ORDER (1) DENYING PLAINTIFF’S MOTION TO CERTIFY CLASS AND (2) DENYING REQUESTS FOR JUDICIAL NOTICE
I.
PROCEDURAL BACKGROUND
On April 7, 2008, plaintiff Don Saulic (“plaintiff’ or “Saulic”) filed a Motion for Class Certification (“the Motion”) and Request for Judicial Notice. On April 21, 2008, defendant Symantec Corporation (“Symantec”) filed opposition. The same day, defendant Digital River, Inc. (“Digital *1325 River”) (Symantec and Digital River collectively, “defendants”), filed opposition and a Request for Judicial Notice. On May 5, 2008, plaintiff filed a reply thereto. On May 12, 2008, Digital River filed Objections and a Motion to Strike Evidence in reply. On May 19, 2008, the matter was heard by the Court and taken under submission. On May 22, 2008, plaintiff filed a Notice of Issuance of Court of Appeal Opinion. On May 29, 2008, Symantec filed a Notice of Later-Decided Supplemental Authority in Opposition to the Motion to Certify. On December 23, 2008, Digital River filed a Notice of Later-Decided Supplemental Authority in Opposition to the Motion to Certify.
II.
SUMMARY OF COMPLAINT
Plaintiff is a consumer of defendants’ products, which it sells online. This class action suit challenges defendants’ use of a credit card form with a preprinted space for a customer’s personal identifying information (“PII”) in the consummation of its online sales as a violation of the Song-Beverly Credit Card Act, California Civil Code § 1747.08 (“section 1747.08”). The Song-Beverly Act imposes on businesses three substantive prohibitions:
(a) Except as [otherwise] provided ... no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:
(1) Request, or require, as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the ... corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
(3)Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification of the cardholder.
Cal. Civ.Code § 1747.08(a).
The Act provides for civil penalties of $250.00 for the first violation and $1,000.00 for each subsequent violation. See . id. § 1747.08(e).
Plaintiff alleges Symantec, using Digital River as its online retailer, violates the statutory requirements of section 1747.08 in the following ways: (1) defendants use credit card forms with preprinted spaces specifically designed for filling in PII of the cardholder in violation of section 1747.08(a)(3); (2) defendants request or require PII as a condition of accepting credit card payments in violation of section 1747.08; and (3) these violations are ongoing.
III.
SUMMARY OF PARTIES’ CONTENTIONS
A. Plaintiffs Motion
1. Motion for Certification
On January 26, 2007, plaintiff made an online purchase of Norton AntiVirus 2007 (“NAV”) from a website owned and/or operated by defendants and entitled www. symantec.com. The purchase allowed him to download NAV to his computer but did not involve the physical shipment of a product. At the purchase screen, Saulic *1326 was presented with a credit card form with spaces for filling in PII, and it required that he disclose both his address and telephone number. Using his credit card, which also functions as a debit card, plaintiff completed the purchase and downloaded NAV.
On or about March 12, 2008, plaintiff made a renewal purchase of NAV through www.symantecstore.com, which is owned by Symantec and operated by Digital River. Saulic was again presented with a form on which to fill in his credit card information and his address and phone number. He filled in this information and completed the purchase of the renewal rights. The transaction did not involve shipment of a product.
Defendants’ use of a computer screen form with spaces for filling in PII and a request for and/or requirement of the disclosure of such information in the context of credit card transactions is in violation section 1747.08(a)(1) and (2). Plaintiff brings the action on behalf of himself and others similarly situated in North and/or South America who have made purchases of goods and/or services from defendants within the prior three years or applicable statute of limitations period.
Plaintiff seeks the following relief: (1) civil penalties pursuant to section 1747.08(e) “not to exceed two hundred fifty dollars ($250.00) for the first violation and one thousand dollars ($1,000.00) for each subsequent violation”; (2) entry of a preliminary injunction followed by a permanent injunction to bar defendants’ continued violations of section 1747.08; and (3) attorney’s fees and costs.
a. Certification under Rule 23
Plaintiff brings the action on behalf of himself and others similarly situated as stated above, the proposed class to be limited to those persons: (1) who downloaded defendants’ products from the Internet without a physical product being sent to them; (2) who used a credit card as payment; (3) whose transactions fall under California law; and (4) from whom defendants required or requested PII and/or used a credit card form in violation of section 1747.08.
i. Numerosity
The class is so numerous as to make joinder impracticable. The numerosity requirement is clearly satisfied because there are millions of class members throughout the United States, Canada, and Latin America. Certification will serve judicial economy.
ii. Commonality/Typicality
Plaintiffs claims, even though there are two defendants, are common and typical because there is a core of salient facts. While Saulic purchased the Symantec NAV from a website that Digital River operated, Saulic was the victim of a “common corporate practice” that extends from Symantec to its agents at Digital River.
See Dukes v. Wal-Mart, Inc.,
*1327 Questions of law and fact are common to the class. There is a system-wide practice employed by and centralized with Symantec that results in the violation of the Act. Under an online sales agreement, Digital River is Symantec’s agent. It is therefore appropriate to pursue relief from both parties.
Saulic’s claim is typical of the class. Although he purchased NAV through Digital River, the same practice of requesting personal information in violation of the Act is practiced across all Symantec sales hosts at Symantec’s direction.
iii. Adequacy of Representation
Saulic is an adequate representative. He is familiar with the gravamen of the claim and has monitored the action. He also has no conflict of interest and, therefore, will represent members of the class fairly.
Moreover, Saulic’s attorneys are well qualified to conduct the proposed litigation. They have more than ninety years combined experience, including multiple prior class action representations.
b. Certification under Rule 23(b)(2)
Certification pursuant to Rule 23(b)(2) is permissible where injunctive relief predominates the claims, even where money damages are sought. Here, plaintiff seeks injunctive relief because there would be no end to defendants’ unlawful practices without it. Moreover, where monetary relief does not depend upon individualized computations and is easy to calculate, courts have found it secondary to injunctive relief.
c. Certification under Rule 23(b)(3)
Alternatively, the Court may certify this action under Rule 23(b)(3) because common issues predominate. Violation of section 1747.08 is the primary issue, and the amount of civil penalties awarded is merely a question of determining their amount and calculating them on behalf of the class.
Class treatment is preferable to individual suits because each plaintiff has incurred only a small amount of damages. There is no need to engage in separate prosecution where the damages award is not more than $1,000.00 per violation. Attorneys will be able to manage the class through the Internet, and defendants’ customer e-mail lists will enable notice and class communication.
d.Defining the Class
The class should be defined as all who live in North America/South America and who have made purchases from defendants within the last three years or the applicable statute of limitations period. California law applies to these transactions by either operation of law, the agreement between the customer and defendants, or the transfer of products to California residents. The class is limited to those who used a credit card as payment in full or in part and for whom defendants requested PII as defined in section 1747.08.
B. Defendants’ Opposition
1. Symantec
a. Certification under Rule 23(b)(2) Is Unavailable
Under Rule 23(b)(2), a court should not certify a class where a plaintiff is ineligible for injunctive relief. Here, section 1747.08 provides that only the attorney general may seek injunctive relief, and thus, plaintiffs claim fails. A separate section of the statute provides for penalties for private persons. Thus, injunctive relief is not an available remedy for plaintiff.
See Religious Tech. Ctr. v. Wollersheim,
While Rule 23(b)(3) does permit certification for a class seeking damages, it does not apply here because Saulic fails the “superiority” requirement. If the Court certifies the class, the defendants’ potential liability would be enormous and completely out of proportion to any harm plaintiff suffered.
London v. Wal-Mart Stores, Inc.,
b. This Class Cannot Be Certified under Rule 23(a) Because Saulic Is Not Typical of the Proposed Class
Saulic cannot seek certification under Rule 23(a) because he lacks standing and is subject to unique defenses. For certification to be appropriate, a class representative must have a claim and injury related to each defendant. Saulic’s transactions do not relate to Symantec, only Digital River. Saulic attempts to circumvent this defect by arguing an unfounded interpretation of the statute and claiming that Symantec would ultimately receive the information. The statute, however, cannot be applied so broadly, and Digital River is Symantec’s independent contractor. Thus, Saulic does not demonstrate typicality.
Class certification also is inappropriate when the putative class representative is subject to unique defenses. Saulic tried to manufacture his claims rather than just purchase a product as a regular consumer, which makes him unique and renders him an inadequate class member.
c. The Proposed Class Is Not Ascertainable
Saulic’s proposed class is vague as to time and membership, which causes it to fail. Plaintiff seeks to certify people in numerous countries and apply California law to all of them, which overlooks principles of due process and comity. Saulic does not establish a legally cognizable basis to extend California’s regulation of credit card transactions to the rest of the world.
2. Digital River
a. The Injunctive Relief Sought Is Unavailable and Secondary
Section 1747.08 does not permit a private plaintiff to sue for injunctive relief. Under principles of statutory construction, if the statute does not include a provision, it is excluded. Because injunctive relief is addressed in a different subsection than civil penalties, it is not available to plaintiff. Moreover, the claim is not among the limited forms of injunctive relief enumerated in California Code of Civil Procedure § 526(a). Lastly, injunctive relief is unavailable because plaintiff is not exposed to continuing adverse effects. He was not injured when he made the purchase and, therefore, cannot be experiencing harm that an injunction could cure.
b. The Putative Class Lacks Commonality and Predominance
At least two categories of transactions must be excluded from plaintiffs purported class as a matter of law: corporate cards and debit cards. This is because section 1747.08 applies only to credit cards. Hundreds of thousands of mini-trials would be required to determine which claims are proper, which is made more difficult because strict encryptions are placed on all customers’ card information. As such, commonality and predominance are absent. Moreover, plaintiff fails to *1329 specify the time period of the proposed class, and claims under section 1747.08 are subject to a one-year statute of limitations. See Cal.Code Civ. Proc. § 340(a).
c.A Class Action Is Not Superior Because of the Gross Disproportionality
Plaintiff suffered no harm and provides no evidence that any putative class members have suffered harm. To determine if any of the putative class members were harmed, more mini-trials would be required. Without any determinable harm, the imposition of civil penalties would greatly outweigh that harm,
d.Choice of Law Issues Predominate
Section 1747.08 can only apply to putative class members’ transactions if choice of law principles allow it. There are several distinct groups of transactions for which the Court must determine choice of law. For example, Minnesota law expressly governs the majority of purchases made after February 12, 2008, based on the terms and conditions accepted at the time of purchase. Additionally, California law does not apply to Digital River because, contrary to plaintiffs argument, Symantec’s End User License Agreement does not apply to the sale transaction and Digital River is not a party to that contract. See Cal. Civ.Code §§ 1550, 1558, 1580. Further, customers who contracted for the extended download service agreed to Minnesota law at the time of purchase. Consequently, the Court would be required to inquire into each putative class member’s purchase to adequately determine choice of law.
It would be improper and unconstitutional to apply California law to extraterritorial purchases. Plaintiff relies on
Wershba v. Apple Computer, Inc.,
Plaintiff also fails to meet his burden of demonstrating a suitable and realistic plan for trial of the class claims. Plaintiff does not explain how each of the states and countries included in the putative class balance their interests in preventing fraud and identity theft with California’s concern of protecting PII. This failure also defeats certification.
e.Plaintiff Is Atypical and Inadequate
Plaintiff lacks standing because he made his purchase with a debit card. The majority of the class used a credit card, and plaintiffs interests are antagonistic to the other putative class members. Plaintiff made a second online purchase with another card but did so only to shore up his standing. A person cannot establish injury and standing by spending money solely to pursue litigation.
See Buckland v. Threshold Enters., Ltd.,
f.Counsel Are Inadequate as Class Counsel
Plaintiffs counsel are inadequate because they lack class action experience. They fail to argue tenable legal positions, fail to provide an adequate class definition, and fail to provide a realistic plan to manage the case. Thus, counsel are inadequate to perform as class counsel.
C. Plaintiffs Reply
1. This Action Should Be Certified under Rule 23(b)(2)
The Court should certify under 23(b)(2) because that provision does not require
*1330
class notice or opt-outs. Also, the injunctive remedy predominates where damages are easily calculated by a uniform measure across the class.
DeMarco v. Nat’l Collector’s Mint, Inc.,
Certification under 23(b)(2) is not limited to civil rights cases. Courts certify many consumer class actions. Plaintiff has the right to pursue an injunction under California law under California Code of Civil Procedure § 526, and section 1747.08 is not as narrow as defendants read it. If the legislature intended to restrict section 1747.08 in that fashion, it would have written the law in that language.
2.Certification Is Proper under Rule 23(b)(3)
Plaintiff has no conflict of interest with the class and will vigorously prosecute the matter. Plaintiffs renewal of his subscription was not illegal, and his prior experience as a plaintiff makes him better able to participate in the case. Additionally, plaintiff suffered an injury: not being able to withhold his PII, which is what he testified to at deposition. Plaintiffs interests also are not contrary to the class because there is no exception in section 1747.08 for the prevention of fraud.
Symantec designed the website, which Digital River manages, to look like it is controlled by Symantec, and plaintiff made his purchases in essence from both; moreover, plaintiffs debit card functions as both a debit card and credit card, and, thus, he has standing to bring suit against both defendants. Because a violation occurs upon the mere presentation of a credit card form that asks for PII, any consumer subjected to such a violation has standing to enjoin a future occurrence for the same illegal act.
Friends of the Earth, Inc. v. Laidlaw Env’t Serv., Inc.,
3. Common Issues of Law and Fact Predominate
Defendants admit they employ a uniform practice of requesting and requiring customers to disclose their personal information, which is sufficient alone to prove commonality. This vitiates the need for mini-trials to determine whether a plaintiff used a particular type of card. Additionally, defendants cannot attempt to avoid a class suit merely because their own encryption process makes it more difficult to determine the class members.
Six Mexican Workers v. Ariz. Citrus Growers,
Moreover, defendants fail to conclusively prove that there is a choice of law issue. Defendants must show a conflict between California law and those of other states, which they did not do. There is no choice of law impediment to certifying the class.
4. Discretion To Award Penalty Does Not Render Class Inferior
There is no danger here of “annihilating” damages because section 1747.08 provides for a fixed minimum penalty. Ninth Circuit law holds that class action complaints seeking statutory penalties should *1331 not be denied certification for concern of annihilating damages. See id. at 1309-10. The due process doctrine should not be used to frustrate class action certification.
5. The Class Is Adequately Defined
The statute of limitations is unquestionably three years and does not prevent class certification. Additionally, defendants acknowledge that over 90% of the transactions are by credit card, so the class is ascertainable. The purchase of extended download service is irrelevant to determining class members because those customers were still requested to provide PII. Lastly, the class must include all purchasers who are California residents, and defendants’ choice-of-law concerns cannot limit the class because they made their product available broadly.
IV.
DISCUSSION
A. Legal Standard for Plaintiff To Bring Suit against Defendants
The Court of Appeals for the Ninth Circuit has held that standing may be addressed before class certification where, as here, the court is not considering a global class settlement.
Easter v. Am,. W. Fin.,
To establish standing, a plaintiff must show, among other things, he has suffered an injury in fact, defined as “an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical.”
Lujan v. Defenders of Wildlife,
1. Plaintiffs Standing under the Act
The Act has no separate or additional standing requirement. It merely requires that a consumer engaged in a credit card transaction in which PII was requested or required in violation of the Act; See Cal. Civ.Code § 1747.08(a).
Plaintiff alleges defendants violated the statute with regard to him first on January 26, 2007, when he made an online purchase of NAV and was required to submit his address and telephone number as a condition of completing an online transaction, and second on March 12, 2008, when he renewed his NAV product online and was again required to submit his address and telephone number. (See Mot. Ex. 17, Saulic Deck, pp. 3-4, ¶¶ 10-14.)
2. Plaintiffs Standing to Sue Symantec
Symantec argues plaintiff lacks standing as against it because plaintiff never purchased anything from Symantec. While the purchases were for Symantec *1332 products, the transactions in which the PII were requested occurred through Digital River. Therefore, plaintiff did not suffer any wrong at the hands of Symantec.
The degree of proof necessary to establish standing differs at various stages of the proceedings.
Lujan,
Here, plaintiff shows that he visited a website with the “Symantec” name that sold “Symantec” branded products. While it is true that Digital River manages the sales of Symantec products, a review of Symantec and Digital River’s “Second Amended and Restated Symantec Online Store Agreement” (the “Agreement”) suggests that Symantec is a proper party. (Mot. Ex. 16, p. 236.) The Agreement entered into with Digital River makes Digital River the online distributor for Symantec products. The Agreement requires that the online “Storefront” for Symantec products “meet Symantec’s specifications and ... contain all features, including graphical components that comprise the ‘look and feel’ of Symantec’s Storefront.” (Id. at 239.) Additionally, Digital River is to prominently identify itself as “Symantec’s contracted vendor.” (Id.) The Agreement also states that Symantec “shall have sole discretion regarding the Content (other than pricing information for Symantec Products), structure and look and feel of the Storefront.” (Id. at 240.) The Agreement specifies that “Digital River shall permit Customers to make orders directly through the Internet via online order forms.” (Id. at 242.) This evidence suffices to establish Symantec as a proper party.
B. Transactions Covered by the Act
Plaintiff contends that if his transaction was of the type defined by the statute and if the information requested was of a type prohibited by the statute, he has standing to sue even if he did not suffer any personal harm or loss. While no injury in fact is required under the statute, the Court finds, as set forth below, that plaintiffs transaction was not of a type defined by the statute.
The Act’s subdivisions, paraphrased, prohibit defendants from “(1) having the cardholder write personal information on the credit card form, (2) having the cardholder furnish personal information for [defendants] to write on the credit card form, and (3) using forms containing preprinted space for personal information.”
TJX Cos., Inc. v. Superior Court,
Plaintiff does not cite, and the Court does not find, any state or federal case in which a violation of the Act is found based on an online transaction.
See Korn v. Polo Ralph Lauren Corp.,
No. CV S07-02745,
1. Interpreting the Act and Its Purpose
Where statutory language is clear and unambiguous, it will be applied according to its terms.
Wilson v. Safeway Stores, Inc.,
To interpret a statute, the Court should look first to its plain language, and then construe the law with its object and policy concerns in mind.
United States v. 475 Martin Lane,
2. Applying National Federation of the Blind v. Target Corp.
Plaintiff cites
National Federation of the Blind v. Target Corp.,
The basis for the court’s decision in
National Federation
does not assist in the analysis of the Act. In
National Federation,
defendants argued that the Ninth Circuit’s determination that places of “public accommodation” under the ADA are “actual, physical places” and accordingly Target.com can only violate the ADA if it “denies physical access to Target’s brick- and mortar stores.”
Id.
at 954 (citing
Weyer v. Twentieth Century Fox Film Corp.,
Here, plaintiff does not offer, and the Court does not find, a similar justification for expanding the application of the Act to online transactions. Consistent with National Federation, application of the Act to online transactions must advance the Act’s purpose.
3. The Act’s Purpose
While the legislative purpose of the Act was to “address the misuse of personal information for,
inter alia,
marketing purposes,” recent state and district court decisions give deference to a competing interest: fraud prevention through PII collection.
Absher,
Rejecting a reading of the statute which would extend its application to refund transactions, a California appeals court cited the legislative history of the Act, noting that in adopting the Act the legislature found “no need for the retailer to request” PII to complete a credit card transaction “since the credit card issuer already has that information.”
TJX Cos.,
4. Fraud Concerns with Online Transactions
As in refund transactions, an online transaction raises fraud concerns. Defendants point out that there are numerous differences between a “brick and mortar” purchase and an online purchase and the merchant’s ability to ensure the cardholder is who she claims to be. For example, an in-person transaction provides the merchant with the opportunity to check the customer’s signature on her credit card against the signature on the credit card slip. (Deck of Andrew Barker ¶ 44 (“Barker Deck”).) Additionally, the merchant can ask for picture identification to compare the person in front of them to the name on the credit card. (Id.) Certain credit cards even include the consumer’s picture imprinted on the card, allowing the merchant to confirm that the cardholder is who she claims to be. In an online transaction, -without a request for PII, online merchants must ultimately accept payment with nothing more than a name and credit card number — there is no “verification.”
Plaintiff asserted at oral argument the existence of numerous ways to confirm the identity of the cardholder in an online transaction without relying on PII. Defendants counter, however, with an extensive explanation of the Digital River fraud prevention process wherein PII is compared against various “data point for conflicts and irregularities” that flags a potentially fraudulent transaction. (Id. ¶ 47.) When Digital River’s “fraud indicators” suggest a potentially fraudulent transaction, they call the consumer to verify the transaction. (Id. ¶ 51.) In addition, Digital River notes that its payment processor, “Paymentech,” also uses customer PII to run its own fraud checks. (Id. ¶ 52.) Digital River also uses the customer’s phone number to address any online delivery problems that cannot be resolved through e-mail. (Id. ¶ 55.)
The Court must recognize plaintiffs argument that identity theft is a potential concern where PII is shared. But, plaintiff did not offer, and the Court does not find, any support for protecting this interest in online transactions in the Act or its legislative history. Instead, the Act ap *1336 pears to be concerned with the use of PII for unsolicited marketing. In keeping with the precedents finding that refund transactions are outside the category of transactions covered by the Act because of the unique fraud concerns created by those transactions, the Court also finds online transactions are not encompassed within the Act. Thus, plaintiffs claim cannot be maintained.
V.
CONCLUSION
For the foregoing reasons, the Court denies plaintiffs Motion for Class Certification. Plaintiffs and Digital River’s Requests for Judicial Notice are denied and evidentiary objections are overruled.
IT IS SO ORDERED.
IT IS FURTHER ORDERED that the clerk shall serve a copy of this Order on counsel for all parties in this action.
Notes
.
See also Party City Corp. v. Superior Court,