California Supreme Court Ponders Whether Online Privacy Is Different From In-Store Privacy

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

In a case to be argued Wednesday (Nov. 7), the California Supreme Court will decide whether to treat brick-and-mortar stores differently from online stores when it comes to the collection of personal information about customers who make purchases by credit card. The case could have serious consequences for personal privacy of online customers, as well as for the ability of online retailers to prevent fraud and authenticate their customers.

Several online retailers, including Apple, eHarmony and Ticketmaster, were sued in a class-action lawsuit that claimed their collective practice of collecting certain personal information—including consumers' names, street addresses, telephone numbers and E-mail addresses—violates the provisions of a 1971 law that precludes the collection of personal information about users of payment cards. The E-tailers are arguing before California's highest court that the 1971 law didn't contemplate online transactions, that prohibitions on merchants "writing down" consumer information don't apply to data entry into computer databases and, besides, they need this information to authenticate users and prevent fraud. In the "real" world, of course, you can ask to see customers' driver's licenses and authenticate them that way (as long as you don't write down the number). You can't do that online. So, Apple complains, the law improperly discriminates against online merchants.

Not so fast, say consumers. The purpose of the law, called the Song Beverly Act of 1971, was to protect the privacy of consumers who make transactions. It was designed to prevent California merchants (merchants doing business in California) from compiling a dossier on their customers simply because they paid by credit card. And this, the customers allege, is exactly what the online merchants are trying to do.

But wait, complain the World Wide Webheads. We need to collect a bunch of personal information to deliver the goods and services you want. Unlike a brick-and-mortar store, where the goods can be handed to the customer, online merchants need the information to get the goods to the consumer. They need to collect the consumer's MAC address, IP address, E-mail address, etc., to make sure that the products get to the correct payer. All of this is completely kosher and above board. And besides, California has another law that requires online merchants to disclose their data collection and privacy policies. "As long as we tell you what we are collecting and why, and what we are going to do with it, what's the problem? Your privacy is protected by our disclosed Terms of Service."

Unh, uhn. The California Supreme Court previously ruled that a brick-and-mortar store could not even ask customers for their ZIP Codes, because this was "personal information." Why should online stores be allowed to collect, store, analyze and sell personal data that a brick-and-mortar store would be fined for collecting? In fact, if the "service" is completely digital (e.g., downloaded music from Apple, a hookup from eHarmony or downloaded event tickets from Ticketmaster), no personal information is required—and certainly not a phone number.

So who wins?

In 1971, Rod Stewart's "Maggie May" and Janis Joplin's "Me and Bobby McGee" were at the top of the pop charts. In computers, the first voice-recognition software and the first laser printer were developed, as were the first warnings about the Y2K problem. That same year, the California Legislature also passed what is called the Song Beverly Act, which restricted the ability of merchants to require that consumers provide personal information as a condition precedent to being able to use the then fairly new payment methods of revolving charge cards or other credit cards. Al Gore's invention of the Internet was still several years in the future.

The statute, codified in California Civ. Code section 1747.08(a), prohibits any company that accepts credit cards from requesting "the cardholder to write any personal identification information upon the credit card transaction form or otherwise" or requiring the cardholder "to provide personal identification information, which the [company] writes, causes to be written or otherwise records upon the credit card transaction form or otherwise."

The statute contains an exception that allows merchants to collect personal information if "personal identification information is required for a special purpose incidental but related to the individual credit-card transaction, including, but not limited to, information relating to shipping, delivery, servicing or installation of the purchased merchandise, or for special orders." So, both online and brick-and-mortar merchants can collect personal information about consumers to ship them a product, ensure delivery, service a product or install it. Otherwise, it looks like the collection of personal information is verboten.

The lawsuit to be heard by the California Supreme Court revolves around whether online merchants like Apple, eHarmony, Ticketmaster and others can require California consumers to provide things like their name, address, telephone number, E-mail address or other personal information before they can purchase digital items that will be delivered digitally. Previously, the California Supreme Court had held that even such seemingly trivial information as a consumer's ZIP Code was personal information that could not be collected or written down by the merchant.

The statute was intended to represent a balance between the privacy rights of consumers—not being forced to give up personal information as a condition of using a credit card and not being able to be marketed to simply because they paid by credit card—and the need for merchants to be able to deliver goods, products or services to the consumer.

However, the courts have had a difficult time balancing these competing interests in the online world. Certainly, when a retailer like Amazon or eBay receives an online order from a customer, it needs to collect that customer's shipping information to deliver the product. It also collects other identifying information like the consumer's telephone number and E-mail address at the same time. Well, that's why we have courts, right? There is no doubt that the case presents a conflict between consumer privacy and fraud prevention. Merchants, both online and offline, have a right to prevent fraud and authenticate consumers. Just as a brick-and-mortar merchant can "see ID," an online merchant should be permitted to do the same thing. Of course, a brick-and-mortar store can "look" at an ID without copying it. Online, there must be a copy.

Clearly, if the merchant uses the other identifying information solely for the purposes of ensuring delivery of the product or service there should be no problem under the Song Beverly Act. But, of course, these online merchants collect this information so they can market to the consumer or sell this information to third-party marketers, provided they comply with other California laws regarding explicit privacy policies.

This puts brick-and-mortar stores at a distinct disadvantage. Their online competitors can use the fact that they are operating in a virtual world to collect, store, cross-reference, data mine or otherwise use or sell the personal data they collect about their customers at the time of the credit-card transaction. The brick-and-mortar store can't even ask customers for their ZIP Code.

The online merchants want to create a wholesale "online exemption" from the statute that says, essentially, "Hey, it's 2012. That law is sooo 1971. Groovy man!" Because online sales weren't contemplated, they can collect any information.

What should happen is that the California legislature should revisit the law with online transactions in mind and then specify what information can and cannot be collected online and, more importantly, what can be done with the information collected. Consistent with the principles of Song Beverly, if brick-and-mortar retailers can't collect my name and address, then online retailers can't, either, except to the extent that the information is needed to fulfill the order and prevent fraud—and then, and here is the kicker, that information can only be used for those purposes. No data mining, no reselling, no analytics, nothing. Alternatively, the legislature could say that Song Beverly has outlived its purposes and that anyone can collect any information about customers as long as a privacy policy is in place. Either way, consumer privacy should be protected, and both brick-and-mortar and online stores should be treated roughly the same. We will see what the Sacramento Court does.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.