California Opens CRM Goldmine For All E-Tailers

The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers when purchases include downloadable content, but physical retailers do not. Given the clout of the highest court from the country's largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.

Such changes are especially likely because the court did not impose any restrictions on how retailers could use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting digital download fraud.

With the explosion of mobile applications, digital content of this sort is available at a wide range of retailers. This goes beyond downloading songs, movies, television shows or ebooks to downloaded games, software applications and ringtones. How-to videos from Lowe's (NYSE:LOW), jazz music sold by Starbucks (NASDAQ:SBUX) and recipe collections and videos from Williams-Sonoma (NYSE:WSM) could all play into this digital decision.

As a practical matter, this decision is likely to have little impact on traditional online versus online competition, as Amazon Amazon (NASDAQ:AMZN) and other major pure-play E-tailers have already been gathering plenty of such information—despite what had been potential legal challenges. No, the change will likely happen in-store, because in-store will find new ways to leverage all of the new online data that the court has now sanctioned.

Home Depot (NYSE:HD) is one of many chains that has been using creative techniques—in Home Depot's case, it looks for shoppers using the same payment card online and in-store—to grab in-store activity and share it with the online operation. Now, that can be reversed, with online (which the court said could take this data without restriction) able to share it with in-store.

The court ruled that the nature of a downloadable purchase exposes the retailer to more fraud risk and that the ability to seek more information is necessary to reduce that risk. But, as StorefrontBacktalk Legal Columnist Mark Rasch points out, the ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location.

The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.

(Related story: "Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling")

What brought the case to the court was a consumer named David Krescent, who had purchased various digital products from Apple's iTunes and objected to having to give his telephone number and address. "He further alleged that Apple records each customer's personal information, is not contractually or legally obligated to collect a customer's telephone number or address in order to complete the credit card transaction, and does not require a customer's telephone number or address for any special purpose incidental but related to the individual credit card transaction, such as shipping or delivery," the court wrote. "Krescent also contended that 'even if the credit card processing company or companies required a valid billing address and [credit-card identification number], under no circumstance would [plaintiff's] telephone number be required to complete his transaction, that is, under no circumstance does [Apple] need [plaintiff's] phone number in order to complete a [media] download transaction.'"

The court was interpreting a California law well-known throughout retail: the Song-Beverly Credit Card Act of 1971. That law has already racked lawyer hours for many chains, including Crate & Barrel and Children's Place, who were abandoned by their insurer, Hartford Insurance, on these cases, and told they were on their own when being sued for supposedly violating Song-Beverly.

Williams-Sonoma was at the heart of several challenges of Song-Beverly, as it fought the battle through federal courts. This led to various pieces of retail advice on how to avoid the letter of the law, while the California Supreme Court debated its options.The court's current decision focuses a lot on what the legislature's intent was back when it was last revised in 1990, a good five or six years before the Web became commonly used by retailers.

"In construing statutes that predate their possible applicability to new technology, courts have not relied on wooden construction of their terms," the court ruled, before quoting from a book on interpreting legal texts. "Fidelity to legislative intent does not 'make it impossible to apply a legal text to technologies that did not exist when the text was created. Drafters of every era know that technological advances will proceed apace and that the rules they create will one day apply to all sorts of circumstances they could not possibly envision.'"

The rationale the justices embraced was that an associate in a store has lots of ways of discouraging fraud through identification—looking at a driver's license, seeing the customer's face, filming the customer via a closed-circuit security camera, etc.—that are not practical options for E-tailers. Therefore, the argument continued, online retailers need to be able to demand more information to strengthen anti-fraud efforts when dealing with downloadable goods.

The court also said that, when it comes to anti-fraud options, not all E-tailers are the same. When Walmart (NYSE:WMT) ships a lawnmower, at least it has a physical shipping address. It might be a maildrop, but at least it is something that can be observed. It's also a non-arguable reason to ask for the address and Zip code.

That's more than what E-tailers have, if the product is an electronic download such as when Apple's iTunes (which was the retailer in the court's decision) sells a song, movie or TV show or when Amazon sells an ebook, downloadable game, software applications or ringtones.

The phrasing of the law "shows that while the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud. Rather, (one section) demonstrates the Legislature's intent to permit retailers to use and even record personal identification information when necessary to combat fraud and identity theft, objectives that not only protect retailers but also promote consumer privacy," the written ruling said. "The safeguards against fraud that are provided are not available to the online retailer selling an electronically downloadable product. Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer's photo identification. Thus, the key anti-fraud mechanism in the statutory scheme has no practical application to online transactions involving electronically downloadable products."

The court also weighed in on how much data is reasonably necessary to try and discourage fraud. The consumer plaintiff in this case "argued that requiring a customer to provide his or her name, credit card number, card expiration date, and credit card identification number suffices to prevent fraud. But it is clear that the Legislature has disagreed. A customer's name, credit card number, expiration date, and security code are all apparent to a brick-and-mortar retailer on the credit card itself when the card is presented during an in-person transaction," the court wrote. "Yet the Legislature expressly authorized retailers to request additional information—namely a driver's license, state identification card, or another form of photo identification—in order to combat fraud. The Legislature has thus decided that the information on the credit card is not necessarily sufficient by itself to protect consumers and retailers against fraud."

The court noted that some have argued gas stations are often exempted from these fraud data-collection restrictions, and for good reason. "It seems counterintuitive to posit that the Legislature created a fraud prevention exemption only for pay-at-the-pump retailers while leaving online retailers unprotected, when online retailers—a multibillion-dollar industry by the year 2011—have at least as much if not more need for an exemption to protect themselves and consumers from fraud."

That led the court to exempt all download-related E-tail activity from the law's restrictions and to impose no limits on how the data can be used and whether it can be shared with non-virtual parts of the business."Having thoroughly examined [the law's] text, purpose, and history, we are unable to find the clarity of legislative intent or consistency with the statutory scheme necessary to conclude that the Legislature in 1990 intended to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products—and the novel challenges for privacy protection and fraud prevention that such commerce presents—within the coverage of the Credit Card Act," the court wrote. "In light of our holding today, the Legislature may wish to revisit the issue of consumer privacy and fraud prevention in online credit card transactions, just as it revisited the use of Zip codes in the wake of our 2011 decision in Pineda. We cast no doubt on [plaintiff's] claim that protecting consumer privacy in online transactions is an important policy goal, nor do we suggest that combating fraud is as important or more important than protecting privacy. We express no view on this significant issue of public policy. Our role is to determine what the Legislature intended by the statute it enacted. Here the statutory scheme, considered as a whole, reveals that the Legislature intended to safeguard consumer privacy while also protecting retailers and consumers against fraud. This accommodation of interests struck by the Legislature would not be achieved if [the law] were read to apply to online transactions involving electronically downloadable products. Because we cannot make a square peg fit a round hole, we must conclude that online transactions involving electronically downloadable products fall outside the coverage of the statute."

A dissent was filed by Justice Joyce Kennard, who questioned the logic of the majority when it said that the legislature's not mentioning online merchants meant that they should be excluded from that law.

"The majority states that when the Legislature wants to regulate online businesses, it must do so expressly, as it did in the California Online Privacy Protection Act of 2003," Kennard wrote. "Under that reasoning, the civil rights protections of the Unruh Civil Rights Act would not apply to online businesses because that act does not refer to those businesses expressly. Similarly, under the majority's reasoning, the Commercial Code would not apply to online businesses because the code does not mention those businesses expressly."

Although the law of the land in California is important, it is typically trumped by E-Commerce's law of supply and demand. E-tailers, especially those a lot smaller than Amazon, have a practical limitation of seeking private information: shopper toleration. Ask too much, and some consumers simply won't bother.

Where that needle on the dial of consumer privacy intrusion tolerance should be set is up for debate. It will depend on the type of product, the demographics and inclinations of the shopper, and how invasive the information requests are.

Then there's the power of the majority, which simply means that procedures and requests that become commonly used by most of the major chains and sites will be tolerated much more than those of an outlier seeking much more than its rivals.

In short, there are laws of legislation from courts and laws of what is considered acceptable from shoppers. Regardless of where that needle falls, it's now going to be pushed sharply away from the privacy protection side. Celebrate your CRM windfall, marketers, while you can.