California Supreme Court eviscerates credit card privacy law

Statement of Richard Holober, Executive Director, Consumer Federation of California

A deeply divided California Supreme Court delivered a body blow to consumer privacy protection, ruling today that the Song Beverly Credit Card Act does not apply to online transactions.

The case is Apple Inc. v. Superior Court of Los Angeles County, arising from a lawsuit filed by David Krescent. Mr. Krescent alleged that Apple had violated his privacy when it required his telephone number and address to complete credit card purchases of downloadable audio and video files. Lower courts ruled against Apple.

While the Supreme Court built its ruling around the premise that online commerce opens avenues to fraud that were not contemplated by the 1990 law, it did not confine its ruling to permit the gathering of personally identifiable information for the limited purpose of fraud prevention. Instead, the Court used fraud prevention as a pretext for the wholesale elimination of privacy rights for all California consumers making online credit card purchases.

The Supreme Court’s ruling ignores the plain meaning of a law enacted for the express purpose of protecting consumer privacy. The Song Beverly Credit Card Act prohibits any ‘person, firm, partnership association, or corporation that accepts credit cards’ from requesting or requiring the cardholder to ‘provide personal identification information’ including the cardholder’s address or telephone number’, with a few narrowly drawn exceptions, such as information needed to deliver or install a product, or to gather information required by a contract with a third party credit card processor.

The 4-3 Supreme Court majority re-wrote history, stating that since online commerce did not exist in 1990 when the Song Beverly Act was adopted, the law does not apply to online transactions. This decision flies in the face of the clear language of the law, which covers all credit card transactions, and which does not state that the law only applies to in-person transaction. The majority opinion dismisses the argument in Justice Kennard’s dissent that the credit card privacy law applies to other forms of remote purchases that existed in 1990, such as mail order and telephone order transactions, with the flippant statement that ‘the issue is not presented’ in the Apple case.

Justice Baxter points out in his dissenting opinion that ‘there is nothing in the record’ of this case to discern that Apple needed the cardholder’s address and phone number to prevent fraud or identity theft.  The majority opinion states that the lack of a record is irrelevant because it ‘expresses no view as to what type of information ‘ whether an address, telephone number, or something else ‘ is essential to verify a cardholder’s identity’.  Instead of looking at the facts ‘ or lack of facts ‘ regarding fraud prevention, the majority concludes that an online merchant has an unlimited right to collect any information it wants ‘ for any purpose.

The Supreme Court’s opinion is a gift to online businesses that have demonstrated a callous disregard for customer privacy.  It is an affront to millions of Californians who care about protecting our privacy.

For more information, see California Supreme Court makes it easier for Apple, online businesses to collect personal data