On February 4, 2013, the California Supreme Court held in Apple Inc. v. Superior Court (Krescent) that the Song-Beverly Credit Card Act’s prohibition against recording customers’ personal identification information as a condition of credit card purchases does not apply to online purchases in which the product is downloaded. This decision will provide significant relief to online retailers, who otherwise could have been exposed to up to $1,000 in statutory penalties each time a customer was required to enter an address or telephone number in order to complete a downloadable online purchase.
For now, retailers can rest assured that online transactions involving downloadable products do not fall within the scope of the Credit Card Act. However, the Court invited the Legislature “to revisit the issue of consumer privacy and fraud prevention in online credit card transactions,” while other questions, such as the application of the Credit Card Act to online transactions not involving downloadable products, still remain open.
Krescent v. Apple Inc.
In June 2011, David Krescent sued Apple on behalf of himself and a putative class, alleging violations of the Song-Beverly Credit Card Act, Civil Code Section 1747.08. He claimed that on several occasions he used a credit card to purchase online media downloads from Apple, and was required to provide his telephone number and address in order to complete his purchases. Apple filed a demurrer to the complaint, arguing that the Credit Card Act does not apply to online transactions and noting the importance of preventing identity theft and fraud. The trial court overruled Apple’s demurrer, and the Court of Appeal denied Apple’s petition for writ of mandate seeking review of the trial court’s order.
The California Supreme Court began by examining the text of the Credit Card Act. Section 1747.08 provides that, subject to several exceptions, a retailer shall not request or require, as a condition to accepting a credit card as payment, that the cardholder write any personal identification information, provide personal identification information that the retailer writes or records, or utilize a credit card form containing preprinted spaces designated for filling in personal identification information. The Court noted that the Credit Card Act “makes no reference to online transactions or the Internet” as it was “enacted in 1990 before the privatization of the Internet and almost a decade before online commercial transactions became widespread.”
As it was not clear whether the Legislature intended for the Credit Card Act to cover online transactions, the Court considered its legislative history and purpose. The Court found that the Legislature’s enactment of the Credit Card Act balanced consumer privacy protection with retailers’ concerns about the risk of fraud. The Court explained that in 1991, a subsection was added to clarify that retailers could require cardholders to provide positive photo identification and could record the customer’s driver’s license number if the customer did not make the credit card itself available for verification. This “key antifraud mechanism,” however, is not applicable to an online retailer who cannot visually inspect a credit card, signature, or photo.
The Court held “that the statutory scheme and legislative history make clear the Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so. No such mechanism would exist in the context of online purchases of electronically downloadable products if the statute were read to apply to such transactions. Because the statutory scheme provides no means for online retailers selling electronically downloadable products to protect against credit card fraud, we conclude that the Legislature could not have intended section 1747.08 to apply to this type of transaction.”
Krescent had argued that a 2011 amendment specifying an exception for the collection of ZIP code information at “pay-at-the-pump” fuel transactions shows that all remote transactions, including online transactions, are covered by section 1747.08. The Court rejected this argument. Although there were some indications supporting Krescent’s position (such as an unpassed version of the amendment), the Court found that:
- the 2011 history was not persuasive as to what the 1990 Legislature intended;
- unpassed bills have little value as evidence of legislative intent;
- the legislative history in 2011 was conflicting; and
- the 2011 amendment was enacted to address one particular narrow problem, namely, the retroactive applicability of the Court’s 2011 holding in Pineda v. Williams-Sonoma Stores, Inc. that a ZIP code constitutes personal identification information within the meaning of the statute.
The Court also reasoned that “the California Online Privacy Protection Act of 2003 (COPPA) shows that the Legislature knows how to make clear that it is regulating online privacy and that it does so by carefully balancing concerns unique to online commerce.”
Impact of Krescent v. Apple Inc.
It remains to be seen whether the Legislature will act with respect to the recording of personal identification information as a requirement of online transactions involving downloadable products.
It is also important to note that this decision does not conclusively settle all issues regarding online transactions. The Court declined to decide whether section 1747.08 applies to online transactions that do not involve downloadable products, or to mail order or telephone order transactions. The Court did note that mail and telephone orders often involve the delivery of merchandise, implying that such transactions would fall under the statutory exception where information “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise.” It is likely that online transactions involving the shipping or delivery of merchandise would be covered by the same exception, if such online transactions are covered by the Credit Card Act at all. Finally, the Court’s decision will have little, if any, immediate impact on the dozens of ongoing class action lawsuits in which plaintiffs allege that retailers’ in-person collection of their ZIP codes violates the Credit Card Act.