Retailers have had to contend with California’s Song-Beverly Credit Card Act since 1971. Among other things, this law set limits on what information retailers can and cannot collect at the point of sale. A 2011 decision by the California Supreme Court saw a wave of class action lawsuits against retailers in the early part of the decade, but common-sense holdings in the years that followed slowed the predatory litigation to a trickle. That was, until, recently.
On May 15, three notable plaintiffs’ firms filed at least eight class actions in at least seven counties in California. Each case alleges that to check out with a credit card, the plaintiff was required to provide personal identification information, or “PII,” including the plaintiff’s email address and IP address. According to the plaintiffs, this information wasn't needed to complete the transactions or deliver merchandise, but was instead “recorded and retained” by the retailers “to be used in connection with later undisclosed marketing efforts.” In addition, the plaintiffs allege that the businesses use tracking pixels and other similar technologies, including the Facebook tracking pixel, Google Analytics, and the PayPal tracking pixel, to “surreptitiously” collect PII. The end result, according to the plaintiffs, is that the plaintiffs’ private information is revealed and that the plaintiffs are bombarded with targeted advertising.
Allegations concerning pixel tracking technology aren't new. In the last year, hundreds of cases have been filed against website operators from all industries for their use of pixels, scripts and other tracking tools. But the marriage of Song-Beverly and pixel tracking claims is novel and untested. In this article, we break down the statute, dive into these new theories of liability, and discuss ways companies can attempt to reduce the risk of or fight these nascent cases.
Song-Beverly, Explained
First enacted in 1971 and amended in the early 1990s, the Song-Beverly Credit Card Act limits what kinds of information businesses can collect during a credit card transaction. The Act provides, in relevant part:
(a) Except as provided …, no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:
(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
Song-Beverly defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
Class actions under the Song-Beverly Credit Card Act were in vogue in the early- to mid-2010s, following a 2011 ruling by the California Supreme Court which held that ZIP codes are PII. However, as businesses in the following years accumulated victories, the pace of litigation slowed. California courts interpreting the statute in recent years have held that there is no violation unless a request for PII is reasonably perceived as a condition to accepting a credit card as payment. One appellate court said that while the statute is intended to protect consumer privacy and to prohibit merchants from obtaining PII under the mistaken impression the information is required to process a credit card transaction, the Act is not intended to forbid merchants from obtaining such information voluntarily if the customer understands that the information need not be disclosed in order to use a credit card.
The Rise of Pixel Tracking Litigation
Originally tiny, pixel-sized images on web pages for tracking purposes, tracking pixels now refer broadly to a range of HTMP and JavaScript embedded in websites which are capable of monitoring certain interactions between a user and a web page. These analytics tools provide insight about the actions users take on a website so that a business can optimize the browsing experience. They can also be used to target ads to users who may be more likely to engage or purchase something based on prior online behavior.
These tools are often fully disclosed to website visitors, but that hasn't stopped the plaintiffs’ bar from asserting claims. Over the past year, the business community has been met with countless demand letters, lawsuits, and arbitrations concerning the use of pixel trackers. The claims assert that the plaintiffs’ sensitive information was illegally collected — either by the company itself or by the third party that designed the pixel, whose eavesdropping the company aided and abetting by installing the pixel — in violation of decades-old privacy laws that were enacted well before the internet era, such as the California Invasion of Privacy Act (“CIPA”). The claims seek statutory penalties — up to $5,000, in the case of CIPA.
These claims have been met with varying degrees of success. Many settle or are resolved at the pleading stage. Few have made it into discovery. So far, none have been tried.
Song-Beverly and Pixel Tracking Claims: An Imperfect Marriage
Last month’s filings revive the Song-Beverly claims and combine them with the trendy pixel tracking claims of late. Among other things, each plaintiff alleges that the retailers requested their email addresses and used tracking pixels to collect their IP addresses, even though this information is not needed to process the plaintiff’s credit card or ship merchandise. Instead, the information was supposedly collected so that the retailers could target the plaintiffs with advertising.
The plaintiffs allege that the retailers violated Song-Beverly simply by “recording” PII in the form of email addresses and IP addresses. According to the plaintiffs, “[t]he reasons that Defendants collected the PII or how or why Defendants used or did not use the PII, or whether Defendants ‘disaggregated’ or separated the PII from other data bases are irrelevant to establishing liability.” The plaintiffs also allege that the retailers engaged in common law negligence, invasion of privacy, and intrusion upon seclusion.
Each plaintiff seeks to certify a class and obtain a statutory penalty of $250 to $1,000 per credit card transaction statewide in California.
The law firms filing these cases clearly have big ambitions. By filing in counties all over the state, the law firms are ostensibly testing which venues will be most favorable for these hybrid claims moving forward. The law firms have more targets lined up: they have posted advertisements soliciting plaintiffs to bring claims against additional retailers, and the ads have been promoted by a popular class action website.
Not So Fast …
Needless to say, the complaints, if successful, could have massive implications. Virtually every retailer requests email addresses as a point of contact for credit card transactions online in order to deliver order confirmations and communications about the order and shipping. IP addresses are critical for the functioning of websites. Tracking pixels are nearly ubiquitous in e-commerce because they can help brands optimize the user experience. Awarding statutory penalties on a class-wide basis in the state with the largest base of consumers could be a game changer. As with most things, it's not that simple.
Song-Beverly doesn't apply where PII “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” As stated above, email addresses are a vital piece of information for retailers to be able to contact customers about their purchases. Indeed, the California Supreme Court has held that Song-Beverly does not apply to pure online transactions involving downloadable merchandise. Another California appellate court held that retailers could request PII for online credit card transactions where the merchandise would be picked up at a store. These holdings could just as reasonably apply to online transactions where goods are shipped to the customer’s home.
IP addresses may not even be PII. An IP address is not one of the enumerated examples of PII in Song-Beverly. And even if it is PII, a claim under Song-Beverly still requires the plaintiff to prove that a reasonable consumer would perceive the retailer’s “request” for information as a “condition” of the use of a credit card. But, as alleged by the plaintiffs, there was no request — the tracking pixels were “surreptitiously installed.” If the plaintiff does not even know that the retailer is using a tracking pixel, how can the plaintiff have perceived the collection of an IP address by the tracking pixel to be a condition for using a credit card?
Nonetheless, due to the potential for aggregated statutory penalties, retailers should proceed cautiously. Online retailers should consider conspicuously displaying their privacy policies and capturing customer consent at multiple points in the website experience, including from the first page viewed by a customer via a pop-up banner or other notification and again at checkout. Lastly, until the law on this issue is developed, retailers should consult with counsel about additional strategies and defenses that they can deploy proactively.
Harrison Brown is a partner, business litigation, at Blank Rome, an Am Law 100 firm with 16 offices and more than 700 attorneys and principals who provide a full range of legal and advocacy services to clients operating in the United States and around the world.
Ana Tagvoryan is a partner, business litigation, at Blank Rome.
Related story: Win Customers, Avoid Lawsuits: Minimizing Reference Price Litigation Risk
Harrison Brown represents companies and executives facing consumer class actions, mass arbitration, and other major civil litigation in various areas, including telemarketing and communications, consumer protection, unfair competition, and false and deceptive advertising. Harrison’s areas of experience include successfully defending class actions involving telemarketing under the federal Telephone Consumer Protection Act (“TCPA”) and Florida’s Telephone Solicitation Act (“FTSA”), the Federal Trade Commission Act and California’s Unfair Competition Law (“UCL”) and Consumer Legal Remedies Act (“CLRA”), Illinois’ Biometric Information Privacy Act (“BIPA”), California’s Song-Beverly Credit Card Act, chatbot and wiretapping litigation under California’s Invasion of Privacy Act (“CIPA”), and California’s Automatic Renewal Law (“ARL”). Harrison has secured early dismissal of multiple class action lawsuits prior to class certification, protecting sensitive customer lists from premature disclosure.
Harrison has assisted businesses in virtually every industry, including retailers, distributors, food products and agriculture, banks, investment firms, hotels, and car dealers. He is well versed in Title III of the Americans with Disabilities Act (“ADA”) and California’s Unruh Civil Rights Act and has obtained multiple judgments prior to discovery in favor of clients facing website and physical accessibility lawsuits. An experienced advocate, Harrison also counsels and helps companies navigate a wide range of business matters and challenges, including fraud, breach of contract, and partnership disputes.
Harrison has assisted clients in jurisdictions throughout the country, including federal and state trial courts, appellate courts, and in administrative proceedings before the Federal Communications Commission (“FCC”).
Harrison has been recognized as a Southern California Super Lawyers “Rising Star” in class actions by Super Lawyers every year since 2019. As part of his extensive background in consumer protection and privacy laws, he regularly advises clients in advertising, retail, e-commerce, and related risk mitigation strategies under federal and state laws and regulations.
Ana Tagvoryan is a high-stakes corporate litigator with almost two decades of experience advising, counseling, and defending business clients in consumer-facing litigation and enforcement actions in state and federal courts across the nation. Her complex corporate litigation and compliance-related practice focuses on current issues presented for clients with consumer-facing businesses in retail, media, hospitality, technology, banking, and food & beverage. Ana’s nationwide practice routinely involves solving issues and defending claims related to consumer fraud, advertising, labeling, data privacy, cybersecurity, online and mobile marketing, pricing, and related intra- and inter-state commerce and e-commerce issues.
Ana is also the chair of the Privacy Class Action Defense group, which handles privacy-related cases involving wiretapping, data breaches, biometrics, telemarketing, call recording, data handling and sharing, and other consumer privacy matters. In addition, Ana’s team routinely litigates the ever-changing wave of claims dealing with auto-renewing subscription offers, e-commerce business practices, and federal & state consumer protection laws.
Ana serves as a trusted adviser and business partner to many clients who operate consumer-facing businesses. With regard to both mitigation of risk and litigation of claims, Ana’s clients regard her as strategic and creative; they trust her commonsense approach to problem-solving and appreciate her professional dedication.
Litigation
Ana has a reputable track record for successfully defeating threatened and actual claims at every stage of litigation. She has succeeded in bringing early dispositive issues before the courts and saving costs associated with discovery, and is skilled in early and efficient dispute resolution, including mediation and class action settlements. Ana and her team have secured orders of affirmation or reversal from Courts of Appeals and the U.S. Supreme Court on key issues and defenses on behalf of various companies, making precedent and good law in jurisdictions across the nation.
Ana has extensive experience with state and federal consumer protection statutes, such as: California and related states’ Unfair Competition Law, False Advertising Act, Consumer Legal Remedies Act, Invasion of Privacy Act, Consumer Privacy Rights Act, and Automatic Renewal Law; and federal statutes including the Federal Wiretap Act, Telephone Consumer Protection Act (“TCPA”), the Fair Credit Reporting Act, Stored Communications Act, Fair and Accurate Credit Transactions Act, Video Privacy and Protection Act, Magnuson-Moss Warranty Act, and U.S. federal and state CAN-SPAM laws. In addition, Ana routinely handles claims under the Illinois Biometric Information Privacy Act, Michigan Privacy Protection Act, Florida Telephone Sales Act, Florida Security of Communications Act, Pennsylvania Wiretapping and Electronic Surveillance Act, and Federal Trade Commission and state agency investigations and claims.
Compliance
Ana’s team routinely advises clients with respect to e-commerce data handling and disclosure practices, data privacy and data breach, and compliance with federal and state consumer laws across various industries, including retail, media, and e-commerce. Her compliance practice includes insight into vendor and software provider licenses and agreements, product labeling, online marketing and advertising, and related issues.
Teaching and Professional Engagements
Ana has served on various legal and professional organizations and lectured extensively on current events facing in-house counsel and business executives. She also regularly writes in leading industry publications concerning consumer protection and litigation trends, compliance insights, and future legislation. (See Publications.) Ana is currently active with the Atlantic Legal Foundation and sits on its advisory board.
Outside the Firm
Ana is an ardent indoor cyclist and coffee enthusiast, always looking for the newest and best trends in the things that help her give her best to her three kids, husband, and clients.