Evan Schuman's StorefrontBacktalk

Mark Rasch is a lawyer, privacy and security expert, and former federal computer crime prosecutor. He is currently the Principal of The Secure IT Experts, a computer security and privacy consulting company and is based in Bethesda Maryland.

Online retailers collecting credit card information and other personal information (e.g., name, address and telephone number) gained a victory against a privacy prohibition in a recent California federal case. However, in the long run the court decision may undo many protections for electronic commerce.

The decision by U.S. District Court Judge Alicemarie H. Stotler raises issues of how strictly retail laws should be interpreted when it comes to E-Commerce issues, many of which couldn’t have been imagined when the laws were written.

In 1971, California enacted the Song-Beverly Credit Card Act ( California Civil Code Section 1747.08), which was designed to prevent bricks and mortar retailers from requiring customers to provide them with their names and addresses or telephone numbers as a condition precedent for allowing them to use a credit card. The statute essentially said that you couldn’t require the cardholder to write any personal identification information upon the credit card transaction form or otherwise, or request this information from the cardholder that you would write down, or even use a form in connection with a credit card transaction that “contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.”

The law provided for statutory damages for each and every violation. When amending the statute in 1991 — in the nascent ages of e-commerce, the legislature noted that with “increased use of computer technology, very specific and personal information about a consumer’s spending habits was being made available to anyone willing to pay for it; and, second, that acts of harassment and violence were being committed by store clerks who obtained customers’ phone numbers and addresses.” So for 38 years, California merchants were prohibited from asking consumers for their names and addresses as a condition of using credit cards, although they could presumably ask for this information for shipping products, and in one case decided in 2008, could ask for this information to process returns or refunds.

In a recent case, Saulic v. Symantec, (Dkt. No. SA CV 07-610 AHS)(C.D. Ca., Jan 5, 2009 Stotler, J.,) http://dockets.justia.com/docket/court-cacdce/case_no-8:2007cv00610/case_id-389291/, the federal court addressed a potential class-action lawsuit against Symantec and its processor Digital River for having an online form requiring credit card purchasers to give their name, address and telephone numbers for the purpose of validating the transaction, the identity of the consumer, and preventing online fraud. The plaintiff alleged that this form itself violated the California law.

The federal judge disagreed, noting that “the purpose of the Act appears to be to protect consumer privacy in the course of a retail transaction and the legislative history suggests the Act was specifically passed with a brick-and-mortar merchant environment in mind. ” The Court went on to say that “the language does not suggest the Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment where there is no ability to confirm the identity of the customer.”

Neither the language of the Act nor its legislative history suggests the Act includes online transactions. Thus, the Court concluded, the law doesn’t apply to online transactions. A victory for online retailers — particularly those who want to protect not only themselves but also their customers from fraud by collecting identity information to validate the transaction.

The problem is the fact that, irrespective of the intent of the legislature, the statute is pretty clear. You can’t record this information in any way. What the federal district court did in essence was to say that, because the statute did not expressly apply to online transactions, and because the harm the legislature meant to deal with was in “bricks and mortar” stores, the statute did not apply.

We have all kinds of statutes that were not written for the Internet age. General fraud statutes have been around for hundreds of years, and may be traced back to Hammurabi. Theft and copyright infringement statutes date back to the beginning of the republic. Many of these have no separate provisions for online activity, and were drafted long before the advent of computer technology.

Although the Federal Trade Commission had jurisdiction over unfair and deceptive trade practices, there is nothing in its statutory authority that expressly says these relate to online practices and it is doubtful that this was intended by Congress when it established the Commission in the 1930s.

In fact, the FTC has long taken the position that, “The same consumer protection laws that apply to commercial activities in other media apply online. The FTC Act’s prohibition on unfair or deceptive acts or practices encompasses Internet advertising, marketing and sales. In addition, many Commission rules and guides are not limited to any particular medium used to disseminate claims or advertising, and therefore, apply to online activities.

The FTC went on to note that “Commission rules and guides that use specific terms, written, writing, printed or direct mail are adaptable to new technologies.”

The mere fact that application of general consumer protection or privacy laws to the online environment is inconvenient is no reason to rewrite the law — at least not by the courts in the first instance. The legislature can do this — and probably should.

As a result of this ruling, retailers may now collect personal information about credit card customers. However, retailers would be wise to use this information only to validate the credit card transaction itself, and then to either delete or otherwise protect the confidentiality of the data afterwards.

Indeed, the harm that the California legislature was concerned with in 1971 and 1991—that consumer personal information would be collected and then leaked—is much worse in an online than in a brick and mortar transaction. Failure to protect and restrict use of this data may result not only in a data breach disclosure requirement, but also in legislation specifically prohibiting its initial collection.

Even though the court ruling may be a short-term victory for retailers, in the long-run, we are left to scratch our heads and wonder which pre-Internet laws the courts will, on their own, choose to apply to online transactions, and which ones they will not. And uncertainly is not what we need.