California’s Song-Beverly Credit Card Act of 1971 (the “Act”) (Cal. Civ. Code § 1747.08) generally prohibits merchants from requesting customers to provide “personal identification information” during a credit card transaction and then recording that information. Several recent California decisions have interpreted the Act’s prohibitions broadly, which has led to some uncertainty regarding its scope. Earlier this year, for example, the California Supreme Court held that a retailer who requests and subsequently records a customer’s ZIP code in connection with a credit card transaction violates the Act. Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612, 614 (Cal. 2011). Because penalties for such violations are punishable by civil penalties of up to $250 for a first offense and up to $1,000 for each subsequent offense, the Pineda decision has led to hundreds of lawsuits being filed against companies that operate in California and request ZIP code information at the point of sale for credit card transactions.
Although most of the lawsuits filed in the wake of the Pineda decision have targeted brick-and-mortar establishments, several have alleged that large online retailers (e.g., Amazon.com and Craigslist) violated the Act by requesting ZIP code information from customers in connection with credit card payments. These allegations have sparked substantial debate regarding the Act’s applicability to online transactions. On one hand, a federal district court case that was decided prior to Pineda reached the conclusion that online transactions were outside of the Act’s scope. Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009). On the other hand, the Pineda decision broadened the Act’s reach and left online retailers wondering whether California courts would come to the same conclusion as the federal district court regarding online transactions. Consequently, Pineda and the resulting wave of litigation has forced digital merchants to weigh the costs of large potential civil penalties against the need to collect ZIP code information for valid business purposes.
Fortunately for online retailers, on August 24, 2011 the San Francisco Superior Court provided some clarity on this issue. Specifically, in Gonor v. Craigslist, Inc. the San Francisco Superior Court dismissed a Song-Beverly Act lawsuit against Craigslist on the grounds that the Act “on its face does not apply to online transactions.” Gonor v. Craigslist, Inc., No. CGC-11-511332. In making this determination, the court also noted that “applicable case law, legislative intent and public policy indicate that [online] transactions are not, and should not be, encompassed by [the Act].” The finding provides further support for Saulic v. Symantec, the federal district court decision holding that the Act does not apply to online transactions, and will likely result in a significant decrease in the number of future lawsuits filed against online merchants that conduct business in California. However, it should be noted that numerous other post-Pineda cases are still pending in California state and federal courts that relate to the collection of “personal identification information” by digital merchants. As a result, online merchants should applaud the Craigslist decision but should also remain aware that the issue of the Act’s applicability to online transactions is not an entirely settled matter.