The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

California Amends Song-Beverly Act

California recently amended its Song-Beverly Act (“Act”) to include a specific exception from its prohibition on collecting personal information during a credit card transaction. This exception allows collection of personal information (such as a zip code) by businesses in certain pay at the pump scenarios.   This law was filed with the Secretary of State on October 9, 2011, and went into effect immediately. This amendment was enacted as a result of the California Supreme Court’s decision in Pineda v. Williams Sonoma in February of this year. Our coverage of this decision can be found here.

Litigation continues in California in the aftermath of the Pineda decision. In August, the Superior Court of California, County of San Francisco, held that the prohibition on collecting and recording personal information under the Act did not apply to online transactions in Gonor v. Craigslist, concurring with an earlier federal court decision from 2009 (See Saulic v. Symantec Corp.)

Litigation has also been filed in other states that have laws similar to the Act. In Massachusetts, suit was filed against Michael’s stores in May. The plaintiff alleged that she made a purchase at a Michael’s store with her credit card, and provider her zip code during the sales transaction. She asserted that Michael’s then combined her zip code with other information to obtain her home address and sent her marketing materials. Plaintiff argues that this practice violates Mass. Gen Laws ch. 93 s. 105.

Similarly in New Jersey, suits have been filed in state and federal court regarding the collection of zip code at the point of sale. Plaintiffs argue that this practice violates NJSA 56:11-17. In September, a state court judge allowed a suit to move forward against Harmon Stores.  However, a federal judge came to the opposite conclusion about a week later and dismissed a class action based on this law.   For businesses that collect zip codes or personal information during credit card transactions, this issue will continue to be one to watch.

Leave a comment

9th Circuit Rules ECPA Applies to Foreign Citizens

On Monday, the Ninth Circuit announced its decision in Suzlon Energy Ltd. v. Microsoft Corp., — F.3d — (9th Cir. 2011), holding that the plain language of the Electronic Communications Privacy Act ("ECPA") applies to any person, including foreigners.

In Suzlon Energy, Suzlon Energy sought production of emails from Microsoft stored in the United States for use against an Indian citizen in a civil action in Australia. Initially the district court granted Suzlon Energy’s request, and in response, Microsoft filed an objection. The district court ultimately agreed with Microsoft and held that ECPA prohibited Microsoft’s disclosure of the emails.

The Ninth Circuit affirmed the district court’s decision, stating "[t]he Court finds that the plain language of the ECPA extends its protections to non-citizens. The Court is therefore obligated to enforce the statute as written."  The Ninth Circuit also examined the legislative history of ECPA, and found it did not "clearly refute" the plain language of the statute.  The Court cautioned however that ECPA’s protections only applied to information stored in the United States.

A full copy of the decision is located here.  It will be interesting to see what impact, if any, this decision has on the growing movement to modernize ECPA.