By Amy Lally and Leah Abeles, Sidley Austin LLP
A number of recent class actions highlight three California privacy laws that were rarely litigated a decade ago. Last month, courts in California approved settlements by Big 5 (In re Big 5 Sporting Goods Song-Beverly Cases) and Lululemon (Chaikin v. Lululemon USA Inc.) in California Song-Beverly Credit Card Act (the “Credit Card Act”) cases. In both cases, the retailers agreed to issue vouchers to a class of consumers who claimed their personal identifying information (“PII”) was collected when they paid by credit card.
The Credit Card Act prohibits retailers from recording consumers’ PII during credit card transactions. This includes collection of ZIP codes, email addresses and phone numbers. Some exceptions allow retailers to request PII for specific purposes such as shipping or fraud prevention.
In addition to the Credit Card Act, a spate of consumer class actions have been filed under the California Invasion of Privacy Act (“CIPA”), as well as the Shine the Light law (“STL”). While the Credit Card Act generally applies at the point of sale, CIPA more frequently comes into play during customer service calls. Among other things, CIPA prohibits certain phone calls from being recorded without consent. The STL, meanwhile, requires that businesses disclose, upon request, third party marketers with whom the company has shared a customer’s PII.
Although none of these statutory schemes are new, they had generated relatively few consumer lawsuits when enacted, perhaps because they are comparatively obscure state statutes. The recent increase in putative class litigation under these statutes can be attributed in part to the general proliferation of consumer class actions, and in part to increasing attention to privacy issues resulting from continuing advances in technology. Now, it appears the plaintiffs’ bar has discovered these actions can often generate lucrative settlements, including generous attorneys’ fee payouts.
For this reason and others, it is unlikely that such actions will abate, despite several recent court decisions favorable to retailers. In February 2013, for example, the California Supreme Court (Apple Inc. v. Super. Ct.) held that the Credit Card Act does not apply to online transactions for downloadable content. This decision represented a major victory for e-merchandise retailers and led at least one other court (Ambers v. Buy.com, Inc.) to determine that the Credit Card Act does not apply to any online purchases.
However, this triumph for e-retailers may be short-lived, as the California Legislature is poised to amend the Credit Card Act in response to the Apple decision. The proposed legislation, California Senate Bill No. 383, would bring online transactions for downloadable products within the Act’s scope, but would permit online retailers to collect certain PII if necessary to detect fraud or enforce the terms of sale, or if the customer opts in following certain disclosures. If the amendment passes, it will likely generate additional lawsuits against online retailers, especially until courts have had the opportunity to delimit the exceptions permitting PII collection.
In the realm of CIPA litigation, a California appellate court recently upheld a decision denying class certification in Hataishi v. First Am. Home Buyers Protection Corp. Under the law which prohibits recording “confidential communications” without consent, a consumer must have an objectively reasonable expectation that their call will not be recorded. The court held determining each customer’s reasonable expectation depended on the particular circumstances of her call with the defendant, including whether she was advised during past calls that her calls were being recorded. The court also said that a class could not be certified under section of the law which prohibits intercepting cell phone communications because a jury would have to resolve on a call-by-call basis whether the customer was using a cell phone.
While the Hataishi decision raises the question whether a CIPA claim could ever be appropriate for class treatment, it is unlikely to stem the tide of consumer privacy class actions if plaintiffs’ lawyers believe they can survive a motion to dismiss and then settle before having to litigate class certification. This is underscored by the recent decision in McCabe v. Six Continents Hotels, Inc., which denied a motion to dismiss a claim under section 632.7 based on a broad view of the statute’s intent requirement.
Retailers may have better success under the STL, however. A series of recent California court decisions (Boorstein v. CBS Interactive, King v. Conde Nast, Miller v. Hearst) solidified that a plaintiff must request or attempt to request information from the defendant before he has standing to bring an STL claim.
While putative class litigation under the Credit Card Act and CIPA appears likely to continue, retailers can identify steps to mitigate their exposure to such claims by keeping abreast of new developments in consumer privacy law, especially as the proliferation of class actions continues to generate new rulings and legislation.
Amy Lally is a partner and Leah Abeles is an associate in Sidley Austin LLP’s Los Angeles office. The views expressed in this article are exclusively those of the authors and do not necessarily reflect those of Sidley Austin LLP and its partners. Amy Lally can be reached at email@example.com and Leah Abeles can be reached at firstname.lastname@example.org.