On August 24, 2011, Judge Loretta M. Giorgi of the San Francisco Superior Court dismissed a lawsuit against Craigslist which alleged that Craigslist had violated California Civil Code section 1747.08 (part of the Song-Beverly Credit Card Act of 1971) by requiring customers who use credit cards as tender to provide personal identification information ("PII"). In a summary order, the court held that, "California Civil Code section 1747.08 on its face does not apply to online transactions." The court also noted that applicable case law, legislative intent, and public policy "indicate that such transactions are not, and should not be, encompassed by Section 1747.08."1 This order breathes new life into Saulic v. Symantec Corp.,2 a federal district court case that held that Section 1747.08 does not apply to online transactions, but was issued two years before the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., that Section 1747.08 should be "liberally construe[d] … in favor of [its] protective purpose …."3 Thus, although the order in Gonor is not binding on any other court, it nevertheless is good news for online resellers.
Section 1747.08 prohibits businesses from requesting or requiring PII as a condition to accepting a credit card as payment in full or in part for goods or services from customers, and then recording such information.4 The statute also bans the use of forms that facilitate the obtaining of such information.5 The statute defines PII as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.6 Exempted from the statute's reach, among other things, are requests for and recordations of PII "for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders."7 Companies that violate the statute are subject to a civil penalty of up to two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation.8
In Pineda, the plaintiff alleged (1) she went to the cashier at defendant's store to pay for an item with her credit card; (2) the cashier asked for her ZIP code, and, believing she was required to provide the requested information to complete the transaction, plaintiff provided it; (3) the cashier entered plaintiff's ZIP code into the electronic cash register and then completed the transaction; (4) at the end of the transaction, defendant had plaintiff's credit card number, name, and ZIP code recorded in its database; (5) defendant matched plaintiff's name and ZIP code with plaintiff's previously undisclosed address, giving defendant the information, which it then maintained in its own database; and (6) defendant used its database to market products to customers and could also sell the information it compiled to other businesses.9
In a unanimous opinion, the Supreme Court reversed the appellate court's decision that ZIP codes were not the kind of information the statute was intended to protect. The Court noted that Section 1747.08 should be "liberally construe[d] … in favor of [its] protective purpose … which, in the case of section 1747.08, includes addressing the misuse of personal identification information for, inter alia, marketing purposes."10 The Court also noted that the legislative history of section 1747.08 demonstrated the Legislature intended to provide "robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction."11
Following the Pineda decision in February 2011, several hundred class action lawsuits alleging violations of Section 1747.08 were filed in California courts. In Gonor v. Craigslist, Inc., however, the San Francisco Superior Court reaffirmed the earlier, federal (persuasive, but non-binding) Saulic decision which held that online retailers are excluded from the application of Section 1747.08. This is the first time a California state court has considered the matter, reaching a positive result for online services that accept credit card payments.12
Although Judge Giorgi does not delve into the reasons for her decision, she appears to agree with the District Court's analysis in Saulic. As noted by Judge Alicemarie H. Stotler of the Central District of California:
The purpose of the Act appears to be to protect consumer privacy in the course of a retail transaction, and [the California Assembly Committee on Finance and Insurance Background Information Request] analysis suggests the Act was specifically passed with a brick-and-mortar merchant environment in mind. While the use of computer technology is mentioned, the language does not suggest the Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment where there is no ability to confirm the identity of the customer. Neither the language of the Act nor its legislative history suggests the Act includes online transactions.13
If you have any questions about Section 1747.08, privacy issues, or this Alert, please contact one of the attorneys listed above.
1 Gonor v. Craigslist, Inc., No. CGC-11-511332.
2 596 F. Supp. 2d 1323 (C.D. Cal. 2009).
3 51 Cal. 4th 524, 532 (2011).
4 Cal. Civ. Code §1747.08(a)(1),(2).
5 Cal. Civ. Code §1747.08(a)(3).
6 Cal. Civ. Code §1747.08(b).
7 Cal. Civ. Code §1747.08(c)(4).
8 Cal. Civ. Code §1747.08(e).
9 51 Cal. 4th at 528.
10 Id. (internal citation and quotation marks omitted).
11 Id. at 536.
12 No. CGC-11-511332.
13 Saulic, 596 F. Supp. 2d at 1333-34.