California Supreme Court Strengthens Song-Beverly Act’s Prohibitions on Collection of Consumers’ Personal Identification Information

February 17, 2011.

On February 10, 2011, the California Supreme Court issued its unanimous opinion in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011), strengthening the Song-Beverly Act’s restrictions on retailers’ collection and use of consumer data and holding that even a ZIP code constitutes “personal identification information” under the statute.

California Song Beverly Act, Cal. Civ. Code § 1747.08(a), forbids retailers from requesting and recording personal identification information during or in connection with credit card transactions. The statute, as enacted in 1990 and amended in 1991, was created to accomplish two goals: 1) guard against identity theft; and 2) prevent consumers from receiving unwanted, spam marketing. Recent news of large, well-known retailers having suffered huge security breaches in their point-of-sale software systems underscores the importance of laws intended to safeguard consumer retail transactions against the prospect of identity theft. These news reports also emphasize such breaches often go undetected, unreported, or underreported, with the damage turning out to be vastly more significant than originally revealed by retailers’ own internal audits.

A unanimous California Supreme Court made clear in Pineda that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act” (emphasis added). Id. at 527-28. See also Florez v. Linen ‘N Things, Inc., 108 Cal. App. 4th 447, 453 (2003) (holding that requesting and recording a cardholder’s personal identification information is prohibited “even if the consumer’s response was voluntary and made only for marketing purposes”. Id. at 453; see Pineda, 51 Cal. 4th at 535 (“[T]he 1991 amendment [adding the word “request”] prevents a retailer from making an end-run around the law by claiming the customer furnished personal identification data ‘voluntarily.’”) The Court emphasized that Section 1747.08 is a remedial statute which must be liberally construed in favor of its protective purposes.  51 Cal. 4th at 532. Section 1747.08(e) establishes penalties of up to two-hundred fifty dollars ($250) for the first violation and up to one thousand dollars ($1,000) for each subsequent violation. The amount of the penalty is at the discretion of the trial court. Cal. Civ. Code § 1747.08(e). Section 1747.04 further prohibits any waiver of Section 1747.08’s protections. Cal. Civ. Code § 1747.04.

Any retailer that requests and records consumers’ personal identification information during or in connection with credit cards should be aware of § 1747.08’s prohibitions and reevaluate their data collection policies and practices accordingly in light of Pineda. As a customer, if a retailer asks for your personal data in connection with a transaction, even just your ZIP code, be aware of your right to say no. Retailers’ point-of-sale policies and practices are generally standardized, and if you encounter a violation of § 1747.08’s data collection restrictions, likely many thousands of other consumers are faced with the same issue. Class action treatment may be appropriate in certain instances and, given the penalties imposed by § 1747.08(e) per violation, liability exposure can be significant.

To find out more on any of these issues, please contact our offices: Wucetich & Korovilas LLP; (310) 335-2001; dimitri@wukolaw.com. This article is for educational use only, should not be considered legal advice, and in no way creates an attorney-client relationship between the firm and the reader.