Problems at the register: retail collection of personal information and the data breach.

• Author: Blackmon, Glenn A.
• Position: California

CONTENTS INTRODUCTION I. CAPP V. NORDSTROM AND THE SONG-BEVERLY CREDIT CARD ACT A. Robert Capp Allegations and the Song-Beverly Credit Card Act B. Personal Identification Information and the Motion to Dismiss C. Conditioning the Sale and Summary Judgment D. The Evidence of Nordstrom's E-mail Capture Program II. MARKETING TOOL VS. DANGEROUS LIABILITY A. The Modern Retailer and the Benefits of Collection B. E-mail Addresses, Reverse Appending, and the Information Retailers Obtain C. "The Year of the Data Breach" III. PRIVACY AND RETAILER DISCLOSURE CONCLUSION INTRODUCTION

On December 21, 2012, Robert Capp entered a Nordstrom retail location in Roseville, California. (1) He picked out a couple items and then went to check out. (2) "In a ritual familiar to most shoppers," the cashier asked Mr. Capp for his e-mail address so that Nordstrom could send him the receipt for the transaction electronically. (3) Mr. Capp initially objected, but after some further prodding, he eventually gave the cashier his e-mail address, and the cashier entered it into Nordstrom's customer database. (4) If that had been the end of the interaction, Mr. Capp and Nordstrom would have gone their separate ways. However, Mr. Capp alleges that Nordstrom kept his e-mail ad dress and began to send him promotional e-mails. (5) What happened next probably took Nordstrom by surprise and definitely raised questions about the collection of e-mail addresses at the register. Using an obscure California law called the Song-Beverly Credit Card Act, (6) Mr. Capp and a group of plaintiffs brought a class action complaint against Nordstrom for their alleged collection of Personal Identification Information at the cash register. (7)

Collection of personal information has become a common occurrence at the register. Using rewards programs and other information capture programs, retailers large and small now collect tremendous amounts of personal information from customers in order to directly market to them later. (8) Some may ask, "What is the big deal?" Giving up your e-mail or other pieces of personal data can't really hurt. Promotional e-mails are a minor inconvenience at best. Many people, however, do not realize what disclosure of even a small piece of personal information can actually reveal. (9) This rise in information collection has been followed by a parallel rise in the number of data breaches. (10) Retailers are collecting more information and not doing enough to protect it. (11) This Comment analyzes the collection of e-mail addresses and other personal information by retailers in the context of Robert Capp's case against Nordstrom. It balances the benefits with the security concerns and proposes a solution that at least partially protects consumers' interests.

1. CAPP V. NORDSTROM AND THE SONG-BEVERLY CREDIT CARD ACT

   An e-mail address is a powerful marketing tool. It allows retailers to reach out to their customers directly with minimal intrusion. It is not surprising that retailers like Nordstrom aggressively seek out these e-mail addresses and market to them even more aggressively. (12) E-mail capture is now a normal facet of consumer life, and many customers reveal their e-mail addresses without giving it much thought. People have become accustomed to "the e-mail prompt." Unfortunately for Nordstrom, not all consumers appreciated its "Information Capture Policy." (13)

   1. Robert Capp Allegations and the Song-Beverly Credit Card Act

      Robert Capp's visit to a Nordstrom retail store was probably no different from millions of other visits during the 2012 holiday season. Mr. Capp walked into the Nordstrom location in Roseville, California, on December 21, 2012, to purchase a Christmas gift. (14) He picked up "two sweaters for [his] wife" and then went to check out. (15) Instead of going to a traditional register, a salesperson with a portable device called a mobile point of sale device ("MPOS") approached Mr. Capp and began to check out the two items he had chosen. (16) Although what exactly the salesperson said to Mr. Capp is in dispute, the salesperson rang up the two items, processed his credit card, and then asked Mr. Capp for his e-mail address so that Nordstrom could send him his receipt via e-mail. (17) Mr. Capp claims that he initially resisted this request but eventually gave it to the salesperson after she again asked him for the e-mail. (18) He then took his purchases and left the store. (19)

      That likely would have been the end of the encounter, except that Nordstrom allegedly retained his e-mail address. According to Mr. Capp, Nordstrom began to send him "purely promotional emails on a nearly daily basis." (20) He also contends that Nordstrom used his e-mail address to "reverse append and obtain other additional personal identification information" (21) and that he "has received a more generalized increase in email traffic from retailers indicating that Defendant may have shared or sold his email address to others without his permission." (22) Instead of just deleting the promotional e-mails from Nordstrom, Mr. Capp and a group of plaintiffs decided to bring a civil suit against Nordstrom for the collection of their personal information. (23)

      The case centers on an old California privacy law: the SongBeverly Credit Card Act. (24) The law was originally enacted in 1971 as a consumer protection statute. (25) "It made 'major changes in the law dealing with credit card practices by prescribing procedures for billing, billing errors, dissemination of false credit information, issuance and unauthorized use of credit cards.'" (26) The legislature then amended the statute in 1990 by including a new section addressing collection of personal information. (27) The legislature sought '"to address the misuse of personal identification information for, inter alia, marketing purposes, and [finding] that there would be no legitimate need to obtain such information from credit card customers if it was not necessary to the completion of the credit card transaction.'" (28)

      The pertinent section of the statute makes it illegal for anyone that accepts credit cards for the transaction of business ... [to] [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the... corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. (29) The Act then further defines Personal Identification Information ("PH") as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." (30)

      Capp's suit alleges that by requesting e-mail addresses to send e-mail receipts, Nordstrom illegally conditioned the credit card transaction on the receipt of personal information. (31) The collection might seem like a minor violation, but the statute provides for significant fines if Nordstrom is found liable. Under the code, a violator can be subjected to a civil penalty of $250 for the first violation and $1,000 for each subsequent violation. (32) If Nordstrom requested the e-mail ad dress of every customer that came into one of its stores, the potential penalty could be enormous.

   2. Personal Identification Information and the Motion to Dismiss

      With the civil penalties at stake, Nordstrom would have been wise to present a strong defense in their motion to dismiss. Their initial motion, however, completely missed the statutory argument. Instead of addressing the California law head-on, Nordstrom focused almost exclusively on preemption by federal statute. (33) It argued that the Controlling Assault of Non-Solicited Pornography and Marketing Act of 2003 (34) ("Can-Spam"), a federal law that regulates commercial e-mail, "expressly preempted] state laws regulating the collection and use of email addresses." (35) Only a single section even addressed whether an e-mail address constitutes personal identification information. (36) The district court was quick to notice the error. In an order to show cause, the court stated that the Defendant "essentially seeks an advisory opinion that a federal statute preempts a California statute--a California statute that Defendant contends does not apply." (37) The doctrine of constitutional avoidance requires federal courts to "avoid reaching a preemption issue if they can resolve the case on statutory grounds." (38) The court then ordered the Defendant to either show cause regarding why their motion to dismiss should not be denied or file a supplemental brief addressing this issue. Nordstrom chose the latter and submitted a new brief shortly thereafter.

      Nordstrom's supplemental brief addressed the deficiencies of its earlier brief by adding several new arguments. Central to their new position was the contention that an e-mail address does not constitute personal identification information under the statute. (39) The Defendant argued that an e-mail address does not specifically "identify" a customer and that even though an e-mail address can be used to contact a customer, it does not "identify the area in which a person lives or is geographically located." (40) The Defendant further argued that excluding e-mails would be "consistent with the legislative history of the statute and the historical circumstances of the time." (41) The California legislature did not consider the Internet when it enacted either the initial statute or amended it. (42) Extending the statute to "requests for email addresses for the purpose of sending e-receipts would be pure speculation, which is not the proper role of the courts." (43) The Defendant then added a couple more minor arguments to rounds out its position. (44)

      Unfortunately for the Defendant, even its new arguments could not save it from an adverse ruling. In a twenty-five-page order, the...