Skip to main content

The Unforeseeable Transaction: Apple Argues that the California Song-Beverly Credit Card Act Should Not Apply To Online Retailers

Written by Jake Romero

When is a gallon of gas like an iTunes track?  That may sound like a riddle from a Lewis Carroll novel, but it was one of the questions considered by the California Supreme Court during oral arguments in Apple v. Superior Court (Krescent) as Apple, Inc. attempted to persuade the Court that the Song-Beverly Credit Card Act of 1971, which prohibits retails from recording a customer’s personal identification information as a condition of accepting a credit card payment, does not apply to online retailers.

As used in Song-Beverly, “personal identification information” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.  In 2011, the Court held in Pineda v. Williams-Sonoma Stores, that, in the interest of advancing the privacy protection goals of Song-Beverly, the term “personal identification information” should be read broadly to include the ZIP codes of customers.  The suit brought against Apple was one of a number of class action suits filed shortly thereafter, arguing that Song-Beverly should apply to online merchants as well as brick-and-mortar stores.

Apple has argued that the Song-Beverly Act, originally passed in 1971 and last revised in 1991, could not have contemplated, and is ultimately incompatible with, online retail stores selling a downloadable service.  Section 1747.08 of the Act, Apple argues, seeks to establish a balance between privacy and fraud prevention, by authorizing retailers to require “reasonable forms of positive identification.”  Online retailers, Apple has argued, must be permitted to collect personal identification information because it is the only way for an online retailer to prevent fraud.  Counsel for Krescent has argued that when Song-Beverly was updated in 1991, credit card payments made over the phone were already common and, therefore, if the legislature had intended to exempt retailers other than brick-and-mortar establishments, they would have.

This brings the application of Song-Beverly back to the opening riddle.  In 2011, the California legislature amended Song-Beverly to exempt gas stations, under the rationale that gas stations have a legitimate need to prevent fraud which outweighs the risk of allowing gas stations to collect and record customers’ ZIP codes.  No such exemption was made for online retailers.  Therefore, counsel for Krescent has argued, Song-Beverly should apply to online retailers.  However, as reported by Scott Graham in The Recorder, during oral arguments Chief Justice Tani Cantil-Sakauye pointed out that the gas station amendment just as reasonably cuts in Apple’s favor.  A gallon of gas and a digital movie or song are similar because each is “immediately downloadable.  You’re not gonna ship it, you’re not gonna deliver it, you’re not gonna service it.”  The Chief Justice seems to imply that given the similarities between the products, the fact that the legislature failed to exempt online retailers along with gas stations may just as reasonably suggest that the legislature never intended Song-Beverly to apply to e-commerce.

Regardless of the outcome, the arguments raised highlight the ongoing difficulties involved with applying laws written prior to the broad expansion of the internet to our quickly-evolving online transactions.  Or, as Apple’s counsel more eloquently described it, laws that were written and passed “at a time when the idea of the Internet, much less purchasing music from the cloud on iTunes, would have seemed like the whimsy of a science fiction novelist.”

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.