Philip L. Gordon, Esq. and Ryan L. McClelland, Esq.


A wave of class action privacy litigation recently reached tsunami-like proportions but now appears to be losing some of its momentum. These suits allege violations of the Fair and Accurate Credit Transactions Act (the FACT Act) because a non-truncated credit or debit card number and/or an expiration date appears on a printed receipt. Since December 2006, more than 200 such class actions have targeted the gamut of national chain operations - including, for example, retailers, hoteliers and restaurateurs - which rely heavily on credit and debit card transactions with consumers.

Plaintiffs' class action lawyers have seized upon this new genre of privacy litigation because of a critical difference between the FACT Act and virtually all other privacy and data protection legislation. Plaintiffs in FACT Act cases can recover up to $1,000 in statutory damages for a willful violation even if they suffered no actual harm. In other privacy-based lawsuits, the plaintiff typically must prove that the alleged privacy breach proximately caused actual pecuniary loss, often an insurmountable hurdle to recovery.

Given the number of credit and debit card receipts printed by a national, consumer-oriented business in one day, plaintiffs' class action attorneys have been calculating their potential recoveries in the hundreds of millions or even billions of dollars. As a consequence, defense lawyers have been working furiously to forestall potentially devastating judgments against the lawsuits' targets, many bearing household names. With the outcome still in the balance, the initial thrust of these class action filings appears to be subsiding and the likelihood of success less certain in light of recent legal rulings.

Background of the FACT Act
The FACT Act, enacted in 2003, is a package of amendments to the Fair Credit Reporting Act (FCRA), intended to reduce the risk of identity theft and to assist ID theft victims. The FACT Act provision underlying the "credit card receipt litigation" prohibits a business which accepts credit or debit cards from printing, in the words of the law, "more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction." The compliance deadline was January 1, 2005, for point-of-sale devices put into use after that date, and December 4, 2006, for devices put into use before January 1, 2005. Because the FACT Act itself establishes no remedies for a violation, those seeking to enforce the law's "truncation requirement" must rely upon the FCRA's enforcement provisions.

Critical to understanding this new wave of class action privacy litigation is the distinction in the FCRA's enforcement provisions between a "negligent" and a "willful" violation. Plaintiffs alleging a negligent violation can recover only the actual damages caused by a business' printing of a non-truncated card number or an expiration date on the receipt. Because such proof either is non-existent or extremely difficult to obtain, the chances of recovering any money damages for a negligent violation of the truncation requirement are remote. By contrast, FCRA provides up to $1,000 in statutory damages per violation for a "willful" violation of the truncation requirement, regardless of whether the person who receives the offending credit or debit receipt suffered any actual pecuniary loss.

The U.S. Supreme Court's June 2007 Decision Defining "Willful"
When plaintiffs' class action lawyers began filing credit card receipt class actions, there was no definitive guidance on FCRA's meaning of the term "willful." FCRA itself contains no definition; the Federal Trade Commission (the administrative agency responsible for enforcing FCRA) has issued no regulatory guidance; and the federal district and appellate courts have reached conflicting conclusions. Ironically, in mid-January 2007, just weeks after this wave of litigation began gathering force, the U.S. Supreme Court heard oral argument in Safeco Insurance Company of America v. Burr, which raised that very question (albeit in a different context).

On June 4, 2007, the Supreme Court issued its highly anticipated opinion, interpreting FCRA's willfulness requirement for statutory damages. The court held that "willful" includes a violation committed "recklessly," but also requires an action entailing "an unjustifiably high risk of harm that is either known or so obvious that it should be known." In the court's words, "a company subject to FCRA does not act in reckless disregard of [the act's requirements] unless the action is not only a violation under a reasonable reading of the statute's terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless."

The Supreme Court's ruling appears to add a powerful weapon to the defense lawyers' arsenal - at least for those companies that did truncate the card number but failed to remove the expiration date, a relatively common occurrence. To date, most defendants in FACT Act lawsuits have argued that they did not act willfully because they were unaware of the requirement to remove the expiration date. Under the Supreme Court's ruling, these defendants could be liable for $1,000 per offending receipt only if the sole appearance of an expiration date subjected the consumer to "an unjustifiably high risk of harm that is either known or so obvious that it should be known." While the issue has yet to be litigated, the standard appears to be near-fatal for lawsuits against businesses that did truncate the card number but continued to print the expiration date after the compliance deadline.

Recent Decisions Denying Class Certification
Putting aside the need to prove a willful violation, plaintiffs' class action lawyers have confronted another potentially case-ending obstacle. In the past few months, the federal district court in Los Angeles has refused to certify FACT Act lawsuits as class actions in five different cases. These decisions mean that the claims of anywhere from thousands to millions of customers for up to $1,000 each cannot be pursued in a single lawsuit seeking a multi-million or multi-billion dollar recovery, but instead must be pursued as individual claims of up to $1,000 each plus an award of attorneys' fees, not a particularly remunerative endeavor for a plaintiff's attorney.

The federal district court's opinion in the case against Avis Rental Cars illustrates the reasoning underlying all of the decisions to deny class certification. Under the Federal Rules of Civil Procedure, a court should permit a case to proceed as a class action only if class treatment would be superior to litigating the claims of class members in numerous individual lawsuits. The Avis court reasoned that class treatment is not the superior method of adjudication because Avis' liability "would be enormous and completely out of proportion to any harm suffered by the plaintiff." The court noted that Avis could be subject to liability of $1.66 billion for a willful violation of the truncation requirement in the absence of any actual harm to consumers.

Interestingly, in the Avis case, the court relied on testimony from Avis' expert witnesses that the appearance of an expiration date and only a truncated card number could not possibly cause any actual injury. The Avis court also emphasized that the company promptly had begun the process of removing the expiration date after discovering non-compliance.

These significant victories for the defense bar are not quite yet nails in the coffin. In three of the cases, plaintiffs' counsel has asked the United States Court of Appeals for the Ninth Circuit to review the trial court's decision denying class certification. Those requests currently are pending.

Internet Credit Card Transactions: The Next Wave of FACT Act Litigation?
In what appears to be the next wave of FACT Act litigation, class action lawsuits have been filed against online retailers, including Apple Computer, Inc., and Expedia, Inc. On August 8, 2007, a federal lawsuit alleged that Apple included credit card expiration dates on its Apple Store online receipts. Expedia, an online travel agency (doing business as recently was accused of similar conduct. However, because each business electronically generates its receipts as opposed to "electronically print[ing]" them (as required by the FACT Act), it is unclear whether the FACT Act's statutory requirements will apply to these online vendors.

Risk Management and Conclusion
Even with the pendulum swinging toward the defense side in these FACT Act lawsuits, the area remains ripe for additional court filings in light of the potentially huge damages recoveries. Despite the rash of class action filings, many businesses continue to print credit and debit card receipts that do not comply with the FACT Act's requirements.

Given these circumstances, privacy professionals at consumer-oriented businesses, whether online or offline, should investigate point-of-sale practices immediately and, if necessary, redact all but the last five digits of the credit or debit card number and the expiration date from all electronically printed customer receipts. This process may require working with third-party vendors to ensure that any updates are done properly. If the investigation reveals past violations of the truncation requirement, which have not yet been raised in a lawsuit, the business should begin developing the foundations of its litigation defense so that this newest wave of privacy-based litigation will hit the shore without causing any damage to the organization.

Philip Gordon is a shareholder in Littler Mendelson's Denver office and chairs the firm's Privacy and Data Protection Practice Group. He also authors the blog "Workplace Privacy Counsel." He can be reached at +303.362.2858.
Ryan McClelland is an associate in Littler Mendelson's Los Angeles office. He can be reached at +310.772.7263.

