Wednesday, October 3, 2007

FACTA Privacy Lawsuit Developments – Companies Sued for Online Credit Card Receipts

This month’s newsletter follows up on some developments in the FACTA credit card receipt class action suits that InfoSecCompliance LLC (“ISC”) explored in its April and June 2007 newsletters (What You Don’t Know Just Might Hurt You. – April 2007; FACTA Privacy Class Action Lawsuit Developments – Bad News and Good News for Merchants). Recently plaintiffs have filed lawsuits against companies displaying credit card receipts on the consumer’s computer screen (not printed on a paper receipt), and at least one court has denied a merchant’s motion to dismiss a case based on online credit card receipts. In other words, the FACTA credit card receipt prohibitions may not be limited to paper receipts.

FACTA Summary

As discussed previously by ISC, a rash of over 100 class action lawsuits have been filed alleging violation of the Fair and Accurate Transaction Act of 2003 (“FACTA”), which limits the information that can be shown on an electronically-printed credit card receipt to the last five digits of the credit card number, and prohibits printing a credit card’s expiration date on the receipt. FACTA specifically provides:

Except as otherwise provided in this subsection, no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.

* * *

(2) LIMITATION.—This subsection shall apply only to receipts that are electronically printed, and shall not apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.

15 U.S.C. 1681c(g) (emphasis supplied). A single willful violation of FACTA could result in damages ranging from $100 to $1,000 without the plaintiff having to establish that he or she suffered actual harm. Class plaintiffs are alleging hundreds of millions of dollars in statutory damages against such household names as Urban Outfitters, IKEA, Cost Plus and Toys-R-Us.

Recent Suits Filed Against Online Companies

In a complaint filed August 8, 2007 in the U.S. District Court for the Southern District of Florida, plaintiffs alleged that after they purchased iPods and other electronic equipment from Apple Computer Inc. online, the company provided receipts that included the full credit or debit card number used to make the purchase (Maria v. Apple Computer Inc., S.D. Fla., 1:07-cv-22040-AJ, complaint filed 8/8/07).

In addition, in a complaint filed in the U.S. District Court for the Southern District of Illinois, plaintiffs alleged they received receipts with their full payment card number information after they paid for hotel reservations and services online through a subsidiary of Expedia Inc. (Sutton v. Expedia Inc., S.D. Ill., No. 3:07-cv-00547-GPM-DGW, complaint filed 7/31/07).

These lawsuits may have been initiated because of a recent ruling against Stubhub Inc. in a FACTA lawsuit.

Stubhub Ruling: On-Screen Credit Card Receipt Qualifies as “Printed”

Stubhub, Inc., an online ticket broker, was sued for a violation of FACTA based on an electronically generated credit card receipt, and the plaintiff in that case survived a motion to dismiss the case. In July 2007, the U.S. District Court for the Central District of California ruled that a credit card expiration date appearing on an electronically generated receipt qualifies as “printed” for purposes of FACTA (Vasquez-Torres v. Stubhub Inc., C.D. Cal., No. CV 07-1328, motion to dismiss denied 7/2/07).

Since the term “print” was not defined in FACTA, Stubhub and the court looked to common dictionary usage for guidance on the definition. Stubhub cited Webster's Third New International Dictionary, which defines "print" in part as "to make an impression in or upon." The court held that even under Stubhub’s definition, Stubhub had “made an impression upon” a computer screen when it displayed the credit card expiration date. The court also cited Merriam-Webster's Collegiate Dictionary (10th ed. 2002, p. 924), which defined "print" as "to display on a surface (as a computer screen) for viewing."

In addition, the court held that its ruling was consistent with the purposes of FACTA: to prevent identity theft in all its forms. The court reasoned that a narrow interpretation limited to paper-printed records did not comport with the broad goals of FACTA in combating identity theft. The court stated that if Congress intended to exclude receipts printed on a computer screen, it could have explicitly done so as it did for the exclusion of “transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card.”


While some of the recent rulings on class certification may have slowed down the FACTA lawsuits for plaintiffs, the potential for lawsuits with respect to online credit card receipts poses considerable challenges to organizations. Just getting sued and having to incur substantial fees to defend the suit could be an expensive and distracting proposition. Companies, working with attorneys and IT professionals, should conduct an inventory of their online consumer systems to determine whether any of their websites or portals displays credit card confirmations or receipts with expiration dates or credit card numbers in excess of the last five digits. If such information is displayed, organizations should seek to technologically disable that display. In addition, service providers (e.g. ecommerce payment processors, hosters, application service providers) that may be working with companies displaying credit card information using the service provider’s systems, should consider informing their customers of FACTA and adding contract terms to protect themselves from FACTA liability.