Macy's Cites Privacy In Fighting D.A.'s CRM, POS Subpoena

Fighting a subpoena for CRM and POS data from the Los Angeles District Attorney, Macy's attorneys are arguing that privacy expectations prevent them from revealing the names of their customers who purchased children's jewelry made with potentially toxic lead levels. The D.A. argues that it needs the names so that the consumers can be contacted to try and stop the health threat.

The case raises many critical retail IT issues, including how private—or proprietary—the courts should consider data, including purchase histories from CRM/loyalty and POS payment files. Beyond privacy issues, such subpoenas could force retailers to publicly reveal that they are collecting and saving a lot more information than they want to disclose. There are also PCI implications, where a merchant could theoretically be shown to be saving prohibited payment card data.

The L.A. D.A. is prosecuting a criminal complaint against Macy's, accusing the chain of falsely advertising that the children's jewelry was lead- and nickel-free. The U.S. Consumer Product Safety Commission was involved in a recall of the jewelry in February 2008 and estimates that some 2,900 necklaces were sold from January 2006 through November 2007. "The children's necklaces contain high levels of lead. Lead is toxic if ingested by young children and can cause adverse health effects," the U.S. Consumer Product Safety Commission notice said.

Macy's lawyers have asked state Superior Court Judge Frederick Rotenberg to dismiss the charges and Rotenberg on Tuesday (April 7) scheduled arguments on the case for May 4. In a motion filed with Rotenberg seeking to quash the subpoena, Macy's argues that turning the names over is not appropriate because the nature of this criminal case is about false advertising and not the recall nor consumer notification.

"Macy's promises its customers to keep their personal information confidential except in certain limited circumstances. Macy's customers therefore have a reasonable expectation that any identifying information collected and retained by Macy's as a result of their purchases will be kept confidential and not disclosed unless Macy's is compelled to do so by proper legal process," wrote Macy's attorney Donald Etra. "As the privacy concerns of third parties is high and the usefulness of the documents to the people's prosecution of the false advertising claims against Defendants is non-existent, production should not be required."

It's a new twist to the privacy argument, in that it's unlikely that most of the impacted consumers would object if they alerted that they have children's jewelry with potentially toxic lead levels. How many of them would consider such contacts to be privacy violations?

The filing also said that Macy's may—or may not—have the information being sought, but those details are intriguing."It should be noted that Macy's does not have information as to every customer who purchased the (lead) product at issue. If a customer used a Macy's proprietary credit card to purchase the product—either a Macy's credit card or a Macy's branded Visa—Macy's retains such information, though such retention and any possible disclosure is governed by the terms of Macy's privacy policy," the filing said. "If a customer purchased the products on a credit card other than Macy's, Macy's may not have in its possession the customer's personal contact information from the credit card transaction and thus may not have any documents reflecting that customer's identity. Macy's does not have information relating to the identities of those who purchased the products with cash."

It's interesting that the filing was so explicit that the chain did not have any relevant data for customers who paid cash. If a customer used their loyalty card and paid cash, wouldn't that information still exist? Is Macy's saying that it already checked and it just so happens that CRM files revealed anyone using cash to make the lead-laden purchase? It's not clear.

The document gives the judge a few alternatives, including merely instructing that Macy's contact those customers, which would avoid the public disclosure. Failing that, the document said the judge should limit the D.A.'s office for anything other than identifying witnesses and evidence "and prohibiting (the D.A.'s office) from abusing subpoena power by using it to notify Macy's customers of alleged violations." That last requirement seems to be asking the court to prevent the D.A.'s office from telling those consumers that they apparently have a poisonous piece of children's jewelry, presumably being used by a child.

"The People's only expressed reason for the documents described in the subpoena is a desire to communicate with Macy's customers regarding a perceived, but unsubstantiated, allegation that, unless such a notice is sent out, the public safety will be threatened. This stated reason for compelling production is not valid in a false advertising case. The identification of customers who purchased the products at issue has no bearing on the facts that the People need to prove to establish the elements of this misdemeanor."

The filing also challenges the Los Angeles official's efforts to subpoena customer information from all across the country. "The District Attorney's office has no jurisdiction to demand production of documents reflecting sales outside of Los Angeles county since he has no jurisdiction to prosecute such alleged violations."