In California, the Song-Beverly Credit Card Act forbids merchants from asking for "personal information" when a customer uses a credit card to make a purchase. Addresses and telephone numbers are clearly covered by Song-Beverly. Zip codes are not, per Party City Corp v. Superior Court, 169 Cal.App.4th 497 (Cal. Ct.App. 2008).
How about e-mail addresses? Are they "personal information" forbidden to be collected by Song-Beverly? And if e-mail addresses are regulated by Song-Beverly, then is this aspect of Song-Beverly preempted by the federal CAN-SPAM Act?
Yesterday, in the case of Powers v. Pottery Barn Inc., D054336 (Cal. Ct.App., Sept. 21, 2009), a California intermediate appellate court ruled that the CAN-SPAM Act does not preempt a cause of action alleging that Song-Beverly was violated when a merchant (Pottery Barn, in this case) asked for and received the plaintiff's e-mail address during the course of a credit card transaction. CAN-SPAM does not preempt state laws of general applicability that only incidentally regulate e-mail, the court said. "Because Song-Beverly's regulation of what may be asked of credit card customers is not a regulation of what can be sent in commercial e-mails and is not in any manner specific to e-mail, we conclude Song-Beverly is not pre-empted by CAN-SPAM."
So the plaintiff's lawsuit, which seeks class status, lives on. As for the preliminary question of whether e-mail addresses are in fact "personal information" under Song-Beverly, the court didn't make a conclusive ruling on this point. It said that the record wasn't sufficiently developed to decide the question, adding that the allegations in the complaint were sufficient to avoid summary dismissal of the case. So the parties are free to fight this one out in a future hearing.
This could be a close question. E-mail addresses are generally considered -- see HIPAA, COPPA, GLBA here and PIPEDA in Canada -- to be personal information; but ... one leading federal privacy proposal, H.R. 2221 (the DATA Act), excludes e-mail addresses from its definition of personal information. State-law definitions are all over the map. And of course Song-Beverly does not specifically include e-mail addresses within its definition of personal information because, as the court pointed out, California lawmakers did not have e-mail regulation in mind when they wrote the law.
Finally, the court turned back Pottery Barn's claim that Song-Beverly's restriction on its ability to collect customer e-mail addresses violates the First Amendment. The court acknowledged Pottery Barn's First Amendment right to collect e-mail addresses, but added that this right was overcome by the state's "well-established and substantial" interest in protecting the privacy of its citizens. Marketers have lately been asserting a First Amendment right to access commercially valuable data, though without much success so far. A recent example I blogged about was IMS Health Inc v. Ayotte, in which the First Circuit turned back a First Amendment challenge to a New Hampshire law banning the sale of prescription drug information that identifies doctors' prescribing patterns. The U.S. Supreme Court declined June 29 to review the case.
Comments