Friday, December 13, 2013

Song Beverly Strikes Again: Email Address Collection Added to Potentially Worrisome Activity

As we've previously blogged, retailers who sell products to consumers in California and Massachusetts, as well as a number of other states, run the risk of costly class action lawsuits if they collect customer zip codes in connection with purchase of goods by credit card.  The prohibitions in those states, as we've explained, often go beyond zip codes, and can include -- in California, for example -- any information that does not appear on the face of the credit card.

A recent decision by the United States District Court in California involved the collection of e-mail addresses in credit card transactions, and found against a retailer on a motion dismiss -- propelling the case to trial.  That decision adopted what some might call an inordinately expansive interpretation of the underlying law by the Supreme Court of California, and made things far worse by adding an apparent misreading of the statute to the mix.  Not for the faint of heart, but certainly important for the prudent direct marketer who hopes to avoid costly and sometimes bogus lawsuits, the decision helps underscore the risks faced by even the most diligent companies -- risks high enough that companies are often forced to settle when they know in their heart of hearts that they're right.

The Case Up Close.  To begin with, it's not at all a surprise that the the federal court concluded that e-mail addresses are "personal identification information" under the California statute.  After all, the statute expressly defines PII as any information not appearing on the face of the credit card, as was pointed out with much energy by the California Supreme Court in what could reasonably be seen as landmark overreach in the Pineda case.  Thus, if you're collecting any information that's not on the face of the credit card, you're playing on enemy, i.e., the class action lawyer's, territory.  This could extend to information as bland as a customer's state of residence.

Well, like a lot of other retailers, this one collected e-mail addresses from customers for the purpose of sending customers purchase receipts.  However, as the federal court observed, the underlying statute -- the so-called Song Beverly Act -- includes an exemption "if personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders." Asking a customer for an email address in order to send a receipt for a purchase certainly qualifies, it would seem, as a "special purpose" that is "incidental but related to the individual credit card transaction."  That should end the case, right?  Well, as lawyers in consumer class action lawsuits have come to understand, the answer is ... not so fast.

Song-Beverly Up Close and Personal.  To set the table for what happened next, a few observations are important.

First, that exemption I mentioned (let's call it the "special purpose exemption") gets you completely out of the prohibitions of Song Beverly. That's right. If you qualify, all of the prohibitions of the law do not apply. The list of exemptions, including the special purpose exemption, begins with: "(c) Subdivision (a) does not apply in the following instances". What is contained in subdivision (a)? All -- that's right, all -- of the prohibitions on both requesting and requiring the provision of PII are contained in subdivision (a).

Second, look more closely at the special purpose exemption:
 (4) If personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.
It would seem beyond cavil that an e-mail address is required to send a receipt by e-mail. Any other reading is nonsensical.

Third, if you have an exemption that removes the prohibitions in subdivision (a), then there is no limit on what you can do with the information that you've collected under the special purpose exemption.  (Of course, what you do with the information can't contradict what you've told the customer that you'll be doing with it -- that's Consumer Protection Law 101.)

What Gives?  So then why wasn't this case dismissed?  Good question.

The federal court refused to dismiss the claim because the plaintiff alleged that the retailer somehow had led him to believe that he had no choice but to submit his e-mail address.  As the court recited, the complaint alleges that the Plaintiff "perceived the request as a condition" and "did not believe he could obtain the receipt he desired if he did not affirmatively respond to Defendant's request for his email address."  It is difficult for me to understand how either point makes a whit of difference because (1) the special purpose exemption quite clearly applies; and (2) once under the exemption, the whole of subdivision (a) is rendered inapplicable.  Even if the customer's beliefs were "reasonable," the "factual question" that the court figured should force the case to proceed to trial seems utterly irrelevant.   Although in the land of consumer protection statutes ordinary rules of statutory construction sometimes fall by the wayside, it is hard for me to imagine this ruling holding up on appeal.  Nevertheless, an order like this on a motion to dismiss usually isn't immediately appealable, which means that it could be years before the Ninth Circuit Court of Appeals gets to hear the case.

A Silver Lining?  It is worth noting, however, that the retailer may be able to argue that this kind of individualized factual determination -- involving what was told to a consumer and the consumer's (seemingly) subjective beliefs -- makes the case inappropriate for class certification.  After all, the hallmark of a class action case is the ability to have one lawsuit resolve the rights of large numbers of similarly situated persons.  It doesn't really accomplish that purpose if each individual's claim requires an evidentiary hearing about what they were told and/or what they believed.

Lessons Learned.  Again.  If you've been involved in consumer class action lawsuits, the lessons derived from this case aren't great revelations.

First, if you are going to ask for consumer information like e-mail addresses, try to give the consumer a choice about it and make that choice clear.  No class action plaintiff's lawyer is going to be thrilled about taking a case where his or her own client gave information after being told he or she didn't have to do so. While you're at it, if you're going to use that information to send promotions to a customer, consider telling them. Both of these disclosures help set the atmospherics of any subsequent class action lawsuit on the retailer's side since they make clear that no one was trying to pull a fast one.

Second, back up those disclosures with written scripts for sales associates and store signage if possible, so that any dispute about what was or wasn't said doesn't end up pitting the customer's recollection against the recollection of a specific sales associate (who may or may not still be working for the company).  Retailers rarely win those battles, and they'll almost guarantee a trial.

Third, pick your statutory arguments carefully.  In this federal court case, it appears a lot of ink was spilled on arguing that e-mail addresses didn't constitute PII.  Why?  If zip codes are PII (as we learned in Pineda), then fighting over whether e-mail addresses qualify as PII is a losing battle that might only serve shift attention away from the bigger question of whether the special purpose exemption bars the lawsuit.  Obviously, it's impossible to know the precise strategic considerations behind the arguments that were raised.  The bottom line, however, is that careful and surgical statutory interpretation arguments can be successful, but generally shouldn't be diluted by weaker arguments -- aim carefully and take only your best shots.

A Word to the Wise.  Cases like this are not-so-subtle reminders to work closely with legal counsel of your choice on privacy and information-gathering activities, particularly where consumer information is concerned.  In states like California, where consumer protection laws are like so many unsprung traps, every information gathering approach needs to balance the business gains against the potential downside risks.  Where, as in California, the penalties can be substantial for each improperly collected piece of PII, a very large downside may counsel retailers to obtain the information from someplace other than the point of sale.

Want to Read More?   Check out Professor Eric Goldman's take on Song Beverly and the collection e-mail addresses.  He's head of the High Tech Law Institute at Santa Clara University Law School in Palo Alto.

No comments:

Post a Comment