With cybercrime on the rise, regulators and plaintiffs’ lawyers are pressing businesses to help mitigate the risk of identity fraud to American consumers. Ironically, at the same time, plaintiffs’ lawyers have sued numerous retailers for taking steps to prevent fraud, contending that when retailers require customers to provide information about themselves to verify their identities at the point of sale, they violate California’s Song-Beverly Credit Card Act (Cal. Civ. Code § 1747.08), a statute limiting the information retailers can collect during credit card transactions. A decision last week by California’s Court of Appeal, Flores v. Chevron U.S.A., Inc., strengthens retailers’ efforts to defend these lawsuits by holding that Song-Beverly does not apply to retailers’ fraud-prevention measures. The Chevron decision is subject to review by California’s Supreme Court, but reflects a growing trend among California courts to place fraud prevention practices beyond Song-Beverly’s reach.
The Chevron action was brought in February 2011, when John Flores and other plaintiffs filed suit against Chevron on behalf of themselves and a putative class of Chevron’s customers in California Superior Court, alleging that the company violated the Song-Beverly Act by sometimes requiring customers to provide their ZIP codes when buying gasoline with credit cards. The undisputed facts showed that Chevron required ZIP codes only in pay-at-the-pump transactions at locations where there was a high risk of fraud, used the information only to prevent fraud, and purged the information shortly after the credit card transactions were reconciled. Chevron filed a motion for summary judgment, arguing among other things that its collection of ZIP codes solely for the purpose of preventing fraud fell within a statutory exception to Song-Beverly, § 1747.08(c)(4), that permits collection of personal information “for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” The Superior Court agreed with Chevron and entered judgment against the plaintiffs, who appealed.
The Second Appellate District of California’s Court of Appeal, the state’s intermediate appellate court, unanimously affirmed the Superior Court’s ruling on June 20, 2013. The court agreed with Chevron that its collection of ZIP codes qualified for the “special purpose” exception under § 1747.08(c)(4) because the purpose of preventing fraud is “incidental but related to the individual credit card transaction.” Preventing fraud is “incidental,” according to the court, in that it is possible for the seller to complete the transaction without attempting to ensure that the transaction is not fraudulent. But it is also “related” to the transaction, the court held, because the seller is trying to ensure that that particular transaction is not fraudulent. Importantly, the court expressly declined to decide whether Chevron’s practices fell within a narrower exception to Song-Beverly, § 1747.08(c)(3)(B) that applies only to motor fuel dispensers, choosing to rely instead upon Song-Beverly’s broad “special purpose” exemption.
The Court of Appeal’s ruling in Chevron is significant because it continues and expands upon a recent trend among California courts to exempt from Song-Beverly certain transactions in which collecting consumer information is needed to help prevent fraud. For instance, earlier this year, in Apple, Inc. v. Superior Court of Los Angeles County, 56 Cal. 4th 128 (Feb. 4, 2013), the California Supreme Court held that the Song-Beverly Act does not apply to online purchases of downloadable files, reasoning in part that online retailers cannot avail themselves of certain anti-fraud precautions (such as reviewing an identification card) available to brick-and-mortar retailers. Just a few months later, a federal district court in California applied Apple’s reasoning in Ambers v. Buy.com, 2013 WL 1944430 (C.D. Cal. Apr. 30, 2013), to hold that Song-Beverly likewise does not apply to the online sale of shipped goods because an online retailer needs to collect more than merely a shipping address in order to verify a customer’s identity. By holding that fraud-prevention qualifies for Song-Beverly’s “special purpose” exception, Chevron appears to go even further towards insulating fraud-prevention efforts from Song-Beverly’s reach. Chevron’s effect may even be felt in other states that have statutes similar to California’s Song-Beverly Act. However, given the absence of binding state supreme court precedent on the issue addressed in Chevron, all merchants that collect ZIP codes, phone numbers or other customer information for fraud-prevention or other purposes at the point of sale should fully assess the legal risks involved.
For more information regarding the Chevron decision and its potential impact, or point-of-sale data collection practices generally, please contact a member of our leading privacy and data security team, including Mark Szpak and David McIntosh.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find our more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.