Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling

Written by Mark Rasch
February 7th, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say “no,” but the California Supreme Court says “yes.” Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse for both online and offline retailers.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information. Of course, the credit card itself already has some information—cardmember’s name, card number, CVV and expiration date, but not much more. The purpose of the Sony-Beverly Act was to protect consumers’ privacy when they bought something by credit card. Sure, if you needed something shipped or a warranty card filled out or other “order fulfillment” type things, the merchant could ask for your address. But if retailers just wanted the data to profile you, to market to you, or just because they were nosy, the Act prohibited that.

Sony-Beverly also had an “anti-fraud” provision that allowed a merchant to look at, but not to “write down,” a consumer’s driver’s license number and photograph and mailing address to ensure that consumer was, in fact, the cardmember. This approach could be used to prevent fraud. Well, to prevent some fraud, anyway.

A few years ago, Williams-Sonoma (NYSE:WSM) fell afoul of the statute. It demanded brick-and-mortar customers provide their Zip code, in addition to their credit-card number. The retailer then used that Zip code to determine consumers’ addresses (only one Millard Fillmore in Zip code 14052) and to then use the names and addresses to send catalogues and other marketing materials. That is a no-no, according to the California Supreme Court; even a mere Zip code is “personal information” under the Song-Beverly Act.

But then, the Internet came.

With the advent of E-Commerce, online merchants taking credit cards had no effective way to ask to see (without recording) a driver’s license. For anti-fraud purposes, most credit-card processors demand not only the consumer’s credit card number but also the associated name, address and Zip code. But what about the law?

That’s what David Krescent thought when he signed up for an Apple (NASDAQ:AAPL) iTunes account in California. Apple required Krescent to not only give his credit-card number but provide a bunch of other information (name, address, Zip code, etc.) to make digital purchases of music. Because the commodity delivered was itself digital, and downloaded, Krescent argued, Apple didn’t need his address or Zip code to process the transaction.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.