Apple’s Dispute Over iTunes Data Collection May Have Implications for the Future of Mobile Payments

This post was co-authored by Marion Bergeret, Berkeley Law LL.M. Candidate 2013, and Babak Siavoshy, Teaching Fellow, Samuelson Law, Technology & Public Policy Clinic. 

Last month the California Supreme Court heard oral argument in Apple v. Superior Court (Krescent), a consumer class action filed against Apple to contest the company’s collection of consumer personal information. The plaintiffs’ immediate target is online services like iTunes and the App Store, which they would like to see subjected to the same privacy laws as brick-and-mortar retailers. But the case may also have an impact on the privacy rights of customers using mobile payments apps like Square and Google Wallet.

At issue is the Song-Beverly Credit Card Act, a California law that prohibits retailers from asking for any “personal identification information” that is “unnecessary to the credit card transaction” as a condition for accepting a customer’s credit card payment.  The Supreme Court must decide whether the 1971 Act, which was last updated in 2011, precludes “online” retailers from collecting customers’ personal information—including address and telephone number—when processing credit card transactions.

Apple contends that it needs to collect this information to verify iTunes customers’ identities and prevent fraud. Unlike a brick-and-mortar retailer, Apple cannot ask its iTunes customers for physical means of identification (such as a driver’s license) in person. The plaintiffs claim, however, that while transactions that require shipping a physical good might justify collecting a home address, Apple does not need customers’ addresses because the goods are digitally delivered. The plaintiffs further suggest that there is little evidence that online merchants are actually using the additional personal data they collect to prevent fraud—or that the information collected is necessary to do so. According to plaintiffs, online retailers seek to use, share and aggregate the extensive personal data collected for marketing purposes, the very conduct Song-Beverly was enacted to curtail.

A less obvious, but equally important, impact of the Supreme Court’s decision is that it may change the privacy rules for customers making in-store purchases using cloud-based mobile payments apps like Google Wallet and Square. Though mobile payments transactions often occur face-to-face with a cashier, most mobile payments services currently store consumers’ personal and financial information in the cloud, which makes them very similar to online transactions. Mobile devices equipped with mobile payments applications are predicted to handle the majority of worldwide brick-and-mortar retail transactions by 2015, when they will reach over $670 billion in annual transactions.

A ruling that Song-Beverly applies to “online” transactions may extend the law’s protections to mobile payments transactions, and restrict the type of personal data mobile payment providers can collect. Data collection is a crucial part of the mobile payments business, as providers seek to bring the tracking capabilities of online commerce to consumers’ brick-and-mortar purchases. When consumers use Google- or Square-Wallet-equipped smartphones to make in-store purchases, they also send the provider a host of information about what they bought—and when, where, how, and why they bought it. The potential value of that information is a large part of what is driving investment in mobile payments.

On the other hand, a ruling in favor of Apple would sound the death knell for the protections of the Song-Beverly Act, which may no longer apply to the increasing number of credit card transactions that are processed “online,” either through Internet retailers (like iTunes and Amazon) or through in-store purchases made using mobile payments applications.  It would also potentially remove an obstacle to pervasive customer tracking by mobile payments providers, who—unlike traditional credit card companies—are subject to few direct regulations of their collection and use of consumers’ information.

The issue is almost certain to be on Apple’s radar, as the company is widely speculated to be readying to enter the data-rich mobile payments market.  The iPhone’s built-in Passbook app currently offers limited payment capabilities (i.e., mostly through prepaid cards or virtual gift cards). But with the credit card data of several hundred million consumers already on file (collected for purchasing on Apple’s iTunes and App Store), analysts predict Apple will update Passbook to enable consumers to make payments through the app in the near future.

Even after the Court comes to a decision about the application of Song-Beverly to online purchases, mobile payments services—because they are neither entirely online nor exclusively face-to-face—could be left in a regulatory grey zone. To avoid any lingering doubts, it may be time to modernize the Song-Beverly Act so that it covers the new threats to consumer information privacy raised by the use of cloud-reliant smartphones in brick-and-mortar purchases. Mobile privacy advocates at UC Berkeley have gone so far as to argue that the Act should be updated to explicitly regulate mobile payments providers’ use of consumers’ purchase and transaction histories for marketing purposes.

The California Supreme Court’s forthcoming decision may determine whether such legislative changes are necessary.  If the Court holds the Song-Beverly Act does not apply to online retailers, then the law may also exclude the growing number of mobile payments transactions that occur in brick-and-mortar stores.  As mobile payments become the norm, Californians may find that one of the state’s landmark privacy laws, the protection of which they have enjoyed for four decades, has become largely obsolete.