California’s Song-Beverly Credit Card Act does not prohibit retailers from collecting email addresses after a credit card transaction has been concluded, according to a recent ruling by a California appellate court. The decision provides some welcome clarity for retailers who engage in point of sale data collection.
What is the Song-Beverly Act?
The Song-Beverly Act prohibits retailers from requiring a consumer to provide personally identifiable information (PII) as a condition to payment by credit card and recording that information during the credit card transaction. The Act defines PII as including the cardholder’s address and telephone number, and courts have repeatedly found that the definition includes other information such as ZIP codes and email addresses. Class actions against retailers in California based on alleged violations of the Act have become commonplace and several other states have also adopted their own laws modeled on Song-Beverly.
Details of this Case
In this case, Harrold v. Levi Strauss, a Levi’s customer named Stacie Harrold claimed that the retailer violated Song-Beverly by requesting and recording her email address in conjunction with a credit card transaction. According to Harrold, a Levi’s employee asked for her email address before her purchased merchandise was bagged and handed to her, but Harrold could not remember whether the Levi’s employee had requested her email address before or after she signed for the purchase. Harrold asserted that Song-Beverly was violated regardless of when Levi’s requested her email address because a violation of the Act occurs when a retailer requests and records PII from a customer who pays by credit card. After Harrold sought class certification for her claims, the trial court denied certification.
On appeal of the denial for class certification, the California appellate court rejected Harrold’s interpretation of the Act. As the court noted, the Act was not intended to prohibit retailers from collecting PII voluntarily from customers, such as in connection with a voluntary email marketing program. Rather, its purpose is to prohibit retailers from requesting or requiring PII as a condition of paying by credit card. Thus, a violation of the Act only occurs if a retailer requests PII “under circumstances in which the customer could reasonably understand that the [PII] was required to process the transaction.” If PII is requested after a transaction has concluded, the court suggests that it would be unreasonable for a customer to conclude that the PII was required in order to pay by credit card.
Significantly, the court noted that there was no evidence in the record to suggest that Levi’s employees collect PII before the conclusion of credit card transactions. Levi’s submitted “substantial evidence” to the court that its employees are trained to refrain from asking for email addresses until after credit card transactions are completed, and even Harrold was unable to say for certain when her email address had been requested. Accordingly, the court affirmed the denial of certification.
In recent years, numerous retailers have faced class action lawsuits under the Song-Beverly Act and related laws in other states. Although this decision just applies in California, it should offer comfort to retailers who request PII from customers after the completion of credit card transactions. That said, the case also underscores the importance of having good employee training programs in place. Retailers should carefully review those programs and their internal policies to ensure compliance with state data collection laws.