cannot and will not be copied to, shared with or forwarded to anyone. OnTime4U has told Plaintiff’s counsel that it destroyed the call lists at the behest of Papa John’s.”

What about routine backups? Or employees of OnTime4U who copy parts of the database (or all of it) to laptops and mobile devices (phones and tablets, in addition to thumb-drives)? Or employees who work at home on their personal PCs? Marketing teams with their own copies for analytics? The idea that a names-oriented company can easily and completely expunge such data from its systems is ridiculous—and that’s still assuming the vendor chooses to fully and aggressively try and comply. If OnTime4U makes a half-hearted effort to technically comply, this gets much worse.

By the way, the destruction of those names did make it a lot more difficult to supply a complete list of the names of consumers who had been text-bombed. Would we be so cynical as to suggest that Papa John’s had that in mind when it asked for those names to be destroyed? (Who, us?)

One weak argument can really make an entire case look bad. Amidst some very legitimate arguments against this class-action suit being certified, Papa John’s argued that the lead plaintiff—a customer—didn’t have standing to sue, because she did not pay the bills for that phone, as her ex-husband is the primary account holder.

“Plaintiff correctly argues that the case law does not unambiguously require that a plaintiff own the relevant phone or account in order to have standing to sue under the TCPA. Moreover, she argues, she has standing to sue under the TCPA because her privacy interests are the very ones that Congress intended to protect when it enacted the TCPA. Plaintiff avers that: (1) she has been the exclusive user of her cell number since 2002, years before sharing a cellular service plan with her ex-husband; (2) she owned the cell phone which received the message; and (3) she was the intended recipient of the texts.”

Yeah, that wasn’t the best argument to make.

