News & Insights

California Supreme Court Decides Song-Beverly Credit Card Act of 1971 Does Not Apply to Online Transactions

Information Law and Privacy Update

Today the California Supreme Court issued its long-awaited opinion in Apple v. Superior Court (Krescent), holding that the Song-Beverly Credit Card Act of 1971 does not apply to online transactions relating to electronically-downloaded products. The Act, which prohibits retailers from collecting and recording a customer’s personal identifying information as a condition of accepting payment by credit card, was enacted prior to the advent of online commerce, and in today’s decision, the California Supreme Court held in a closely-divided opinion that the Legislature could not have intended the Act to apply to internet commerce relating to electronically-downloaded products.

In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores that the collection of a customer’s ZIP code at the point of sale was not necessary to complete a credit card sale at a physical store (as it was not required, such as for shipping the product) and thus collecting such data violated the Song-Beverly Act and improperly infringed on consumer privacy. That decision spawned more than a hundred lawsuits against brick-and-mortar stores alleging violations under the Act relating to collection of consumer information.

It was inevitable that the lawsuits would reach out to include the growing segment of online sales and, three months after Pineda, a plaintiffs’ firm filed three putative class actions against Apple, Ticketmaster and eHarmony, Inc., alleging that each collected personal information (including address and telephone number) in connection with online sales in violation of the Song-Beverly Act because the data was not required to ship a product. In particular, the plaintiffs alleged that the internet retailers collected the information for the purpose of marketing, rather than for some legitimate purpose. The trial court refused to dismiss the case, and the three online retailers petitioned for review to the California Supreme Court.

The primary policy issue considered by the Court was its role in balancing consumer privacy – given added breadth by Pineda – and fraud deterrence – especially given the large costs to consumer of credit card fraud and the fact that the Act was passed before internet commerce had been conceived. The Court, in its 4-3 decision, struck the balance in favor of supporting the Legislature’s view of fraud deterrence while still attempting to safeguard consumer privacy. Finding that the “safeguards against fraud that are provided in [the Act] are not available to the online retailer selling an electronically downloaded product,” see slip op. at 12, and that the Legislature had carefully considered such concerns in crafting the consumer protections in the Act, the Court concluded that “the Legislature could not have intended [the Act] to apply to this type of transaction.” Slip op. at 16.

While this outcome is welcome news to internet retailers, the Court’s opinion was divided and very narrowly tailored. The Court was careful to limit its opinion to online transactions relating to electronically-downloadable products, and specifically stated that it was not addressing whether its decision applies to other online transactions or “any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer.” Slip op. at 16.

That, in conjunction with the Court’s invitation to the Legislature to “revisit the issue of consumer privacy and fraud prevention in online credit card transactions,” see slip op. at 25, suggest that those engaged in e-commerce undertake certain steps. First, the Court has not abandoned its strong protection of consumer privacy, and the retailer’s use of the consumer information collected through e-commerce remains a key issue. In particular, the dissenting Justices strongly cautioned of the risk of “collect[ing] unlimited personal information concerning their credit-card-using customers and sell that information to, or share it with, other companies, which, for marketing purposes, can then construct detailed consumer profiles.” See Dissenting Opinion of J. Kennard, slip op. at 6. Businesses involved in e-commerce should ensure that the information they are collecting is used only for legitimate purposes in verifying purchaser identity, that they have robust online privacy statements and data protection provisions in place that are consistent with their actual practices, and that they are otherwise compliant with the California Online Privacy Protection Act of 2003.

Second, the Court was careful to limit the scope of its decision to online transactions involving electronically-downloaded products. E-commerce merchants of other products should review their online data collection practices and make any necessary adjustments to ensure ongoing compliance with existing law and this new decision.

Finally, the California Legislature has also demonstrated its broad support for consumer privacy, and there is a possibility, enhanced by the Court’s explicit suggestion, that today’s decision will result in the introduction of additional consumer privacy legislation that may affect e-commerce relating to residents of California.

The Information Law and Privacy Practice of Sidley Austin LLP

Sidley has been at the forefront of e-commerce privacy issues, and advises on online privacy statements, online data protection, and litigation involving data privacy and e-commerce issues. Sidley has also successfully defended against putative class actions involving alleged violations of the Song-Beverly Credit Card Act of 1971 in California courts. Sidley monitors state and federal legislative developments in this area, as well as agency regulations and investigative activities. We offer an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyberlaw. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. We frequently advise regarding HIPAA and Healthcare Privacy Issues.

Please Contact Us With Any Questions

Alan Raul

Ed McNicholas

Amy Lally

To receive future copies of this and other Sidley updates via email, please sign up at

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.