Are Online Screen Shots Electronic Receipts for Purposes of the Federal Law Known As FACTA? Why the Right Answer Is "No" |
|
By ANITA RAMASASTRY |
|
Wednesday, December 29, 2010 |
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) prohibits merchants that accept credit cards or debit cards for payment "from "print[ing] more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." However, this prohibition -- which is sometimes called FACTA's "truncation requirement"-- applies only to receipts that are "electronically printed."
Unfortunately, Congress did not spell out what "electronically printed" means in this context -- which has left lawyers and consumers wondering whether FACTA applies when purchase confirmations are viewed or received online. If an e-commerce merchant includes a credit card number or expiration date in a screen shot, has the merchant violated FACTA?
In a recent case involving an online rental, the court answered "No." Taking a common-sense approach to the statute, the court held that the online screen shot was not an electronically printed receipt, so that FACTA did not apply. The court therefore dismissed the case.
In this column, I will discuss why I believe that this case and another recent decision that also refused to apply FACTA to e-commerce were correctly decided. However, I will also contend that -- especially as transactions increasingly are conducted online -- merchants would be wise to conform their online practices regarding confirmations and receipts to their offline practices, whether the law requires them to do so or not.
Some Background on FACTA: Its Purpose and Its Penalties
With the growing use of credit cards and debit cards -- especially at point-of-sale terminals -- receipts have become more than merely the documentation of purchases. They also provide information about a consumer and his or her credit accounts. Such receipts can thus be used by an identity thief or a "dumpster diver" who is seeking to steal credit-card numbers and expiration dates in order to make unauthorized purchases.
Ideally, consumers would keep and shred their receipts, but in practice, many do not. Moreover, businesses may keep receipt copies, presenting another possible security gap. Accordingly, in recent years states have begun passing laws prohibiting the inclusion of certain data on credit-card and debit-card receipts. And, in 2003, the federal government passed FACTA, which amends the Fair Credit Reporting Act (FCRA).
What happens if a merchant violates FACTA? A plaintiff may recover statutory damages (without being required to provide any proof of injury) of $100 to $1,000 per violation, without limitation, but only if the violation of the statute was willful. Thus, large businesses could face stiff penalties if they generated thousands of improperly formatted receipts daily.
Can a Web Screen Shot Count as a Receipt Under FACTA? Two Key Court Precedents
As described above, FACTA applies to electronically-printed receipts that are provided to the customer. It's obvious that such receipts include the printouts that consumers typically receive at point-of-sale terminals. But what about online receipts presented to the customer via screen shot -- including "order confirmation" pages, and "your order has shipped" messages? Do these also count as electronically-printed receipts under FACTA? I will discuss two recent suits that raised the question.
The first suit, Kelleher v. Eaglerider , Inc. was filed in the U.S. District Court for the Northern District of Illinois. The suit arose as follows: James Kelleher and Yoav Yaakoby each separately used the web to reserve a rental motorcycle from Eaglerider, Inc. At the end of the reservation process, the plaintiffs allege, they saw a booking confirmation that included their credit cards' expiration dates on their computer screens. As a result, they sued Eaglerider under FACTA, contending that the confirmations they received were "electronically printed" receipts subject to FACTA's truncation requirements. They both sought statutory damages.
Eaglerider moved for summary judgment, on the ground that the screenshots were not printed "receipts" within the meaning of FACTA. By contrast, Kelleher and Yaakoby argued that there is no basis in FACTA for treating the screenshots differently from ordinary paper receipts.
The court sided with Eaglerider. In so doing, it pointed to the only appellate court decision on the matter, the ruling by the U.S. Court of Appeals for the Seventh Circuit in Shlahtichman v. 1-800 Contacts, Inc.
In Shlahtichman , the plaintiff purchased contact lenses from an online retailer, and received an e-mail confirmation that included the expiration date of his credit card. The Seventh Circuit rejected his contention that the email was an "electronically printed" receipt under FACTA -- and that therefore the retailer had violated FACTA by including the credit-card expiration date.
The Court noted that "[W]hen one refers to a printed receipt, what springs to mind is a tangible document." Moreover, the ordinary or natural meaning of the term "print" refers to a recording to paper, not a recording on a computer screen.
The Court also indicated that the legislative history of FACTA "as a whole clearly shows that the statute contemplates transactions where receipts are physically printed using electronic point of sale devices like electronic cash registers or dial-up terminals." Thus, FACTA "makes no use of terms like ‘Internet' or ‘email' that would signal an intent to reach paperless receipts transmitted to the consumer via e-mail." To the contrary, the Court pointed out, FACTA's reference to receipts that are printed and "provided to the cardholder at the point of the sale or transaction" contemplates in-person transactions in a brick-and-mortar store or some comparable physical location. The Court also reasoned that Congress' purpose in enacting FACTA—to curb specific types of identity theft, like dumpster diving-- was not consistent with the plaintiff's argument that FACTA applies to e-commerce transactions.
Finally, the Court found no "willful" violation of FACTA in the case before it, as the statute requires. The court deemed it objectively reasonable for the defendant retailer to believe that FACTA's requirements for receipts did not apply to e-mail generated receipts, because no contrary opinion from an appellate court had suggested anything to the contrary.
Although the Courts Are Likely Correct that FACTA Does Not Apply, Wise Online Merchants Will Still Take Precautions
Despite the two rulings discussed above, retailers engaged in e-commerce should still consider complying with FACTA's credit-card-information truncation requirements. Other courts may interpret FACTA differently. And even if they do not, merchants may want to follow FACTA in the e-commerce sphere anyway, simply as a matter of good business practice.
After all, consumers are concerned about the security of their email and other electronic records containing personal data. Regardless of the legal requirements, a prudent policy may impress potential customers, and give them peace of mind -- by assuring them that they are as well-protected when transacting online with credit cards as they are in the brick-and-mortar context.
Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns
Ramasastry is currently on leave from the University to work for the federal government. The views expressed in this column are solely those of Ramasastry in her personal capacity and do not necessarily represent the views of any of her employers, past or present.