Apple v. Super. Ct., S199384

Credit cards: consumers’ protection: what information can be collected by the retailer in case of online purchases of electronically downloadable products? The Song-Beverly Credit Card Act of 1971 (Credit Card Act) governs the issuance and use of credit cards.  (Civ. Code, § 1747 et seq.; all further statutory references are to the Civil Code unless otherwise indicated.)  One of its provisions, section 1747.08, prohibits retailers from “requesting, or requiring as a condition to accepting the credit card as payment . . . , the cardholder to write any personal identification information upon the credit card transaction form or otherwise.”  (§ 1747.08, subd. (a) (hereafter section 1747.08(a)).)  It also prohibits retailers from requesting or requiring the cardholder “to provide personal identification information, which the retailer . . . writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise,” and from “utilizing . . . a credit card form which contains preprinted spaces specifically designed for filling in any personal identification information of the cardholder.”  (Ibid.)  In Pineda v. Williams-Sonoma Stores, Inc. (2011) 51 Cal.4th 524 (Pineda), we considered whether section 1747.08 is violated when a retailer requests and records a customer’s ZIP code during a credit card transaction.  Relying on the statute’s language, legislative history, and purpose, we concluded that a ZIP code constitutes “personal identification information” within the meaning of the statute and that the Credit Card Act forbids a retailer from requesting or recording such information.  (Pineda, at pp. 527–528.)

Like Pineda, this case involves an asserted violation of section 1747.08.  David Krescent, the plaintiff in this case, alleged in his complaint that defendant Apple Inc. requested or required him to provide his address and telephone number as a condition of accepting his credit card as payment.  However, unlike Pineda, which concerned the purchase of a physical product at a traditional “brick-and-mortar” business, this case concerns the purchase of an electronic download via the Internet.  We must resolve whether section 1747.08 prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product.  Upon careful consideration of the statute’s text, structure, and purpose, we hold that section 1747.08 does not apply to online purchases in which the product is downloaded electronically.

Our dissenting colleagues warn that today’s decision “relegates to the dust heap” the “ ‘robust’ consumer protection . . . at the heart of section 1747.08” (dis. opn. by Kennard, J., post, at p. 6) and represents a “major loss for consumers” (id. at p. 1) that “leaves online retailers free to collect and use the personal identification information of credit card users as they wish” (dis. opn. by Baxter, J., post, at p. 1).  These ominous assertions, though eye-catching, do not withstand scrutiny.  As we explain, existing state and federal laws provide consumers with a degree of protection against unwanted use or disclosure of personal identification information.  The Legislature may believe these measures are inadequate and, if so, may enact additional protections.  Or the Legislature may believe that existing laws, together with market forces reflecting consumer preferences, are sufficient.  It is not our role to opine on this important policy issue.  We merely hold that section 1747.08 does not govern online purchases of electronically downloadable products because this type of transaction does not fit within the statutory scheme.

We review de novo questions of statutory construction.  In doing so, “ ‘our fundamental task is to “ascertain the intent of the lawmakers so as to effectuate the purpose of the statute.” ’ ”  (Mays v. City of Los Angeles (2008) 43 Cal.4th 313, 321.)  As always, we start with the language of the statute, “giving the words their usual and ordinary meaning, while construing them in light of the statute as a whole and the statute’s purpose.”  (Pineda, supra, 51 Cal.4th at pp. 529–530.)

At the outset, we observe that the text of section 1747.08 makes no reference to online transactions or the Internet.  This is not surprising because former section 1747.8, section 1747.08’s predecessor, was enacted in 1990 (Stats. 1990, ch. 999, § 1, p. 4191), before the privatization of the Internet (see Frischmann, Privatization and Commercialization of the Internet Infrastructure: Rethinking Market Intervention into Government and Government Intervention into the Market (2001) 2 Colum. Sci. & Tech. L.Rev. 1, 20) and almost a decade before online commercial transactions became widespread (see, e.g., McDonough v. Toys “R” Us, Inc. (E.D.Pa. 2009) 638 F.Supp.2d 461, 468); we think the text of section 1747.08(a) alone is not decisive on the question before us.  The statutory language suggests that the Legislature, at the time it enacted former section 1747.8, did not contemplate commercial transactions conducted on the Internet.  But it does not seem awkward or improper to describe the act of typing characters into a digital display as “writing” on a computerized “form.”  In construing statutes that predate their possible applicability to new technology, courts have not relied on wooden construction of their terms.  Fidelity to legislative intent does not “make it impossible to apply a legal text to technologies that did not exist when the text was created. . . .  Drafters of every era know that technological advances will proceed apace and that the rules they create will one day apply to all sorts of circumstances they could not possibly envision.”  (Scalia & Garner, Reading Law: The Interpretation of Legal Texts (2012) pp. 85–86.).

The plain meaning of the statute’s text is not decisive.  An examination of the statutory scheme as a whole is necessary to determine whether it is applicable to a transaction made possible by technology that the Legislature did not envision.

While it is clear that the Legislature enacted the Credit Card Act to protect consumer privacy, it is also clear that the Legislature did not intend to achieve privacy protection without regard to exposing consumers and retailers to undue risk of fraud.  The legislative history shows that the Legislature enacted the statute’s prohibitions only after carefully considering and rejecting the possibility that the collection of personal identification information by brick-and-mortar retailers could serve a legitimate purpose such as fraud prevention.

As previously noted, section 1747.08(d) makes clear that nothing in the statute prevents retailers from requiring customers to provide positive identification — “which may include a driver’s license or a California state identification card, or where one of these is not available, another form of photo identification” — as a condition of accepting a credit card as payment.

The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product.  Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer’s photo identification.  Thus, section 1747.08(d) — the key antifraud mechanism in the statutory scheme — has no practical application to online transactions involving electronically downloadable products.  We cannot conclude that if the Legislature in 1990 had been prescient enough to anticipate online transactions involving electronically downloadable products, it would have intended section 1747.08(a)’s prohibitions to apply to such transactions despite the unavailability of section 1747.08(d)’s safeguards.

In his brief (but not in his complaint), Krescent argued that requiring a customer to provide his or her name, credit card number, card expiration date, and credit card identification number suffices to prevent fraud.  But it is clear that the Legislature has disagreed.  A customer’s name, credit card number, expiration date, and security code are all apparent to a “brick-and-mortar” retailer on the credit card itself when the card is presented during an in-person transaction.  Yet the Legislature expressly authorized retailers to request additional information — namely, a driver’s license, state identification card, or another form of photo identification — in order to combat fraud.  (§ 1747.08(d).)  The Legislature has thus decided that the information on the credit card is not necessarily sufficient by itself to protect consumers and retailers against fraud.

We have no occasion here to decide whether section 1747.08 applies to online transactions that do not involve electronically downloadable products or to any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer.

Although “statutory interpretation must be prepared to accommodate technological innovation,” this is only possible “if the technology is otherwise consistent with the statutory scheme.”  (Slocum, supra, 196 Cal.App.4th at p. 1652.)  Having thoroughly examined section 1747.08’s text, purpose, and history, we are unable to find the clarity of legislative intent or consistency with the statutory scheme necessary to conclude that the Legislature in 1990 intended to bring the enormous yet unforeseen advent of online commerce involving electronically downloadable products — and the novel challenges for privacy protection and fraud prevention that such commerce presents — within the coverage of the Credit Card Act.

We must conclude that online transactions involving electronically downloadable products fall outside the coverage of the statute (Cal. S. Ct., S199384, 04.02.2013, Apple v. Super. Ct.)

Cartes de crédit : protection des consommateurs : quelles informations peuvent-elles être collectées par les détaillants dans les cas d'achats en ligne de produits téléchargés par Internet ? La loi californienne sur la délivrance et l'usage des cartes de crédit interdit aux détaillants de demander ou d'exiger du détenteur de carte, comme condition d'acceptation d'un paiement par carte de crédit, des informations écrites portant sur l'identification de la personne du détenteur de carte. Le code postal de domicile constitue une telle donnée d'identification de la personne. La loi californienne en question ne s'applique pas dans le cas d'achats de produits qui peuvent être téléchargés électroniquement. C'est au législateur d'intervenir s'il souhaite modifier cette situation. Par ailleurs, d'autres lois californiennes et le droit fédéral apportent déjà un certain degré de protection en faveur du consommateur pour prévenir une divulgation ou un usage non souhaité de données d'identifications personnelles. Dans les cas où la loi sur les cartes de crédit s'applique, les détaillants peuvent tout de même demander au client d'établir son identité par exemple à l'aide du permis de conduire. Une telle possibilité de s'assurer de l'identité du client (pour prévenir une fraude) n'existe pas dans le cadre de détaillants qui vendent un produit à télécharger sur Internet. Bien que l'interprétation d'une loi doit être mise en œuvre pour tenir compte de l'innovation technologique, cela n'est possible que si la nouvelle technologie est compatible avec le système de la loi en question. A la lumière du droit applicable, de son histoire législative et de son but, la Cour ne peut appliquer les principes de protection des consommateurs prévus dans le Credit Card Act aux transactions impliquant l'achat par Internet d'un produit qui peut être directement téléchargé en ligne.