California Privacy Law Not Preempted by CAN-SPAM Act

On September 21 a California state court found that the federal CAN-SPAM Act of 2003 does not preempt California’s state privacy law regarding the collection of an e-mail address during a credit card transaction.

In the case Powers v. Pottery Barn Inc., the court ruled that a putative class action against Pottery Barn could go forward under California’s Song-Beverly Credit Card Act. The Act prohibits retailers from asking for “personal information” when a customer purchases an item with a credit card. Although addresses and telephone numbers are clearly covered, ZIP codes are not. When the Act was passed in 1971, e-mail did not exist.

CAN-SPAM, which regulates the sending and content of commercial e-mails, does not preempt a state law that only incidentally regulates e-mail, the court said. “Because Song-Beverly’s regulation of what may be asked of credit card customers is not a regulation of what can be sent in commercial e-mails and is not in any manner specific to e-mail, we conclude Song-Beverly is not pre-empted by CAN-SPAM.”

The court did not address whether e-mail addresses constitute “personal information” under Song-Beverly, finding only that the allegations in the complaint were sufficient to avoid summary dismissal. The question could be a close one. Although e-mail addresses are considered personal information under a number of federal privacy laws, including HIPAA, COPPA, and Gramm-Leach-Bliley, one leading federal privacy bill, H.R. 2221 (the DATA Act), excludes e-mail addresses from its definition of personal information.

The court also rejected Pottery Barn’s claim that the First Amendment protects its right to collect customer e-mail addresses, finding that any such right was outweighed by the state’s “well-established and substantial” interest in protecting the privacy of its citizens. Lately marketers have been asserting a First Amendment right to access commercially valuable data, though so far without much success. For instance, in the recent case of IMS Health Inc. v. Ayotte, the First Circuit rejected a First Amendment challenge to a New Hampshire law banning the sale of prescription drug information that identifies doctors’ prescribing patterns.

Why it matters: This lawsuit may be a harbinger of a wave of copycat complaints to come. It sends a signal to plaintiffs’ lawyers that at least some courts may consider that CAN-SPAM does not necessarily preempt state law-based privacy claims over the practice of collecting e-mail addresses in various circumstances. Certainly, collecting an e-mail address is almost automatic in making a credit card purchase online, since retailers typically use the customer’s e-mail address to send a confirmation.