What Information Is Covered by These Statutes?
State laws can broadly be classified into two camps: those that broadly restrict the collection of “personal identification information” (or similar terms) (“PII”), such as the California and Massachusetts laws, and those that restrict the collection of specific categories of information, such as the District of Columbia law, which applies only to addresses and phone numbers.
Unfortunately, it is not always clear what specifically is covered by these statutes. For instance, before the California Supreme Court and the Massachusetts Supreme Judicial Court decided otherwise, reasonable minds may have believed that ZIP codes were not PII because that information, standing alone, could not identify a person individually. Even today, that is not a foregone conclusion in other states where litigation has not addressed the meaning of this undefined term. Furthermore, in the jurisdictions that restrict the collection of specific categories of information like an “address,” there is scant judicial guidance on whether an email address or a ZIP code is within the scope of the statutes. Because of the general lack of case law on these statutes outside of California and Massachusetts, retailers may wish to consider all possible outcomes before collecting information from customers.
What Conduct Is Covered by These Statutes?
There is substantial variance in the specific conduct that is prohibited by these statutes. For example, the California statute prohibits a retailer from requesting or requiring a customer to write personal information, and from recording personal information that the customer provided, as a condition of accepting a credit card. Other states use similar – although sometimes different – language, and some also prohibit a retailer from causing information to be written. While California prohibits a retailer from recording information anywhere as a condition of completing a transaction, other states simply prohibit recording information on a “transaction form.” But what is a “transaction form” in the era of computerized point of sale systems? (Remember, these statutes were mostly enacted in the early 1990s.) So far only the Massachusetts Supreme Judicial Court has weighed in, holding that the statutory term “transaction form” applies both to electronic and paper forms, but that it is a factual question whether a particular electronic form qualifies.
Due to the wide variability of the precise conduct covered by these statutes, a close reading of each state statute is necessary when considering the collection of personal information in connection with a sale. Minor nuances may have a substantial impact on whether a retailer’s conduct is likely to comply with these laws, such as the time of the request, the nature of the request, or even the method of data entry.
It is clear that the California statute and other state laws apply to in-store purchases in many circumstances. However, several cases have addressed the applicability of these statutes outside the scope of traditional face-to-face transactions at a cash register:
In-Person Transactions with E-Receipts. Electronic receipts have been an option at some retailers for several years now. In October 2013, a United States District Court in California addressed a retailer’s practice of requesting an email address to send an e-receipt in connection with a motion to dismiss a claim under California’s statute. The court ruled that an email address is PII, but noted that future factual development was necessary to determine whether sending an electronic receipt qualifies for the “special purpose” exception under the California statute. As the first case to address a growing retail practice, Capp has the potential to set precedent in this area.
Online Transactions. In 2013, the California Supreme Court ruled that California’s law does not apply to online transactions for a downloadable product. However, the court declined to address whether the law applies to other kinds of “transactions that do not involve in-person, face-to-face interaction between the customer and retailer,” such as online transactions for a physical, shipped product. Some cases from California federal courts, however, have concluded that the law does not apply to such transactions. In January 2014, the California Senate passed S.B. 383, which would restrict the collection of personal information during the sale of an electronic downloadable product; however, this bill is stalled in the California Assembly and is “unlikely to move forward this year” according to a representative in the office of the bill’s sponsor.
Kiosk Transactions. In the sole case to address unmanned kiosk transactions, the trial court ruled that the California statute did not apply because information could be requested to address “fraud concerns” and dismissed the case. On appeal, the Ninth Circuit declined to address the trial court’s conclusion, but affirmed the dismissal of the case on grounds unrelated to the use of a kiosk. Thus, it remains an open question in California whether kiosk transactions are exempted from the California statute.
Rental Transactions. In the first case to address the California statute’s rental deposit exception, the Ninth Circuit held that money does not actually need to be drawn from a customer’s credit card for the rental deposit exception to apply – the merchant must simply be able to draw upon the customer’s credit line. The Court also noted that it is immaterial whether the merchant would actually be successful in collecting from the customer’s credit line in the future.
Other Transactions. Litigation has not addressed whether the California statute applies to mail order or telephone transactions, an issue left undecided by Apple. Gas station pay-at-the-pump transactions that collect ZIP codes solely for the prevention of fraud, theft, or identity theft, were exempted from the scope of the statute by legislative amendment in 2011.
Future Directions: Unexplored Issues and Questions
Several issues and potential defenses have not yet been fully addressed in litigation. It will be interesting to watch the development of the law, particularly on these points:
Special Purpose Exception. Certain state statutes include a potentially broad exception, such that the collection of personal information is permissible if it is collected for an incidental “special purpose.” Some federal courts have concluded that a rewards program qualifies for the “special purpose” exception under certain circumstances. However, no court to date has ruled whether an electronic receipt option qualifies as a “special purpose.” Although not helpful for marketing purposes, fraud prevention has also been held to fall within the scope of this exception. The special purpose exception may be broad enough to encompass other use cases.
Contractual Obligation Exception. The California statute includes an exception that permits information collection if the merchant is “contractually obligated” to provide information to complete a transaction. This exception is unexplored by the courts.
Unmanned Kiosk Use & Self-Checkouts. Although the trial court in Mehrens concluded that unmanned kiosks are not covered by the California statute, the Ninth Circuit chose not to address this holding; thus, it is still an open question whether the California statute applies to unmanned kiosk transactions. Additionally, no case law has addressed what makes a kiosk “unmanned” or whether the California statute applies to a self-checkout solution present in a retail store.
Online Transactions Completed In Person. Cases also have not addressed if there is a meaningful difference between online transactions with products delivered by a common carrier, versus online transactions that are picked up by the customer in a retail store. On the one hand, the same anti-fraud concerns apply to these transactions to the extent that payment is not handled by a live person; but a court could also conclude the existence of an in-store component means that the laws should apply.
Statutory Scope. In the jurisdictions that restrict the collection of only certain categories of information like an “address,” a natural question is, what is an address? Do email addresses or ZIP codes qualify? As noted above, a trial court held that the D.C. statute, which applies to an “address,” does not restrict the collection of a ZIP code; however, this decision is currently on appeal.
Developing a Corporate Policy
Retailers collecting personal information from customers should keep these laws in mind. Complying with all sixteen statutes can be tricky, but it is critically important. Recent settlements in class action cases have ranged from high six-figures to low seven-figures. In some states, criminal enforcement is possible.
Thus, a retailer may wish to develop a comprehensive strategy targeted at compliance with these point of sale data collection laws. A written policy may also enable a retailer to argue for applicability of the “safe harbor” for unintentional violations that exists in some of the state statutes. However, it is also worth noting that some retailers have been able to avoid class certification under the California statute precisely because of the non-uniform nature of requests for information.
Class action litigation is picking up in Massachusetts following the Supreme Judicial Court’s ruling that the Massachusetts law applies to ZIP codes and that the “transaction form” language is no barrier to suit against retailers using modern point-of-sale systems. A case filed in the District of Columbia was dismissed, but is currently on appeal. There appears to be no reason why litigation will not eventually be brought in other states with similar laws. Accordingly, retailers that already collect personal information at the point of sale may wish to revisit their current practices, and retailers that wish to commence information collection should consider these laws thoroughly before implementing a new program.