Previously we informed our readers that California’s new Internet data privacy law, effective January 1st, 2014, requires operators of commercial websites or online services that collect personally identifiable information (“PII”) from California consumers to conspicuously post their privacy policies on their respective websites. Now, the federal District Court for the Eastern District of California has ruled that consumers’ e-mail addresses are PII under California’s Song-Beverly Act, and that retailers may not require consumers to provide their e-mail addresses prior to making a purchase with their credit cards.
Song-Beverly Act Generally
In an effort to cut down on the amount of unsolicited marketing material sent to California consumers, the California legislature passed the Song-Beverly Act (the “Act”), which prohibits retailers from requiring consumers to provide their PII prior to purchasing a good or service by credit card. The Act defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
Recent Federal Court Case Regarding E-mail Addresses
While, on its face, the Act prohibits retailers from collecting consumers’ telephone numbers and street addresses, there had been uncertainty as to whether a consumer’s e-mail address is subject to the Act. In a class-action lawsuit brought against the popular retailer Nordstrom’s, the federal District Court found that, like zip codes, which were previously found to be PII under the Act, consumers’ e-mail addresses fall within the broad definition of PII under the Act.
In reaching this decision, the Court found that an e-mail address is, in fact, more personal than a consumer’s zip code. Expanding on this reasoning, the Court stated that “a cardholder’s e[-]mail address permits direct contact and implicates the privacy interests of a cardholder.” In essence, while a consumer’s zip code may inform the retailer of the general vicinity in which the consumer lives, an e-mail address gives the retailer direct access to the consumer through which it may deliver unsolicited marketing messages.
In rejecting Nordstrom’s argument that the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) preempts application of the Act to the facts at issue, the federal District Court ruled that CAN-SPAM is not preemptive because, unlike CAN-SPAM, the Act does not address or regulate the content of the e-mail messages sent to consumers. In fact, the Court found that retailers should comply with both the Act and CAN-SPAM.
The District Court’s inclusion of e-mail as PII covered under the Act may whet the appetites of plaintiffs’ attorneys and result in a new wave of e-mail-related lawsuits in both California State and federal courts.