Federal Judge Rules In Favor Of E-Tailers, A Move Many Online Merchants May Come To Regret

Written by Mark Rasch
March 19th, 2009

Mark Rasch is a lawyer, privacy and security expert, and former federal computer crime prosecutor. He is currently the Principal of The Secure IT Experts, a computer security and privacy consulting company and is based in Bethesda Maryland.

Online retailers collecting credit card information and other personal information (e.g., name, address and telephone number) gained a victory against a privacy prohibition in a recent California federal case. However, in the long run the court decision may undo many protections for electronic commerce.

The decision by U.S. District Court Judge Alicemarie H. Stotler raises issues of how strictly retail laws should be interpreted when it comes to E-Commerce issues, many of which couldn’t have been imagined when the laws were written.

In 1971, California enacted the Song-Beverly Credit Card Act ( California Civil Code Section 1747.08), which was designed to prevent bricks and mortar retailers from requiring customers to provide them with their names and addresses or telephone numbers as a condition precedent for allowing them to use a credit card. The statute essentially said that you couldn’t require the cardholder to write any personal identification information upon the credit card transaction form or otherwise, or request this information from the cardholder that you would write down, or even use a form in connection with a credit card transaction that “contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.”

The law provided for statutory damages for each and every violation. When amending the statute in 1991 — in the nascent ages of e-commerce, the legislature noted that with “increased use of computer technology, very specific and personal information about a consumer’s spending habits was being made available to anyone willing to pay for it; and, second, that acts of harassment and violence were being committed by store clerks who obtained customers’ phone numbers and addresses.” So for 38 years, California merchants were prohibited from asking consumers for their names and addresses as a condition of using credit cards, although they could presumably ask for this information for shipping products, and in one case decided in 2008, could ask for this information to process returns or refunds.

In a recent case, Saulic v. Symantec, (Dkt. No. SA CV 07-610 AHS)(C.D. Ca., Jan 5, 2009 Stotler, J.,), the federal court addressed a potential class-action lawsuit against Symantec and its processor Digital River for having an online form requiring credit card purchasers to give their name, address and telephone numbers for the purpose of validating the transaction, the identity of the consumer, and preventing online fraud. The plaintiff alleged that this form itself violated the California law.

The federal judge disagreed, noting that “the purpose of the Act appears to be to protect consumer privacy in the course of a retail transaction and the legislative history suggests the Act was specifically passed with a brick-and-mortar merchant environment in mind. ” The Court went on to say that “the language does not suggest the Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment where there is no ability to confirm the identity of the customer.”

Neither the language of the Act nor its legislative history suggests the Act includes online transactions. Thus, the Court concluded, the law doesn’t apply to online transactions. A victory for online retailers — particularly those who want to protect not only themselves but also their customers from fraud by collecting identity information to validate the transaction.

The problem is the fact that, irrespective of the intent of the legislature, the statute is pretty clear. You can’t record this information in any way. What the federal district court did in essence was to say that, because the statute did not expressly apply to online transactions, and because the harm the legislature meant to deal with was in “bricks and mortar” stores, the statute did not apply.

We have all kinds of statutes that were not written for the Internet age. General fraud statutes have been around for hundreds of years, and may be traced back to Hammurabi. Theft and copyright infringement statutes date back to the beginning of the republic. Many of these have no separate provisions for online activity, and were drafted long before the advent of computer technology.

Although the Federal Trade Commission had jurisdiction over unfair and deceptive trade practices, there is nothing in its statutory authority that expressly says these relate to online practices and it is doubtful that this was intended by Congress when it established the Commission in the 1930s.

In fact, the FTC has long taken the position that, “The same consumer protection laws that apply to commercial activities in other media apply online. The FTC Act’s prohibition on unfair or deceptive acts or practices encompasses Internet advertising, marketing and sales. In addition, many Commission rules and guides are not limited to any particular medium used to disseminate claims or advertising, and therefore, apply to online activities.

The FTC went on to note that “Commission rules and guides that use specific terms, written, writing, printed or direct mail are adaptable to new technologies.”

The mere fact that application of general consumer protection or privacy laws to the online environment is inconvenient is no reason to rewrite the law — at least not by the courts in the first instance. The legislature can do this — and probably should.

As a result of this ruling, retailers may now collect personal information about credit card customers. However, retailers would be wise to use this information only to validate the credit card transaction itself, and then to either delete or otherwise protect the confidentiality of the data afterwards.

Indeed, the harm that the California legislature was concerned with in 1971 and 1991—that consumer personal information would be collected and then leaked—is much worse in an online than in a brick and mortar transaction. Failure to protect and restrict use of this data may result not only in a data breach disclosure requirement, but also in legislation specifically prohibiting its initial collection.

Even though the court ruling may be a short-term victory for retailers, in the long-run, we are left to scratch our heads and wonder which pre-Internet laws the courts will, on their own, choose to apply to online transactions, and which ones they will not. And uncertainly is not what we need.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.