12.5.07 Gardere
Attorneys and Counselors

For information on the Gardere Retail Team, visit gardere.com/Retail.


This bulletin is provided as an informational service to clients and friends of the firm. It is designed to provide timely information and links to news relevant to the retail industry. We value your time and input, so please provide comments or questions to lcoleman@gardere.com (subject: Retail Team Alert).


Want to Avoid Privacy-Law Class Actions? 
FACTA Compliance is the First Step

By Barry M. Golden

Every time I use my credit card to pay for an item at a retail store, I always look to see if my receipt contains my credit-card number or expiration date (as opposed to something that looks like xxxx-xxxx-xxxx-xxxx).   If either appears on my receipt, I know that this retailer is a potential target for a privacy-law class action.

Under the Fair and Accurate Credit Transactions Act (FACTA), retailers are prohibited from printing on credit-card receipts more than the last five digits of the customer's card number or the expiration date. At last count, plaintiffs have filed more than 300 putative class actions alleging such violations of FACTA. For a federal statute as young as FACTA (effective as of 2004), that's already a lot of class actions.

In order to avoid becoming the next privacy-law class defendant, some retailers have instructed their stores to print customer receipts containing only the last five digits of the customer's card number. In other words, retailers have told their stores to comply with FACTA. Sounds like a sure-fire way to avoid class liability, right? Well, only partially.

Complying with FACTA without also complying with each and every individual state's privacy laws is like fixing the biggest hole in your leaky roof, while pretending that the smaller holes don't exist. You'll still end up with a very wet floor, and before long, you might be watching the entire roof collapse. Indeed, any retailer relying only on FACTA, without also implementing a compliance program for state-privacy laws, is easy pickings for the ambitious class plaintiff.

For example, in the states of Illinois, Michigan, Texas and Virginia, retailers printing the last five digits of a credit card number on a customer receipt would be in violation of state laws and risk being sued on a class-wide basis. How is that? Although FACTA allows for five digits on receipts, these states only allow four digits.

What about the retailer that has stopped printing credit numbers or expiration dates on customer receipts altogether? Is that retailer safe from being a privacy-law class defendant?  Not even close. A number of states maintain quirky statutes that are veritable class-action landmines. For example, in California, class plaintiffs have repeatedly sued retailers merely because the retailers gave their customers credit-card receipts containing preprinted spaces designated for addresses. In other states, including Illinois, New Jersey, and New York, retailers are at risk simply by giving their customers receipts that are not carbonless or are not perforated. Strange, I know, but true.

Ok. So, as the retailer, you've now stopped printing credit numbers or expiration dates on customer receipts; you've ceased using credit-card forms with preprinted spaces designated for addresses; and you've trashed those carbonless and non-perforated receipts. Can you finally sleep well at night, knowing that you are in full compliance with privacy laws? Unfortunately, no.

There are still many other privacy-law traps.  For example, allowing cashiers to ask customers at the point of sale to provide their addresses or telephone numbers is a bad idea.  That type of act can lead to class actions in more than a dozen states, including California, Massachusetts, New York, Pennsylvania, Kansas, New Jersey, Oregon, Rhode Island, Wisconsin, Delaware, District of Columbia, Minnesota, Ohio, Maryland and Nevada.

In terms of privacy-law compliance and avoidance of class actions, everything mentioned above only scratches the surface. The bottom line is that a retailer should not fool itself into believing that complying with FACTA will prevent privacy-law class actions. Rather, FACTA compliance should serve merely as a retailer's starting point, and should be followed with a thorough analysis of the privacy statutes in each and every state in which the retailer does business.

Barry Golden is a partner at Gardere and a member of the Retail Industry Team where his practice focuses on complex commercial litigation, principally in the areas of intellectual property, computer technology, antitrust and class actions. Please email Barry if you have questions or would like more information about this article.


This newsletter is not intended to establish an attorney-client relationship. All information contained in this newsletter is general and does not constitute legal advice. This material is presented with the understanding that it does not constitute legal service or advice to any particular reader. In no event will the authors, the reviewers or Gardere Wynne Sewell LLP be liable for any direct, indirect or consequential damages resulting from the use of this material.


This email was sent by: Gardere Wynne Sewell LLP
1601 Elm Street, Suite 3000, Dallas, Texas 75201