Dangers of Data-Mining in California Restaurants: Song-Beverly Credit Card Act

Data is hugely important in running a successful restaurant today.  Targeted email marketing campaigns can be an invaluable marketing tool.  But trying to collect too much data can land your bistro in hot water.  California has specific laws limiting what data can and cannot be collected – restaurants need to be aware of these limitations or it can be very costly.

For example, California enacted the Song-Beverly Credit Card Act in order to promote consumer protection.   The Act’s purpose is to protect people’s personal privacy and personal identification information during credit card transactions.  California courts have found the Act’s purpose is to protect against the misuse of personal identification information for, among other things, “marketing purposes” – which is exactly why businesses want this data.  They want to email you their weekly specials and happy hour deals!

The statute specifically prohibits merchants from requesting or requiring personal identification information as a condition of using a credit card.  The key language of the Act is as follows:

… [no] corporation that accepts credit cards for the transaction of business shall … [r]equest, or require as a condition to accepting the credit card … personal identification information….

Courts have found that “personal identification information” includes a customer’s phone number, addresses, and even email addresses.  In other words, if a restaurant or diner asks for a customer’s email, phone number, or ZIP code during the credit card payment process, it could open the restaurant to liability under the Act.

And liability is potentially huge – $250 for the first violation and $1,000 per each subsequent violation.  That means if a restaurant requests a mere 100 email addresses a day in violation of the Act, within a couple of weeks the business could be facing over a million dollars in potential liability – a very expensive electronic mailing list.

The other day, I ate lunch at a fast casual restaurant chain.  Sure enough, in the middle of the credit card transaction came a request for my email address.  Businesses need to be very careful about how they collect, store, monitor, and use customer data.  The rules are tricky, and missteps can lead to disaster.