The California Supreme Court’s consideration of whether the Song-Beverly Credit Card Act applies to internet transactions exposed a deep tension in consumer privacy law: the same information that retailers collect to prevent fraud is also the information they use for targeted marketing. When the court took up Apple Inc. v. Superior Court (Krescent), it was deciding not just a narrow question about credit card transaction forms—it was drawing a line around how far California’s consumer protection statutes reach into the digital economy.
The Song-Beverly Credit Card Act
The Song-Beverly Credit Card Act, California Civil Code §§ 1747-1748.7, was enacted in 1971 and substantially amended in 1991. Among its provisions, the statute prohibits retailers from:
- Requesting that a cardholder write personal information on the credit card transaction form
- Conditioning a credit card transaction on a requirement that the cardholder provide personal information on the transaction form
- Using a pre-printed form that contains spaces for the cardholder’s personal information
The statute was designed to prevent brick-and-mortar retailers from collecting unnecessary personal information—phone numbers, addresses, ZIP codes—as a condition of credit card transactions. Retailers were collecting this information for marketing databases, not for transaction processing.
The Extension to Internet Transactions
The question before the California Supreme Court was whether Song-Beverly applies when a consumer purchases goods online. Apple argued that requiring billing address and other contact information during online transactions is necessary to prevent fraud, and that extending Song-Beverly to internet transactions would increase fraud by eliminating information used for verification.
Consumer rights advocates countered that retailers were collecting far more information than fraud prevention required, and that the information was being used primarily for marketing. The court had a closely analogous precedent to work with: in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011), the California Supreme Court had held that ZIP codes are personal information under Song-Beverly, and that Williams-Sonoma violated the Act by collecting ZIP codes at the point of sale. The court found ZIP codes were not necessary to complete credit card transactions and were used primarily for marketing.
The Court’s Resolution
The California Supreme Court ultimately held that Song-Beverly’s restrictions do not apply to online transactions where personal information is reasonably necessary to prevent fraud, fulfill the transaction, or comply with legal obligations. The court reasoned that online retail transactions present different fraud risks than in-person transactions, and that billing address collection for address verification service (AVS) purposes is a legitimate business need.
However, the court made clear that retailers cannot use transaction necessity as a justification for collecting information that is actually used for marketing. If a retailer collects information beyond what is needed for the transaction and uses it to build marketing profiles, the protections of Song-Beverly may still apply.
Implications for E-Commerce Retailers
For e-commerce businesses, the decision establishes that thoughtful data collection practices—collecting only what is genuinely needed for transaction completion and fraud prevention—are both legally safer and better privacy practice. Retailers should audit their checkout processes to ensure that required fields are actually necessary for transaction processing, and that their privacy policies accurately describe how collected information is used.
California has since enacted significantly stronger consumer data protections through the CCPA and CPRA. These statutes create affirmative consumer rights to know what information is collected and to opt out of certain uses, imposing obligations that go well beyond Song-Beverly’s transaction-specific restrictions.
Contact Revision Legal
Revision Legal’s e-commerce attorneys advise online retailers on compliance with California’s Song-Beverly Act, the CCPA, and related consumer protection statutes. Contact us to review your checkout data collection practices and ensure they meet California legal requirements.
CCPA and CPRA: The Comprehensive Framework That Followed
The Song-Beverly litigation was a skirmish in a larger war over consumer data privacy in California. The real escalation came with the California Consumer Privacy Act (CCPA), enacted in 2018, and the California Privacy Rights Act (CPRA), which amended and expanded the CCPA and created the California Privacy Protection Agency. Together, these statutes created the most comprehensive consumer data privacy framework in the United States.
For e-commerce businesses that sell to California residents, CCPA and CPRA compliance is not optional. Businesses that meet any of the statutory thresholds (annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households annually; or deriving 50% or more of annual revenue from selling consumer personal information) must comply with extensive notice, access, deletion, portability, and opt-out requirements.
What E-Commerce Businesses Must Do Under CCPA
CCPA imposes specific obligations on covered e-commerce businesses:
- Privacy notice at collection: Disclose the categories of personal information collected and the purposes for which it is used at or before the point of collection.
- Privacy policy: Maintain a comprehensive privacy policy that describes consumer rights and how to exercise them.
- Right to know: Respond to verified consumer requests to know what personal information has been collected about them.
- Right to delete: Honor verified requests to delete personal information, subject to specific exceptions.
- Right to opt out of sale/sharing: Provide a ‘Do Not Sell or Share My Personal Information’ link and honor opt-out requests.
- Data minimization (CPRA): Collect only personal information reasonably necessary for the stated purpose.
- Retention limits (CPRA): Retain personal information only as long as reasonably necessary.
The FTC and Federal Privacy Developments
While California has led the way on comprehensive state privacy legislation, the FTC continues to shape privacy practices at the federal level through Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. The FTC has brought enforcement actions against companies for collecting more data than disclosed in privacy policies, failing to honor stated data retention practices, and inadequately securing consumer data.
Congress has repeatedly considered comprehensive federal privacy legislation but has not enacted a statute. If federal legislation does pass, it may preempt state laws like CCPA, or it may permit states to maintain their own frameworks. E-commerce businesses must monitor this area closely.
Contact Revision Legal
California’s privacy landscape has grown significantly more demanding since the Song-Beverly litigation. E-commerce businesses that collect consumer data must maintain compliant privacy programs that address Song-Beverly’s transaction-specific restrictions, CCPA and CPRA’s comprehensive consumer rights framework, and the FTC’s deceptive practices standards. Revision Legal’s internet attorneys can audit your privacy practices and implement a compliance program tailored to your business model. Contact us today.
The evolution from Song-Beverly’s transaction-focused restrictions to CCPA’s comprehensive data rights framework reflects the broader trajectory of consumer privacy law in California and across the country. E-commerce businesses that understand and stay ahead of these requirements build customer trust and reduce regulatory risk. Contact Revision Legal today to audit your data collection practices and ensure compliance with applicable law.
California continues to set the national standard for consumer privacy protection. Businesses that serve California consumers must monitor not just the existing statutes but also the California Privacy Protection Agency’s ongoing rulemaking activity, which produces binding regulations on topics from risk assessments to opt-out mechanisms. Revision Legal’s privacy attorneys track these developments and help e-commerce clients implement compliance programs that account for both current requirements and anticipated changes. Contact us today.