Plaintiffs in California Aim to Breathe New Life into the Decades-Old Law Regulating the Collection of Personal Information at Point-Of-Sale
For years, retailers have braced and prepared for the next wave of litigation under California’s Song-Beverly Credit Card Act of 1971 (Song-Beverly). While activity under Song-Beverly and the 14 other states with similar laws has been largely dormant for several years, it seems the next wave of litigation is here. This time, the lawsuits focus on the collection of IP addresses in connection with online credit card transactions. Song-Beverly was originally designed to limit the collection of personal information on the paper credit card transaction form. Plaintiffs’ attorneys now seek to extend that law to apply to online transactions and discrete pieces of information.
Litigation Surge
Since April, more than a dozen lawsuits have been filed in California against major retailers, alleging violations of Song-Beverly by collecting data such as IP addresses during online credit card transactions. Fourteen other states have similar “Song-Beverly” type laws, though several of those states enforce these laws exclusively through their attorneys general.
Legal Context
While Song-Beverly has historically been applied to in-person transactions, Song-Beverly more generally limits the collection of personal identification information in connection with a credit card transaction where that information is required “as a condition” of making a purchase. California’s law includes some exceptions, such as if the information is required to complete the credit card transaction or if the information is for a special purpose incidental to the transaction, such as shipping, delivery, or as held in case law, loyalty programs.
This new wave of litigation raises questions about what constitutes “necessary data” for processing transactions and whether digital identifiers like IP addresses constitute “personal identification information.” Other California state laws, such as the California Consumer Privacy Act, include digital identifiers within the scope of protected “personal information,” however, California courts have yet to definitively rule on whether IP addresses are considered “personal identification information” under Song-Beverly.
Potential Implications
These cases are still in the pleadings stage, so it may be months before there are decisions weighing upon the viability of these claims. That said, if the claims are viable, they would pose a substantial risk to retailers as Song-Beverly provides for statutory damages of $250 for the first violation and $1,000 for each subsequent violation. In addition to statutory penalties, the outcomes of these cases could set new precedents for online data collection practices and impact how online retailers operate.
Proactive Steps for Online Retailers
Businesses should carefully review their data collection practices to ensure that only necessary personal information is collected during credit card transactions, evaluating whether the collection of IP addresses and other digital identifiers is essential for transaction processing and fraud prevention. Further, retailers can implement strategies to curb Song-Beverly’s applicability, such as moving the collection of information to before or after the transaction. Additionally, privacy policies should be carefully reviewed to confirm they are transparent about the types of data collected and the purposes for which it is used, clearly communicating any data-sharing practices with third parties, particularly for fraud prevention and transaction processing. It is also crucial to stay informed about ongoing litigation and court rulings related to Song-Beverly and similar laws in other states and be prepared to adjust data collection practices in response to new legal precedents and regulatory guidance.
For further information about litigation arising from Song-Beverly or privacy laws in general, please contact John Landolfi, Chris LaRocco, Gretchen Rutz Leist, Eric Parker, or your Vorys attorney.