Customer information is a valuable marketing commodity. However, state privacy laws may restrict the manner in which businesses collect such information during retail transactions. Though some privacy laws have been in effect for years, many businesses still use information-collection practices that violate them.
California’s Song-Beverly Credit Card Act prevents retailers from requesting or recording “personal identification information” such as an address or telephone number when a customer uses a credit card to pay for a purchase. Direct marketers who gather personal information during a credit card transaction must recognize that their practices are governed by this act and other state laws. Song-Beverly was the first of its kind but has spawned similar privacy laws in at least 15 other states including New York, Massachusetts, Pennsylvania, Minnesota, Nevada, New Jersey and Ohio.
The act lets litigants seek hefty monetary penalties from retailers who fail to heed its protections. An initial violation can be punished by a $250 penalty, and each subsequent violation may be met with a maximum penalty of $1,000. Song-Beverly’s use of a variable penalty affords a court extensive leeway in fixing the amount. For many retailers, however, the potential penalty for one violation could far exceed the revenue or profit derived from the offending transaction.
The act does carve out exceptions, and these may give many direct marketers a legal way to collect customers’ personal identification information. The broadest exception lets a retailer collect customer information when that information is used for an incidental, but related, purpose. Examples include product shipping, delivery, servicing or installation. The exception must be evaluated in the context of each transaction, so DMers who also run bricks-and-mortar stores, outlets or kiosks may have to formulate different policies and practices for those types of operations.
Song-Beverly also does not prevent retailers from requesting a customer’s personal information when that request is made outside the scope of the credit card transaction. Retailers may find creative ways to gather this information through informational mailing lists, frequent-buyer clubs or other rewards programs. They should, of course, ensure that any method used to gather customer information complies with applicable laws.
Though the act vests prosecutorial authority with California’s attorney general, district attorneys and city attorneys, suits by government authorities have been few and far between. This does not mean that retailers can be lax in compliance. Private civil litigants may, and often do, seek the same monetary penalties through class action lawsuits. A recent spate of civil lawsuits in California may return the act’s privacy protections to the spotlight, making it imperative that DMers review their information-collection practices so that they do not run afoul of state privacy laws. n
Jeffrey D. Knowles and Jon-Jamison Hill are partners at Venable LLP, a Washington-based law firm. Reach them at [email protected] and [email protected].
