In a 2-1 decision, a Ninth Circuit panel has affirmed a district court's dismissal of a putative class action against Redbox - the company with the bright red DVD-rental kiosks - alleging violations of California's Song-Beverly Credit Card Act, which prohibits retailers from collecting personal identification information in connection with credit card transactions. In Sinibaldi v. Redbox Automated Retail, plaintiff asserted that Redbox's collection of ZIP code information during the rental process was not essential to complete transactions but rather that the company collected the information purely for marketing purposes. Although the district court dismissed plaintiff's claims as falling outside the Act, given the potential for fraud in kiosk credit card transactions, the panel affirmed the dismissal on alternative grounds. In the majority's view, Redbox's collection fell under an exception in the consumer privacy statute allowing the collection of information where the company uses customer credit cards "as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence."
Redbox charges $1 a night for most DVD rentals and charges the customer's swiped card for the first night at the time of rental. Redbox retains the customer's credit card information during the rental period for additional rental charges, should the renter decide to keep the DVD for more than one night - or forever. The Redbox agreement allows the company to charge the card, up to a maximum flat fee ($25 for DVDs), in case the DVD is not returned within 25 days of rental. The fee is automatically processed on the credit card on file. The renter is not required to swipe the card or provide ZIP code information upon returning the DVD. In the majority's view, Redbox stores credit card information as a "deposit" - not unlike what a hotel or rental car company does - under the plain language of the statute, and therefore its collection of ZIP code information falls within the exception.
Judge Reinhardt disagreed. Emphasizing the Act's remedial nature - intended to minimize the merchant's unnecessary collection of personal data - he argued in his dissent that the majority had mischaracterized the Redbox transaction. In his view, "the Redbox customer is agreeing to rent the DVD at a fixed daily fee with a maximum total charge of $25.00 for 25 days of rental." Whether a customer damages the rental, loses it, or simply decides to keep it, the maximum charge is fixed. Particularly in light of plaintiff's allegation that the ZIP codes were used not for fraud prevention but for Redbox's business purposes, Judge Reinhardt would have construed the statute more liberally. In his view, kiosk transactions had a lower potential for fraud than online purchases. As the panel was deciding the scope of the "deposit" exception as a matter of first impression, unguided by any California precedent, the court should have construed the exception liberally, in keeping with the statute's privacy-promoting objectives.
California courts may eventually consider the scope of the Act and its exceptions, including the "deposit" exception. Until that time, however, collecting ZIP code information during the process of a credit card transaction remains a very risky procedure, at best, despite the positive results for Redbox in this case.