California Supreme Court Finds That Apple Is Not Prohibited From Obtaining Personal Identification Information for Online Purchases

iStock_000000162568SmallCourt Makes a Distinction between Brick-and-Mortar Transactions

by Peggy Reetz

 On February 4, 2013, the Supreme Court of California issued its decision in the Apple v. Krescent case.  In June 2011, David Krescent (the original plaintiff) sued Apple on behalf of himself and a putative class, alleging violations of California’s credit card act (The Song-Beverly Credit Card Act).  The Act prohibits retailers from requesting or requiring as a condition to accepting credit card as payment that the cardholder write any personal identification information upon the credit card transaction form; and, the Act prohibits retailers from writing the personal information on the transaction form.

Krescent alleged that he purchased media downloads from Apple on various occasions and that, as a condition of receiving these downloads, he was required to provide his telephone number and address.  Krescent also alleged that Apple records each customer’s personal information but Apple is not required to collect a customer’s telephone number or address in order to complete the credit card transaction.  Even if a credit card processing company requires a valid billing address, under no circumstances would a customer’s telephone number be required to complete the transaction, Mr. Krescent argued.

Apple filed a demurrer arguing that the Credit Card Act does not apply to online transactions and also argued that a decision otherwise would undermine identity theft and fraud prevention measures.  The trial court overruled the demurrer – “the Act itself is silent on exempting online credit card transactions… [the Court is] not prepared, at the pleading stage, to read the [Credit Card] Act as completely exempting online credit transactions…”

The Supreme Court reviewed various exceptions to the prohibition on collecting personal data: cash advances, contractual obligations, in order to prevent fraud/theft by collecting zip codes at a self-serve gas station, special purposes like shipping, installation.  The Court noted that the Act does not prohibit requiring a cardholder to show a reasonable form of ID, as a condition to accepting credit card payments.

The Court noted that the Act makes no reference to online transactions, or even the Internet (having been enacted as of 1990).  The Court stated that the text of the Act alone is not decisive.   At the time the language was enacted, the Legislature did not contemplate commercial transactions over the Internet.  The Court reviewed California appellate cases that dealt with whether shield laws apply to digital media; or whether an electronic signature was appropriate for an initiative petition.  But, rather than analogizing too closely to the “new media” versus “old media” cases, the Court returned to the history/purpose of the Credit Card Act.

While the Act is intended to protect consumer privacy, the Legislature did not intend to achieve privacy goals without regard to risks for fraud.  The Court reasoned that the fraud safeguards available to a brick-and-mortar retailer are not available to an online retailer (the shopkeeper can inspect the signature, photo ID, etc.)   The Court ruled that the key antifraud provision in the Act has no practical application to online transactions involving electronically downloadable products.  Krescent conceded that Apple may need a valid billing address, if not a telephone number, to verify the credit card.  The Court believed the Legislature expressly authorized retailers to request additional information—a driver’s license, state ID card, or other form of photo ID- in order to combat fraud.

In that regard, the Court found it appropriate for Apple to collect such information to combat fraud (disagreeing with one of the dissenting justices, the majority found that the legislative history addresses the concern that there be some mechanism for verifying a cardholder’s identity).  Ultimately, the majority found that the Act did not apply to online transactions.  The Court was forced to reconcile these findings with its earlier decision in Pineda v. Williams-Sonoma, which decision found ZIP codes constitute personal identification information.  The Court noted the legislature subsequently carved out exceptions to the collection of ZIP codes, if used for fraud prevention purposes (pay-at-the-pump transactions, for instance).

Finally, the Court noted that the California Legislature has weighed the goals of regulating online privacy with concerns unique to online commerce.  COPPA, the California Online Privacy Protection Act of 2003, requires online services or Web site operators to post privacy policies and for those policies to address which categories of information  the operator may collect.  The Court also cited to the TCPA, stating that federal law likewise is supposed to protect the privacy interests of consumers (do-not-call registry and the like).  The Court closed the decision with a recitation of how significant e-commerce has become since the enactment of these statutes and invited the Legislature to revisit the issue of consumer privacy and fraud prevention in online transactions (just as the Legislature did in response to the Pineda decision).

The decision is at:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.