Retailers can demand personal data for downloads

by Bob Egelko, San Francisco Chronicle

If you buy something at the store with a credit card, a state privacy law prohibits the clerk from asking for your address and phone number. But the same law doesn’t cover your online purchases of audio or video files or e-books, according to a closely divided California Supreme Court.

The 1990 law barred retailers from requiring or even requesting "personal identification information" from credit card customers. Retailers can ask to see a driver’s license or other photo ID as long as they don’t record the information.

The court ruled unanimously two years ago that businesses were also prohibited from asking in-person customers for their ZIP codes, though the law was later amended to let gas stations require postal codes for automated "pay-at-the-pump" purchases.

But in a 4-3 ruling Monday, the justices said the ban on requiring addresses and phone numbers doesn’t apply to online purchases of downloadable products. Although sellers don’t need addresses to ship those products, they can require the information as a safeguard against credit card fraud, the court said.

"Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer’s photo identification," said Justice Goodwin Liu in the majority opinion.

Dissenters said the court had rewritten the law, protecting businesses at the expense of consumers.

The ruling allows online retailers to "collect unlimited personal information concerning their credit-card-using customers and sell that information," said Justice Joyce Kennard, joined by Justice Marvin Baxter and Barbara Jones, a San Francisco appeals court justice sitting by temporary assignment.

Richard Holober, executive director of the Consumer Federation of California, called the ruling "a gift to online businesses that have demonstrated a callous disregard for customer privacy."

But Liu said allowing sellers to seek additional information from online purchasers would protect consumers as well as retailers against credit card fraud.

The case arose from a suit in Los Angeles County by David Krescent, an online customer of Apple Inc., challenging the company’s insistence that he provide his address and phone number when he bought audio and video files by credit card. Lower courts had ruled that Krescent could sue Apple for violating the privacy law, but the Supreme Court disagreed.

Apple declined to comment on the ruling.

Read the ruling in Apple vs. Superior Court, S199384, at