Ninth Circuit Rules that Emailed Receipts Do Not Trigger the Identity Theft Provisions of the Fair and Accurate Credit Transactions Act

June 2, 2011

With its May 24, 2011 decision in Simonoff v. Expedia, Inc., No. 10-3559 (9th Cir. May 24, 2011), the United States Court of Appeals for the Ninth Circuit joined a growing majority of courts that have concluded that important portions of the Fair and Accurate Credit Transactions Act ("FACTA") do not apply to receipts that are sent to consumers only through the Internet.

Shortly after FACTA went into effect in December 2006, plaintiffs’ firms filed numerous class action suits against well-known companies alleging, among other things, that companies commit FACTA violations when they transmit transaction receipts by email that contain more information than the statute prescribes for "electronically printed" receipts.  This has given rise to the concern that FACTA may have the effect of curtailing modern mobile e-commerce (driven by explosion in the popularity of smart phones and tablet computers) merely because the printing of receipts is becoming an outmoded process.  The Ninth Circuit’s decision in Simonoff cements the developing consensus that FACTA should be applied as written, and should not be used to create prohibitions that Congress did not explicitly authorize.  Because FACTA provides for substantial damages against companies that do not comply with its privacy protections, however, companies must continue to evaluate their processes for the collection, use, and disposal of consumers’ data to ensure compliance with FACTA and other data privacy and consumer protection laws.

Background

In 2003, Congress passed FACTA, an amendment to the Fair Credit Reporting Act, to combat identity theft.  In particular, FACTA provides that merchants who accept credit and debit cards must refrain from "print[ing] more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction."  15 U.S.C. § 1681c(g)(1).  While the law exempts transactions where the "sole means of recording a . . . . card account number is by handwriting or by an imprint or copy of the card" (i.e., carbon paper credit card sales slips used with a manual imprinter), any "electronically printed" receipts must comply with FACTA’s data-limitation requirements.  Id. § 1618c(g)(2).  The question addressed by the Ninth Circuit was whether email receipts are "electronically printed" receipts under FACTA.

The facts of the case are straightforward.  Expedia, Inc. operates a well-known Internet travel website.  In September 2008, Dimitriy Simonoff purchased travel services through Expedia’s web site.  Simonoff, slip op. at 6803; Brief of Appellant at 5.  Expedia then emailed Mr. Simonoff a receipt, which included the expiration date of his credit card.  Simonoff, slip op. at 6803.  Mr. Simonoff claimed that this email receipt violated FACTA.  Id.  Like the majority of lower courts to decide the issue, the district court in Simonoff concluded that FACTA does not apply to email receipts and granted Expedia’s motion to dismiss.  Id.

The Ninth Circuit’s Decision

The Ninth Circuit affirmed the district court’s decision, holding that receipts emailed to a customer are not "electronically printed" and, as a result, do not violate FACTA’s data-limitation provision.  Conducting a detailed statutory analysis, the court found the plain meaning and the context of the terms "print" and "electronically printed" in the statute, as well as the statute’s structure, limits the application of FACTA to hard-copy receipts issued at the point of sale, not receipts sent via email.  The decision closely tracked the Seventh Circuit’s prior consideration of FACTA in Shlahtichman v. 1-800 Contacts, Inc., 615 F.3d 794 (7th Cir. 2010), cert. denied, 131 S. Ct. 1007 (2011).  Both courts roundly concluded that to "print" a receipt requires that it be "printed on paper or another tangible medium."  Simonoff, slip op. at 6809-11; Shlahtichman, 615 F.3d at 798-99.  Indeed, the Ninth Circuit adopted in whole the Seventh Circuit’s explanation that when a judge "asks a law clerk to print a case," the judge’s "intent [is not] for the clerk to merely display the case on his computer screen."  Simonoff, slip op. at 6809 (quoting Shlahtichman, 615 F.3d at 799).  The Ninth Circuit expanded on this conclusion, noting that while technology has changed since "Mesopotamian cuneiform writing on clay cylinders . . . .  [n]obody says, ‘Turn on your Droid (or iPhone or iPad or Blackberry) and print a map of downtown San Francisco on your screen.’"  Id. at 6803.  Importantly, the court took note of the fact that "Congress could have applied FACTA to ‘electronically printed or transmitted‘ receipts, to ‘electronically printable‘ receipts, or to ‘electronically displayed’ receipts [but] chose not to do so."  Id. at 6810 (emphases in original).  The Ninth Circuit also noted that the implementation provision of FACTA relates to a "cash register or other machine or device" and applies "only to those devices that generate receipts ‘at the point of the sale or transaction,’" which the court held "furnishes additional evidence that a ‘printed’ receipt is one given to the customer in a tangible form" during "face-to-face transactions that take place in a ‘bricks-and-mortar’ store" and "excludes machines that do no more than electronically display information."  Id. at 6911-12.

Broader Significance

FACTA is a frequent vehicle for class action litigation against well-known companies.  Indeed, the Fair Credit Reporting Act overall provides for substantial potential damages in the event of a "willful" violation, permitting a plaintiff to recover, without any showing of loss, up to $1,000 in statutory damages per violation plus possible punitive damages and attorney’s fees.  15 U.S.C. § 1681n(a).  Moreover, the Supreme Court has explicitly held that a defendant commits a "willful" violation of the statute if it acts recklessly.  Safeco Ins. Co. v. Burr, 551 U.S. 47 (2007).  Accordingly, companies must continuously evaluate their compliance with FACTA and other data privacy protections in light of the rapidly changing technologies used by consumers.

Although the Court of Appeals found that its obligation to construe a statute "liberally" to effect the relevant Congressional intent did not change the outcome in this case because of the clarity of the words chosen by Congress,  Simonoff, slip op. at 6813, there is no doubt that Congress and the courts remain concerned about the unnecessary distribution of consumers’ credit card information, given lawmakers’ overall concern with data privacy and the prevalence of identity theft.[1]

In addition, as the Ninth Circuit noted, FACTA could trip up merchants that, at the customer’s option, use devices to generate either a paper receipt in the store or send an email receipt.  Simonoff, slip op. at 6812 n.6.  As a result, merchants that offer consumers a choice of receipt formats, i.e., email or printed receipt at the point of sale, should err on the side of caution, and ensure their receipts will be FACTA compliant, no matter which option a consumer may choose.



[1] See, e.g., bills pending as S. 799, 112th Cong. (2011) (Sens. John Kerry and John McCain) ("The Commercial Privacy Bill of Rights Act of 2011"); H.R. 611, 112th Cong. (2011) (Rep. Bobby L. Rush) ("Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act"); H.R. 654, 112th Cong. (2011) (Rep. Jackie Speier) ("Do Not Track Me Online Act").  See also TracReports (February 2011), http://trac.syr.edu/tracreports/bulletins/white_collar_crime/monthlyfeb11/fil/  (noting that  nearly 15% of all federal white-collar prosecutions involve a charge of identity theft, and "aggravated identity theft" is the lead charge in 54% of white collar cases brought in federal magistrate courts).

Gibson, Dunn & Crutcher LLP  

Gibson, Dunn & Crutcher’s Information Technology and Data Privacy Practice Group has extensive experience in information technology and data privacy matters and regularly represents many leading companies in a variety of privacy contexts, ranging from compliance with relevant privacy regulation to broad-scope representations involving regulatory scrutiny, litigation, and law enforcement interest.  Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these issues.

Please contact the Gibson Dunn lawyer with whom you work, the authors of this alert, Howard S. Hogan (202-887-3640, [email protected]) and Jeremy Joseph (202-955-8218; [email protected])in Gibson Dunn’s Washington, D.C. office, or any of the following co-chairs of the Information Technology and Data Privacy Practice Group:

Debra Wong Yang – Los Angeles (213-229-7472, [email protected])
M. Sean Royall – Dallas (214-698-3256, [email protected])
Alexander H. Southwell – New York (212-351-3981, [email protected] 
S. Ashlie Beringer – Palo Alto (650-849-5219, [email protected])

© 2011 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.