Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say "no," but the California Supreme Court says "yes." Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse for both online and offline retailers.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information. Of course, the credit card itself already has some information—cardmember's name, card number, CVV and expiration date, but not much more. The purpose of the Sony-Beverly Act was to protect consumers' privacy when they bought something by credit card. Sure, if you needed something shipped or a warranty card filled out or other "order fulfillment" type things, the merchant could ask for your address. But if retailers just wanted the data to profile you, to market to you, or just because they were nosy, the Act prohibited that.

Sony-Beverly also had an "anti-fraud" provision that allowed a merchant to look at, but not to "write down," a consumer's driver's license number and photograph and mailing address to ensure that consumer was, in fact, the cardmember. This approach could be used to prevent fraud. Well, to prevent some fraud, anyway.

A few years ago, Williams-Sonoma (NYSE:WSM) fell afoul of the statute. It demanded brick-and-mortar customers provide their Zip code, in addition to their credit-card number. The retailer then used that Zip code to determine consumers' addresses (only one Millard Fillmore in Zip code 14052) and to then use the names and addresses to send catalogues and other marketing materials. That is a no-no, according to the California Supreme Court; even a mere Zip code is "personal information" under the Song-Beverly Act.

But then, the Internet came.

With the advent of E-Commerce, online merchants taking credit cards had no effective way to ask to see (without recording) a driver's license. For anti-fraud purposes, most credit-card processors demand not only the consumer's credit card number but also the associated name, address and Zip code. But what about the law?

That's what David Krescent thought when he signed up for an Apple (NASDAQ:AAPL) iTunes account in California. Apple required Krescent to not only give his credit-card number but provide a bunch of other information (name, address, Zip code, etc.) to make digital purchases of music. Because the commodity delivered was itself digital, and downloaded, Krescent argued, Apple didn't need his address or Zip code to process the transaction.The company didn't even need his name, as long as the credit card was valid! And besides, the statute makes it illegal to "write down" things like address, etc., and an electronic recording of the information is a writing, no?

Apple countered by asserting not only that an electronic writing isn't a writing but that, mainly, the law—written long before electronic commerce—doesn't naturally apply to E-Commerce. When applied to brick-and-mortar stores, the law had an anti-fraud provision—permitting the merchant to ask for and examine personal information to prevent fraud. If you don't allow the use of this information for anti-fraud purposes, you put online merchants at a disadvantage—especially when you consider the volume of fraud online.

Lower California courts had already carved out an "online" exception to the Song-Beverly Act. The legislature passed a special law exempting gas stations from the Williams-Sonoma "Zip code" provisions, so they could likewise demand personal information (Zip codes) to prevent pump-and-go frauds. So Apple asked the Supreme Court to carve out an exception for online transactions.

On February 4, that's exactly what the California Supreme Court did. The court found that, to effectuate the purposes of the law (protecting privacy while permitting merchants to fight fraud), online merchants could collect things like a consumer's name, billing address and Zip code, even if the transaction was completely digital. Besides, the court observed, other California statutes—such as the California Online Privacy Protection Act (COPPA, Cal. Bus. Prof. Code 22575)—require online merchants (and others) to conspicuously post their privacy policies, including what data they collect and how they will use it. So consumer privacy is protected. Not.

The problem with what the Supreme Court did in the Krescent case was that by trying to make online merchants equal to their brick-and-mortar siblings, they elevated the rights of such merchants beyond those of their terrestrial counterparts. The court could have said that Apple and others could collect consumer personal information during a credit-card transaction, but only to use it to prevent fraud (validate the transaction), and then they had to destroy the personal data. This would have been the electronic equivalent of "looking at" the driver's license—well, close to it, anyway.

But having collected personal information to prevent fraud, the California Supreme Court held that the only limits on the online merchant's use of that data is whatever it puts on its privacy policies. So although a brick-and-mortar entity can't collect any data (except for order fulfillment), an online merchant can collect and use personal information—exactly what the Song-Beverly Act didn't want to happen. So it looks like a victory for cyberspace merchants at the expense of ground-based ones. At least until the California Legislature convenes. After that, who knows what might happen.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.