Skip navigation
credit card Thinkstock

Risky business: Collecting personal information in credit card transactions

California consumer protection law creates liability hazard for restaurants

For the food-and-hospitality industry nowadays, protecting customers’ data can be as important, if not more so, than serving delicious food.

Many industry leaders have been sued for violations of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring customers’ personal identification information as a condition to accepting credit card payments. While email marketing campaigns can be an invaluable marketing tool, trying to collect too much data can land your bistro in hot water. 

California enacted the Song-Beverly Credit Card Act more than four decades ago with the goal of promoting consumer protection. California courts have found the act’s purpose is to protect consumer privacy and prevent the misuse of personal identification information for, among other things, “marketing purposes” — which is exactly why businesses want this data. They want to email you their weekly specials and happy hour deals!

The statute specifically prohibits merchants from requesting or requiring personal identification information as a condition of using a credit card. 

Courts have found that “personal identification information” includes a customer’s phone number, address and email. In other words, if a restaurant or diner asks for a customer’s email, phone number or zip code during the credit card payment process, it could open the restaurant to liability.

And liability is potentially huge — $250 for the first violation and $1,000 per each subsequent violation. That means if a restaurant requests a mere 100 emails a day, which is in violation of the act, within a couple of weeks the business could be facing more than a million dollars in potential liability — a very expensive electronic mailing list.

However, there are exceptions to the act’s prohibitions.

The act was enacted not just to protect consumer privacy but also to prevent identity theft. Therefore, businesses are permitted to request driver’s licenses before accepting their credit-card payments. Furthermore, return transactions are excluded, and customers’ addresses may be recorded if it serves a delivery purpose.

Additionally, the California Supreme Court has held that the act does not prohibit online retailers from requiring personal identification information as a condition for accepting credit-card payments for electronically downloadable products.

In the 2013 case Apple Inc. v. Superior Court, the court reasoned that because the act’s purpose is to protect consumer privacy and to facilitate fraud prevention, online retailers can request buyer identification as online businesses cannot access the information in person, unlike brick-and-mortar businesses. 

Notably, the court in the Apple case analyzed and ruled on the applicability of the act to online sales of items delivered electronically, but not on electronic sales that involve in-person delivery.

It was not until in a later case in 2015, Michael Ambers v. Beverages & More, Inc., that the California Supreme Court discussed the issue of online sales with in-person pickup of the sold item. The court ruled such sales are also exempt from the act.

Therefore, if a business allows customers to order items online for in-store pickup, the business can require the customer to provide his/her personal identification information at the time of pickup.

In a situation where the customer orders pizza or other food via an online app, however, the restaurant has more leeway to ask for personal identifying information to determine where to deliver that pizza, to prevent fraud, or to contact the guest to let them know their order is ready for pick up.

While cases have analyzed the act’s applicability to online sales with in-person pickup, there have not been any legal precedents discussing the law in relation to a burgeoning field of technology: ordering kiosks or touch screens.

Restaurants are slowly moving toward automated ordering procedures in order to minimize long lines and to cut costs of using human labor. Although these kiosks should make running a business easier, retailers may face significant legal problems if they require customers to input personal identification information using the kiosks.

For example, if a kiosk asks customers to input their telephone numbers or email before taking the customer to the payment screen, this procedure may breach the act.

Businesses can take precautions to minimize risks of running afoul of the act. One obvious procedure is to avoid requesting customer personal identification information — via kiosks or otherwise.

If this information is desirable for marketing purposes, restaurants should ask guests to sign up for mailing lists rather than request customers’ contact information on payment receipts or similar forms. Another precautionary measure is to notify customers that providing personal identification information is optional.

Given their high customer traffic, restaurants and other hospitality industry retailers can be prime targets for data privacy lawsuits, which makes it especially important for these businesses to stay informed of their consumer protection obligations. Failure to meet these obligations can result in tremendous liability.

Angela Hebberd is an attorney in Duane Morris’ Los Angeles office. Her practice focuses on general commercial litigation.

Constantine Mittendorf is a trial lawyer in Duane Morris’ San Francisco office.

Disclaimer: This article is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this article are those of the authors and do not necessarily reflect the views of the authors’ law firm or its individual partners.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.