The digital marketplace is facing a new legal challenge that could reshape the online checkout experience.
Class-action lawsuits targeting the near-universal practice of asking for an email address during checkout online are on the rise. As we previously reported, the summer started with a wave of class actions alleging violations of California’s Song-Beverly Credit Card Act for use of pixel tracking technology during checkout. Now, Massachusetts attorneys are getting into the game with a series of new lawsuits under Mass. Gen. Laws ch. 93, § 105 (“Section 105”), sometimes referred to as the Consumer Privacy in Commercial Transactions Act (or CPICTA).
Under Section 105, businesses that accept credit cards cannot write or require customers to enter personal identification information (“PII”) on the credit card transaction form, unless required by the card issuer. A new round of lawsuits alleges that online retailers violate Section 105 by asking for email addresses during checkout.
What is Section 105?
Enacted in 1991, Massachusetts’ Section 105, like California’s Song-Beverly Credit Card Act, governs merchants’ collection of PII at the point of sale. In a 2013 case interpreting the statute, the Massachusetts Supreme Judicial Court concluded that the Legislature’s “purpose was to safeguard consumer privacy and more particularly to protect consumers using credit cards from becoming the recipients of unwanted commercial solicitations from merchants with access to their identifying information.”
Section 105 provides, in relevant part:
No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.
A violation of the statute is considered an unfair and deceptive trade practice. An aggrieved individual may bring a civil action for the greater of actual damages or $25 (or treble damages for willful or knowing violations), injunctive relief, attorney’s fees, and costs.
When aggregated in a class action, these penalties can grow quickly.
What Do the New Complaints Allege?
Two law firms working in tandem recently filed at least four complaints against online retailers alleging violations of Section 105. The plaintiffs in each of the complaints allege that during checkout they're required to provide their email addresses in order to place an order. The plaintiffs allege that after they completed the checkout, they received unwanted email marketing, sometimes even if they didn't click an optional box to receive offers during the checkout. Each of the plaintiffs seeks to represent a class of all Massachusetts consumers who made a purchase on the websites using a credit card, and seeks statutory damages, injunctive relief, and attorney’s fees and costs.
What Are the Implications for Retailers?
In these cases, the plaintiffs naively allege that “there is no reason why a customer must provide their email address for a credit card transaction [because a] customer furnishes their shipping address for delivery, and they must also provide their phone number (presumably for communications).” Yet, email is often the fastest, least expensive, and most effective method to reach a customer about an order. Moreover, other forms of communication, like telephone, are strictly regulated. Therefore, if the plaintiffs’ arguments are accepted, the complaints could have a big impact on how online checkout looks and functions today.
Of course, it remains to be seen if these cases will be successful. For one thing, Section 105 includes as examples of PII addresses and telephone numbers, but not email addresses. This is because the statute was enacted in 1991, before email became ubiquitous, and there's nothing in the legislative record which suggests that the Massachusetts Legislature was concerned with email spam when it passed the law. It's also worth noting that in more than 30 years since the statute was enacted, the Legislature hasn't updated Section 105 to specifically include email addresses.
Likely, this issue will be resolved in the courts, not in the Legislature. Until then, what can online retailers do?
- Ensure that users who have created accounts agree to email marketing during the account creation process. Don't wait until the checkout page to obtain permission to send a commercial email.
- If a retailer uses a guest checkout, include an optional box for the user to click to receive email offers. If the user doesn't click the box, use the customer’s email for communications about the order only and refrain from sending email marketing.
- If a retailer wishes to arbitrate, ensure that consumers are required to click a box to agree to the retailer’s terms and conditions, both during account creation and at checkout. Review arbitration provisions in the terms and conditions to make sure that such disputes are within the scope of arbitrable issues.
- Consider conspicuously displaying privacy policies and capturing customer consent at multiple points in the website experience, including from the first page viewed by a customer via a pop-up banner or other notification and again at checkout.
Conclusion
As the legal landscape evolves, retailers should stay vigilant and consult with legal counsel to develop strategies and defenses. The outcome of these lawsuits could herald significant changes in online retail practices, making it crucial for businesses to adapt and protect themselves against potential legal challenges.
"Checkout Challenged: Navigating the New Wave of E-mail Address Lawsuits in Massachusetts," by Harrison Brown and Ana Tagvoryan was published in Total Retail on August 22, 2024.