A recent federal court decision in Carr v. BG Retail, LLC & Caleres, Inc. (involving FamousFootwear.com) could have broad implications for ecommerce businesses that collect customer emails during checkout. 

The court allowed a class action to proceed under Massachusetts’ Chapter 93A and the Consumer Privacy in Commercial Transactions Act (CPICTA) – laws governing unfair or deceptive business practices related to credit card transactions.  Specifically, CPICTA  prohibits businesses that accept credit cards from “writ[ing], causing to be written, or requir[ing] a cardholder to write personal identification information not required by the card issuer on a credit card transaction form, except where necessary for shipping, delivery, installation, or a warranty.”  MASS. GEN. LAWS ch. 93, § 105(a). 

The plaintiff claims Famous Footwear required customers paying by credit card to provide their email address, even though an email was not necessary to complete the purchase and that FamousFootwear then used that information to send marketing emails without the plaintiff’s consent.  Accordingly to the court’s summary of plaintiff’s claims:

Famous Footwear’s online checkout requires all credit card customers, whether purchasing for shipment or for pickup at a store, to enter an email address.  Carr asserts that an email address is not required by card issuers and is unnecessary for order fulfillment because customers must also provide a shipping address and telephone number.  She alleges that Defendants previously displayed a marketing consent checkbox at checkout but sent promotional emails regardless of whether the box was checked, and that the current checkout includes only a link in small print to the privacy policy near the email field. 

The court, in denying the Motion to Dismiss, ruled that:

• An email address qualifies as personal identification information under Massachusetts law and CPICTA can apply to online transactions, not just in-store sales.
• For purposes of the motion to dismiss, Plaintiff’s allegations of receiving unwanted marketing emails were a sufficient injury to establish a basis for the litigation to proceed.
• Whether or not the email capture was part of the “credit card transaction form” as required by CPICTA, and whether or not the shipping and delivery exceptions applied to the collection of the email address on the checkout page, were both issues of fact to be resolved based on evidence at later stages of the case.

Why It Matters for Ecommerce Businesses

For ecommerce sellers, the case highlights growing legal scrutiny of data collection and marketing consent practices. Key takeaways include:

• State laws may create higher burdens than federal rules. Even if a business complies with CAN-SPAM, state laws like Chapter 93A could impose stricter consent standards for the collection of data to be used for marketing purposes.
• Transparency and choice is essential. Consumers should understand how the data they’re providing will be used to market to them. Using an email collected for a receipt or order update to send promotions could be deemed deceptive if consent is not clear.

Cases like Carr v. BG Retail show how state laws continue to create significant risks for ecommerce businesses and how the law in these areas continue to evolve. The EIA continues to advocate for policies that protect consumers while giving ecommerce innovators clear, practical compliance frameworks.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.