For twenty years now, the Song-Beverly Credit-Card Act has been quietly protecting Californians’ personal information — including home address and telephone numbers — from retailers who want to collect and store it for their own use. Last week the California Supreme Court, in a divided ruling (Apple v. Superior Court ex rel Krescent), held that the law doesn’t protect consumers who shop online for downloadable products. Right or wrong, the court’s reasoning needlessly reinforces the tired myth that privacy and security are incompatible.
The Song-Beverly Act prohibits retailers from asking for any “personal identification information” unnecessary to a transaction as a condition for accepting a customer’s credit card payment. Any doubt that the law plays an important role in protecting consumer privacy was put to rest last year, when Williams-Sonoma was successfully sued under the act for using zip code information collected during credit card transactions to dig up customers’ home addresses and “to market products to [them] and [possibly] also sell [their] information … to other businesses.”
Last week’s Supreme Court decision signals that online retailers get to do what brick-and-mortar retailers like Williams-Sonoma could not. The court held that the Song Beverly Act does not preclude Apple from collecting its iTunes customers’ addresses and phone numbers. In ruling so, the Court pitted consumer privacy against the need for security against fraud and identity-theft in online commerce. Privacy lost, as it usually does in these battles.
According to the court, “[w]hile the Legislature indeed sought to protect consumer privacy, it did not intend to do so at the cost of creating an undue risk of credit card fraud,” which the court said arises in online transactions. The court’s decision in all likelihood exempts most online retailers from the Song-Beverly Act’s information collection restrictions.
There is room for debate about the majority’s legal conclusion. But whether or not the ruling is right as a legal matter, it is problematic in the way it reinforces the myth that privacy and security are incompatible (the court characterizes the risk of identity theft as a “cost” of Song-Beverly’s privacy protections). The not-so-hidden policy judgment in the majority’s decision is that the interest in preventing credit-card fraud and identity theft justifies allowing online retailers to stockpile customer information.
It doesn’t. For one, fraud-prevention hardly explains why Apple and other online companies would need a customer’s telephone number, which isn’t necessary to complete a credit card transaction or to verify a customer’s identity. More importantly, when businesses over-collect, aggregate, and indefinitely store their customers’ personal information, they leave that information more susceptible to data breach and misuse—and therefore, to credit card fraud and identity theft.
Here’s a telling statistic from Symantec’s 2011 Internet Security Threat Report, which monitors the incidents of data breach worldwide: More than 232.4 million identities were exposed overall during 2011. Deliberate breaches mainly targeted customer-related information, primarily because it can be used for fraud.
According to Symantec, the most common types of identity information leaked in malicious data breaches was names, addresses and credit card numbers; accounting for one-third of the identities breached in 2011. While a relatively small number of data breaches affected the retail industry, that trend is likely to change as online retailers continue to gather massive amounts of personal information. It’s easy to see why allowing online businesses to indiscriminately collect customer data—leaving large stores of that data vulnerable to breach and disclosure—might not be the best way of stemming the rising costs of fraud and identity theft.
We don’t have to—and we should not—choose between protecting consumer privacy and reducing the risk of fraud and identity theft. In fact, preventing the needless collection of consumers’ personal information is an important tool (as part of a bigger toolbox) to protect consumers from privacy crimes. As outdated as the law may be, that is precisely the type of protection the Song-Beverly Act offers. It’s unfortunate, then, that the court used the risk of fraud and identity theft as its crutch in restricting the law precisely where consumers need privacy protections most.
The court was right in at least one respect: the California legislature should take this as an opportunity to step in and modernize the Song-Beverly Act. The law should be updated to cover new privacy and fraud risks raised by online retail, cloud-based mobile payments systems, and other developments in Internet commerce. Otherwise, Californians will continue to find that the protections they enjoy offline do not apply to their online activities.
 While the court restricted its holding to services that offer downloadable products, like iTunes or Amazon Music, the Court’s rationale would seem to apply to traditional online retailers offering remote credit card transactions (like Overstock.com, Amazon.com and yes, even Williams-Sonoma.com).
 The majority reasoned that online retailers cannot be subject to Song-Beverly’s restrictions on collecting personal information, because — unlike brick-and-mortar retailers—they cannot ask to see a customer’s driver’s license or other photo ID in an in-person credit card transaction. The dissenting justices called the decision “a major loss for consumers,” and argued that nothing in the language of the statute — which has been updated several times during the age of Internet commerce — exempts online credit card transactions from its restrictions. Indeed, even when the Song Beverly Act was first enacted (before the heyday of Internet commerce), its restrictions were meant to apply to mail order catalogs, which like online retailers require remote credit card transactions.
 Simpler solutions, like requiring pin numbers for credit card transactions, would go very far in protecting consumers without affecting their privacy.