Every time I use my credit card to pay for an item at a retail store, I always look to see if my receipt contains my credit-card number or expiration date (as opposed to something that looks like “xxxx-xxxx-xxxx-xxxx”). If either appears on my receipt, I know that this retailer is a potential target for a privacy-law class action.
Under the Fair and Accurate Credit Transactions Act (“FACTA”), retailers are prohibited from printing on a customer’s credit-card receipts more than the last five digits of the customer’s card number or the expiration date. At last count, plaintiffs have filed more than 300 putative class actions alleging such violations of FACTA. For a federal statute as young as FACTA (effective as of 2004), that’s already a lot of class actions.
In order to avoid becoming the next privacy-law class defendant, some retailers have instructed their stores to print customer receipts containing only the last five digits of the customer’s card number. In other words, retailers have told their stores to comply with FACTA. Sounds like a sure-fire way to avoid class liability, right? Well, only partially.
Complying with FACTA without also complying with each and every individual state’s privacy laws is like fixing the biggest hole in your leaky roof while pretending that the smaller holes don’t exist. You’ll still end up with a very wet floor, and before long, you might be watching the entire roof collapse. Indeed, any retailer relying only on FACTA, without also implementing a compliance program for state privacy laws, is easy pickings for the ambitious class plaintiff.
For example, in the states of Illinois, Michigan, Texas and Virginia, a retailer that prints the last five digits of a credit-card number on a customer receipt would violate state law and risk being sued on a class-wide basis. How is that? Although FACTA allows for five digits on receipts, these states only allow four digits.
What about the retailer that has stopped printing credit-card numbers or expiration dates on customer receipts altogether? Is that retailer safe from being a privacy-law class defendant? Not even close. A number of states maintain quirky statutes that are veritable class-action landmines. For example, in California, class plaintiffs have repeatedly sued retailers merely because the retailers gave their customers credit-card receipts containing preprinted spaces designated for addresses. In other states, including Illinois, New Jersey, and New York, retailers are at risk simply by giving their customers receipts that are not carbonless or are not perforated. Strange, I know, but true.
OK. So, as the retailer, you’ve now stopped printing credit-card numbers or expiration dates on customer receipts; you’ve ceased using credit-card forms with preprinted spaces designated for addresses; and you’ve trashed those non-carbonless and non-perforated receipts. Can you finally sleep well at night, knowing that you are in full compliance with privacy laws? Unfortunately, no.
There are still many other privacy-law traps. For example, allowing cashiers to ask customers at the point of sale to provide their addresses or telephone numbers is a bad idea. That type of act can lead to class actions in more than a dozen states, including California, Massachusetts, New York, Pennsylvania, Kansas, New Jersey, Oregon, Rhode Island, Wisconsin, Delaware, the District of Columbia, Minnesota, Ohio, Maryland and Nevada.
In terms of privacy-law compliance and avoidance of class actions, everything mentioned above only scratches the surface. The bottom line is that a retailer should not fool itself into believing that complying with FACTA will prevent privacy-law class actions. Rather, FACTA compliance should serve merely as a retailer’s starting point, and should be followed with a thorough analysis of the privacy statutes in each and every state in which the retailer does business.