Retail Risks: Federal Lawsuits On Credit And Debit Card Receipts Targeting Retailers Highlights Dangers Companies Face When Dealing With Personal Information
Class Actions allege that printing of expiration date on customer receipts violate Fair Credit Reporting Act; Federal and State laws provide multiple minefields for retailers
Recent class action lawsuits filed against high profile retailers alleging the printing of receipts containing data that violates the federal Fair Credit Reporting Act highlights the need for companies to be vigilant in following federal and state consumer privacy laws, says Bradley Muro, a partner at Danziger, Danziger & Muro LLP.
"Retailers are putting themselves at great financial risk by failing to follow the guidelines that prohibit the collection or dissemination of even basic personal information from customers in many circumstances," said Mr. Muro, who has formulated privacy protection policies for a number of major retailers. "Previously, there have been a number of lawsuits filed under state law, mainly focused on California. The Fair Credit Reporting Act laws now means that retailers face potential for a suit in any of the 50 states."
One such class action suit, for example, recently filed in Santa Ana Federal District Court in California, alleges that Oakley, Inc. printed receipts containing a credit or debit card's expiration date. The Fair Credit Reporting Act, which went into effect on December 4, 2006 for cash receipts machines that were built before 2005 and January 1, 2006 for machines that were built after January 1, 2005, prohibits the printing of receipts containing a card's expiration date or more than the last five numbers from the credit or debit card used for a purchase.
Under the rules of the Fair Credit Reporting Act, the retailers face fines ranging from $100 to $1000 for each individual violation, in addition to possible punitive damages, and attorneys fees.
"Many stores use older credit machines that automatically print this information," said Mr. Muro. "Based on sheer volume, the cost of a verdict against the company could result in multi-million dollar fines. This case is a perfect example of the danger retailers face if they do not look careful examine the plethora of consumer privacy laws that have cropped up in recent years."
Mr. Muro noted that state laws are also quite restrictive, and cited the cases of several retailers in California who spent hundreds of thousands of dollars settling lawsuits (before they paid their own attorneys) involving violations of California's strict personal information laws. California, New York and many other states prohibit the collection of, or even the request for, personal information in connection with a credit-card transaction. Personal information includes a person's address, phone number and any other personal information that is not on the face of the credit card. The laws are so restrictive that businesses cannot even use credit-card forms that contain blank spaces where one would ordinarily fill in an address or a phone number, even if the forms are not filled in or the blank spaces are not labeled.
There are certain exceptions when the collection of such personal information is deemed appropriate, such as for delivery, deposits or special orders, but there is no legislatively established safe harbor for avoiding liability in the collection of personal information in credit-card transactions if the collection is not required for some other legitimate business purpose.
Civil fines are expensive — up to $250 for the first violation and $1,000 for each subsequent violation. But that is the tip of the iceberg. California, for example, gives individual plaintiffs a private right of action to enforce the fines.