Retailers have had to contend with California’s Song-Beverly Credit Card Act since 1971. Among other things, this law set limits on what information retailers can and cannot collect at the point of sale. A 2011 decision by the California Supreme Court saw a wave of class action lawsuits against retailers in the early part of the decade, but common-sense holdings in the years that followed slowed the predatory litigation to a trickle. That was, until, recently.
On May 15, three notable plaintiffs’ firms filed at least eight class actions in at least seven counties in California. Each case alleges that to check out with a credit card, the plaintiff was required to provide personal identification information, or “PII,” including the plaintiff’s email address and IP address. According to the plaintiffs, this information wasn't needed to complete the transactions or deliver merchandise, but was instead “recorded and retained” by the retailers “to be used in connection with later undisclosed marketing efforts.” In addition, the plaintiffs allege that the businesses use tracking pixels and other similar technologies, including the Facebook tracking pixel, Google Analytics, and the PayPal tracking pixel, to “surreptitiously” collect PII. The end result, according to the plaintiffs, is that the plaintiffs’ private information is revealed and that the plaintiffs are bombarded with targeted advertising.
Allegations concerning pixel tracking technology aren't new. In the last year, hundreds of cases have been filed against website operators from all industries for their use of pixels, scripts and other tracking tools. But the marriage of Song-Beverly and pixel tracking claims is novel and untested. In this article, we break down the statute, dive into these new theories of liability, and discuss ways companies can attempt to reduce the risk of or fight these nascent cases.
Song-Beverly, Explained
First enacted in 1971 and amended in the early 1990s, the Song-Beverly Credit Card Act limits what kinds of information businesses can collect during a credit card transaction. The Act provides, in relevant part:
(a) Except as provided …, no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:
(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
Song-Beverly defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
Class actions under the Song-Beverly Credit Card Act were in vogue in the early- to mid-2010s, following a 2011 ruling by the California Supreme Court which held that ZIP codes are PII. However, as businesses in the following years accumulated victories, the pace of litigation slowed. California courts interpreting the statute in recent years have held that there is no violation unless a request for PII is reasonably perceived as a condition to accepting a credit card as payment. One appellate court said that while the statute is intended to protect consumer privacy and to prohibit merchants from obtaining PII under the mistaken impression the information is required to process a credit card transaction, the Act is not intended to forbid merchants from obtaining such information voluntarily if the customer understands that the information need not be disclosed in order to use a credit card.
The Rise of Pixel Tracking Litigation
Originally tiny, pixel-sized images on web pages for tracking purposes, tracking pixels now refer broadly to a range of HTMP and JavaScript embedded in websites which are capable of monitoring certain interactions between a user and a web page. These analytics tools provide insight about the actions users take on a website so that a business can optimize the browsing experience. They can also be used to target ads to users who may be more likely to engage or purchase something based on prior online behavior.
These tools are often fully disclosed to website visitors, but that hasn't stopped the plaintiffs’ bar from asserting claims. Over the past year, the business community has been met with countless demand letters, lawsuits, and arbitrations concerning the use of pixel trackers. The claims assert that the plaintiffs’ sensitive information was illegally collected — either by the company itself or by the third party that designed the pixel, whose eavesdropping the company aided and abetting by installing the pixel — in violation of decades-old privacy laws that were enacted well before the internet era, such as the California Invasion of Privacy Act (“CIPA”). The claims seek statutory penalties — up to $5,000, in the case of CIPA.
These claims have been met with varying degrees of success. Many settle or are resolved at the pleading stage. Few have made it into discovery. So far, none have been tried.
Song-Beverly and Pixel Tracking Claims: An Imperfect Marriage
Last month’s filings revive the Song-Beverly claims and combine them with the trendy pixel tracking claims of late. Among other things, each plaintiff alleges that the retailers requested their email addresses and used tracking pixels to collect their IP addresses, even though this information is not needed to process the plaintiff’s credit card or ship merchandise. Instead, the information was supposedly collected so that the retailers could target the plaintiffs with advertising.
The plaintiffs allege that the retailers violated Song-Beverly simply by “recording” PII in the form of email addresses and IP addresses. According to the plaintiffs, “[t]he reasons that Defendants collected the PII or how or why Defendants used or did not use the PII, or whether Defendants ‘disaggregated’ or separated the PII from other data bases are irrelevant to establishing liability.” The plaintiffs also allege that the retailers engaged in common law negligence, invasion of privacy, and intrusion upon seclusion.
Each plaintiff seeks to certify a class and obtain a statutory penalty of $250 to $1,000 per credit card transaction statewide in California.
The law firms filing these cases clearly have big ambitions. By filing in counties all over the state, the law firms are ostensibly testing which venues will be most favorable for these hybrid claims moving forward. The law firms have more targets lined up: they have posted advertisements soliciting plaintiffs to bring claims against additional retailers, and the ads have been promoted by a popular class action website.
Not So Fast …
Needless to say, the complaints, if successful, could have massive implications. Virtually every retailer requests email addresses as a point of contact for credit card transactions online in order to deliver order confirmations and communications about the order and shipping. IP addresses are critical for the functioning of websites. Tracking pixels are nearly ubiquitous in e-commerce because they can help brands optimize the user experience. Awarding statutory penalties on a class-wide basis in the state with the largest base of consumers could be a game changer. As with most things, it's not that simple.
Song-Beverly doesn't apply where PII “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” As stated above, email addresses are a vital piece of information for retailers to be able to contact customers about their purchases. Indeed, the California Supreme Court has held that Song-Beverly does not apply to pure online transactions involving downloadable merchandise. Another California appellate court held that retailers could request PII for online credit card transactions where the merchandise would be picked up at a store. These holdings could just as reasonably apply to online transactions where goods are shipped to the customer’s home.
IP addresses may not even be PII. An IP address is not one of the enumerated examples of PII in Song-Beverly. And even if it is PII, a claim under Song-Beverly still requires the plaintiff to prove that a reasonable consumer would perceive the retailer’s “request” for information as a “condition” of the use of a credit card. But, as alleged by the plaintiffs, there was no request — the tracking pixels were “surreptitiously installed.” If the plaintiff does not even know that the retailer is using a tracking pixel, how can the plaintiff have perceived the collection of an IP address by the tracking pixel to be a condition for using a credit card?
Nonetheless, due to the potential for aggregated statutory penalties, retailers should proceed cautiously. Online retailers should consider conspicuously displaying their privacy policies and capturing customer consent at multiple points in the website experience, including from the first page viewed by a customer via a pop-up banner or other notification and again at checkout. Lastly, until the law on this issue is developed, retailers should consult with counsel about additional strategies and defenses that they can deploy proactively.
"Where the Song-Beverly Credit Card Act Meets Internet Pixel Litigation," by Harrison Brown and Ana Tagvoryan was published in Total Retail on June 12, 2024.