If you are a retailer with brick-and-mortar stores in California and accept credit cards for payment, take note. You may want to take a few simple steps to avoid liability for an increasing number of claims under an old law that has received a lot of recent attention. Plaintiffs have filed several recent class action lawsuits in California against major retailers for alleged violations of California's Song-Beverly Credit Card Act (the "Act"). The Act places certain restrictions on merchants that accept credit cards. In general, the law prohibits or limits a merchant's ability to request and record personal identification information concerning the cardholder.
The Act defines personal identification information as information concerning the cardholder, other than information set forth on the card. Examples of personal identification information include the cardholder's address and telephone number. The Act prohibits retailers from doing any of the following:
1. requesting, or requiring as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise;
2. requesting, or requiring as a condition to accepting the credit card as payment in full or in part for the goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association or corporation accepting the credit card writes, causes to be written or otherwise records upon the credit card transaction form or otherwise; and
3. utilizing, in any credit card transaction, a credit card form that contains preprinted spaces specifically designated for filling in any cardholder's personal identification information.
Violators of the Act are subject to civil penalties not to exceed $250 for the first violation and $1,000 for each subsequent violation.
The Act enumerates several exceptions:
if the credit card is used as a deposit to secure payment in the event of default, loss or damage;
if the credit card is used for cash-advance transactions;
if the merchant is contractually or legally obligated to provide the information to complete the transaction; or
if the information is required for a special purpose incidental to the transaction, such as shipping, delivery or installation.
Additionally, in the past year, California courts have issued several decisions that significantly narrow the reach of the Act.
ZIP Codes Are Not Personal Identification Information
In Pineda v. Williams-Sonoma Stores, Inc., 100 Cal. Rptr. 3d 458 (Cal. Ct. App. 2009), the plaintiff alleged that Williams-Sonoma violated the Act by requesting her ZIP code during a credit card transaction and then using that ZIP code in conjunction with her name to look up her address. The court of appeal relied on its earlier decision in Party City Corp. v. Superior Court and reaffirmed that a ZIP code does not constitute personal identification information as the term is defined under the Act. 169 Cal. App. 4th 497 (2008) (ZIP codes are shared by tens of thousands of people and do not supply enough information to identify an individual).
The Act Does Not Apply to Return Transactions
The court of appeal also determined that the Act does not apply to return transactions. In Absher v. Autozone, Inc., 164 Cal. App. 4th 332 (2008), the court emphasized that the Act was passed to prevent the misuse of personal identification information for marketing purposes. Accordingly, the return of merchandise should be treated differently because certain personal information may be necessary to verify that the return transaction is bona fide and to prevent employees from manipulating such transactions for their own benefit. Additionally, if the returned product is used or damaged, the merchant may have a legitimate need to contact the customer who made the return.
The Act Does Not Apply to Online Transactions
In January 2009, the U.S. District Court for the Central District of California ruled that the Act does not apply to transactions conducted over the Internet. Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009). The court focused on the statute's legislative history and emphasized that the Act was designed to protect consumer privacy in a brick-and-mortar setting. While the use of computer technology is mentioned, the legislative history does not suggest that the California Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment. Ultimately, the court concluded that neither the language of the Act nor its legislative history suggests that the Act includes online transactions.
Song-Beverly Is Subject to a One-Year Statute of Limitations
Finally, the court of appeal narrowed the scope of available claims under the Act by imposing a one-year statute of limitations. TJX Cos. Inc. v. Superior Court, 163 Cal. App. 4th 80 (2008). The court held that because the statute imposes a penalty, it is subject to the one-year statute of limitations of the California Code of Civil Procedure Section 340.
Despite the court's recent tendency to narrowly construe the Act to only cover requests for personal information as a condition for acceptance of credit cards, retailers should be aware that courts will likely view the request for personal information from the customer's standpoint. In other words, it matters whether a consumer would perceive the store's request for information as a condition of the use of the credit card.
The court's ruling described in this section was reversed by the California Supreme Court on February 10, 2011.