A Costly Swipe: Examining ‘Point of Sale’ Acquisitions from a Compliance Perspective

Last month, while attending MAAWG: San Francisco, I visited the city’s historic Grant Avenue shopping artery. While making a purchase from one of the Avenue’s clothing retailers using my credit card, I was offered the option of having my receipt emailed to me. I agreed, gave my email address to the associate, signed for the purchase, and went back to the hotel one eco-friendly bag heavier. That very evening I received the promised in-store e-Receipt. Five (5) days later, I started receiving commercial emails from the retailer.

As a consumer, I was peeved with how casually my address was auto-consented into the retailer’s email marketing program with nary a word at the register. As a compliance professional, I wondered if the retailer realized that it likely violated California’s Song-Beverly Credit Card Act of 1971.

The U.S. District Court for the Central District of California noted that the Act’s main purpose is to address the misuse of personal information for marketing purposes and that it was “specifically passed with a brick-and-mortar merchant environment in mind.”1

If you collect email addresses at Point of Sale (POS) in California, here is what you should know about this historic consumer protection law:

  1. Song-Beverly prohibits businesses from collecting “personal identification information” during credit card transactions.
  2. The law defines PII as “information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”2 ‘Not limited to’ opens the window for ZIP codes3 and email addresses being covered under the law.
  3. California’s Supreme Court ruled4 that the statute does not apply to vending kiosks and online transactions involving credit cards, supporting the District Court’s assessment that the law focuses on in-store, non-cash PII collection.
  4. The statute gives a private right of action to credit card users, with civil penalties of up to $250 for the first violation and $1,000 for each subsequent violation, plus costs and legal fees.

As is often the case, risk mitigation begins with staff education and customer perception management, and flows into a smart approach to deliverability. It IS possible to collect PII at the counter in California given the following:

  1. Decouple PII collection from the credit card purchase. Ask the customer for their email address before taking their credit card or after they sign off on the purchase. Create a script for your sales associates to follow when requesting PII at the register.
  2. Consider using the credit card terminal or another touchpad device so that customers enter their email address themselves rather than giving it to the sales associate. The device should first prompt the customer to consent to receiving an in-store eReceipt and/or marketing communications, ideally before proceeding with the transaction, but it could be after as well.
  3. Be transparent about the commercial intent. A consumer who feels misled is more likely to complain and to seek redress under the state’s Song-Beverly or potentially other consumer protection laws. If following different scripts is a challenge, apply the same disclosure/request script for both credit and cash transactions.
  4. Send a welcome permission pass. Don’t assume that the customer wants anything more than an in-store eReceipt even if you can legally claim to have this right. You are looking for a loyal customer, not a courtroom victory. Let the customer make an informed decision at the counter or in a subsequent email. For example:
    • If the customer consents to the in-store eReceipt AND opts into your marketing messages at the register, send an ‘opt-out permission pass’ welcome email shortly after delivery of the e-Receipt to confirm their subscription status and to outline benefits of your email program. Be sure to include a clear and easy unsubscribe mechanism as well as a prominent link to your privacy policy.
    • If the customer ONLY consents to the in-store e-Receipt, send an ‘opt-in permission pass’ e-Receipt where you include a “subscribe to our marketing communications” link, button, or banner along with a link to your privacy policy.

Beyond risk of exposure in California, you should also be aware of related compliance considerations:

  1. CAN-SPAM: Requires senders to obtain affirmative (aka opt-in) consent from consumers who have previously unsubscribed from their commercial emails. If affirmative consent is not recorded at the point of collection, the address would need to be scrubbed against the appropriate unsubscribe list and suppressed.
  2. Primary Purpose: My in-store e-Receipt did not have an unsubscribe mechanism, postal address, or even a link to a privacy policy. Fortunately for the marketer, the email also did not contain any promotional content in the subject line or in the body copy, so it qualified under the CAN-SPAM Act ‘transactional or relationship’ message exemption. Yet the message could easily have been considered ‘primarily commercial’ under the FTC’s Final CAN-SPAM Act Rule if it contained any solicitous content in the subject line or if it was overwhelmed by up-sells, cross-sells or other commercial content.

With the above in mind, we can now clearly see what went wrong during my Grant Avenue shopping experience. The associate asked for PII during the credit card transaction and did not provide notice of marketing intent before or after the request. There was no transition from in-store e-Receipt to newsletter in the form of a welcome email permission pass and no efforts made to solidify the pre-existing business relationship.

I can appreciate the challenge in honoring both the spirit and letter of privacy laws at the register. We believe that following privacy best practices with respect to training, transparency, and permission management can make POS collection a fruitful practice, even in California. I welcome any comments, questions, or suggestions on this topic at privacy@cheetahmail.com.
1 Saulic v. Symantec Corporation, 596 F. Supp. 2d 1323 (C.D. Cal. 2006)
3 Reverse appending ZIP codes to postal information was determined by the California Supreme Court to be PII in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal.4th 524 (Cal. 2011)
4 Pineda v. Williams-Sonoma Stores, Inc.
