A court ruling in California could pit privacy-conscious credit card users against retailers in a conflict over how companies can use customer information. In a February decision, the California Supreme Court ruled that online merchants selling digital downloads can ask for shoppers' personally identifiable information, such as ZIP codes and phone numbers, even if that information doesn't directly pertain to the sale.

The Song-Beverly Credit Card Act has governed credit card transactions in California for the past two decades. Retailers operating in California and in other states often fall back to the Act's rules as a lowest common denominator for their nationwide policies. Under California's previous rules, retailers could only ask for address and contact information when arranging delivery of shipped goods, when processing a security deposit or cash advance, or when required by either a credit card payments network or a federal regulation.

The court ruled in opposition to a lawsuit from an Apple customer who contended that the company did not need his telephone number or address to authorize the sale of downloaded content through iTunes. The court suggested that online retailers lack the same protection against credit card fraud as merchants with physical storefronts who can verify a customer's identity by asking for photo identification. However, the court did not account for merchant agreements with credit card networks that specifically prohibit retailers from checking identification at the point of sale.

According to Evan Schuman at StorefrontBacktalk, retailers like Home Depot have already used customer databases to merge online purchase histories with in-store activity records. When used effectively, consumer information can help retailers improve product selection and make appropriate suggestions for future purchases. Under the new ruling, a retailer with both online and virtual storefronts can collect key information during digital download orders that can then be merged with receipts from in-person sales.

Opponents of the ruling suggest that marketers could put customers at risk of identity theft, especially when merging information from external profiles. Writing on a University of California Berkeley blog, technology law scholar Babak Siavoshy noted that many corporate data breaches involve personally identifiable information stored without a specific purpose or a data governance process in place. Digital wallet services, such as Visa's V.me program, can prevent credit card numbers from being stored in retailers' databases. However, participating merchants must still take precautions to secure other customer information.