CITY AND COUNTY OF SAN FRANCISCO et al., Petitioners and Respondents, v. HOMEAWAY.COM, INC., Respondent and Appellant.
The City and County of San Francisco, along with the city tax collector and treasurer (collectively, the City), obtained an order from the superior court granting their petition to enforce an administrative subpoena. The subpoena requires HomeAway.com, Inc. (HomeAway) to disclose data about rental transactions involving accommodations located in San Francisco that were arranged using a HomeAway Web site.
On appeal, “[w]e review de novo the question whether the subpoena meets the standards for enforcement. [Citation.]” (State ex rel. Dept. of Pesticide Regulation v. Pet Food Express (2008) 165 Cal.App.4th 841, 854, 81 Cal.Rptr.3d 486.) HomeAway contends that the City's subpoena does not meet these standards because it violates the Stored Communications Act, 18 U.S.C. §§ 2701–2712 (the SCA),1 which regulates the government's ability to compel disclosure of some electronic data stored on the Internet. HomeAway also contends that enforcing the subpoena would violate its customers' constitutional rights. Finally, HomeAway argues that the subpoena is not enforceable under local or state law. We affirm the order.
II. FACTUAL AND PROCEDURAL BACKGROUND
A. HomeAway's Business
In the trial court, HomeAway offered evidence about its business and storage of electronic records by filing the declaration of Steve Davis, HomeAway's chief digital and cloud officer. Davis described HomeAway as an “online forum that allows property owners to list their properties for short-term rentals and connect with individuals who are looking to rent a house or apartment when visiting a city, rather than stay in a hotel.” Davis explained that HomeAway is not a party to home rental transactions; it operates Web sites that owners and travelers use to locate each other and arrange their own bookings and rentals.
Listing a property on a HomeAway Web site involves the following steps. First, the owner must register for an account, which requires him or her to complete forms “that ask for personal information, such as name, address, telephone number, and credit card information.” Then the owner uses his or her account to post a listing, which provides pertinent information about the property, including the rental rate and other details. HomeAway processes the owner's “data,” and stores it so that it can be used in connection with future listings and other services that HomeAway offers.
HomeAway offers two alternative services to owners and travelers to assist them with making “arrangements to book and rent properties” listed with HomeAway. First, they can send messages to each other “through HomeAway's website (a service called HomeAway Secured Communication).” All arrangements can be made via this service, or the parties may elect to complete their transactions by “exchanging telephone numbers or personal email addresses.” Both owners and travelers (who also create online accounts) “may” retain their messages, which are then stored by HomeAway.
Alternatively, rental arrangements can be made using HomeAway's online reservation service. Online booking data does not necessarily correlate with completed transactions because reservation may be cancelled offline. Furthermore, HomeAway's data about these transactions may not be comprehensive because it uses a third-party Internet service to process online payments.
Davis estimated that, in the past five years, more than 10,000 San Francisco properties have been listed on a HomeAway Web site. According to Davis, the “vast majority” of bookings and rentals involving San Francisco properties have been arranged by direct communications between owners and travelers, and the only “data” HomeAway has about these transactions are the communications themselves, which “may show that users reached agreements for bookings and rentals.” Davis also estimated that “there are hundreds of thousands of messages concerning San Francisco listings in the last four and one-half years,” and he opined that searching through these messages for specific data would be “enormously burdensome.”
Finally, Davis emphasized that owners who list their properties with HomeAway “agree that ‘they are responsible for and agree to abide by all laws, rules, ordinances, or regulations applicable to their listings and rental of their properties, including ․ requirements relating to taxes.’ ” As proof of this agreement, Davis attached a copy of a set of “Terms and Conditions” that HomeAway posts on its Web site (the HomeAway Terms) as an exhibit to his declaration.
B. The City's Subpoena
On April 5, 2016, the City's tax collector served a subpoena on HomeAway (the 2016 subpoena). The 2016 subpoena was issued pursuant to article 6, section 6.4-1, subdivision (c) of the San Francisco Business and Tax Regulations Code (the B&TR Code), which states that the tax collector “may order any person or persons, whether taxpayers, alleged taxpayers, witnesses, or custodians of records, to produce all books, papers, and records which the Tax Collector believes may have relevance to enforcing compliance with the provisions of the [B&TR] Code for inspection, examination, and copying at the Tax Collector's Office during normal business hours.”
The 2016 subpoena ordered HomeAway to produce “all data, documents, records, and other material described in Exhibit A attached hereto.” Exhibit A requested that HomeAway provide two categories of information.
The City's first request was for “data identifying all hosts who have offered accommodations located in the [City] through [HomeAway] or any affiliated websites between January 1, 2012 and the date of HomeAway's response to this subpoena.” For each host, the City requested data showing the location(s) of the accommodations; the host's contact information; and all “identifying information” that HomeAway had created or retained about the host.
The City's second request was for “data identifying all bookings for rental transactions of which you are aware that involved accommodations located in the [City] during the period between January 1, 2012 and the date of HomeAway's response to this subpoena.” The City requested data as to all bookings that were made through a service offered by HomeAway or an affiliate, whether or not the rental transaction ultimately took place. For each booking, the City requested data showing the location(s) of the accommodations; the host's contact information; and all identifying information that HomeAway created or obtained regarding the host and the booking.
In outlining these requests for what we will refer to as (1) host data and (2) booking data, the City offered extensive examples of the types of information it was seeking, which typically included very specific identifying information, such as names, street addresses, telephone numbers, e-mail addresses, host codes, dates of birth, and driver's license numbers.
C. The City's Petition
On June 21, 2016, the City filed a petition to enforce compliance with the 2016 subpoena, which was supported by the following material allegations:
First, HomeAway is registered to do business in California and has being doing business in the City for several years by providing “internet-based platforms on which San Francisco property owners, renters and/or managers or their agents (collectively, ‘Owners') advertise residential properties to potential renters, usually tourists, seeking temporary lodging in San Francisco.”
Second, the B&TR Code requires (1) owners who rent out property to obtain a business registration certificate from the treasurer (B&TR Code, art. 12, § 853), and (2) renters of short-term rental properties in the City must pay a transient occupancy tax (TOT) (B&TR Code, art. 7, §§ 501–515.2). Unless the rental transaction is arranged through a qualified Web site company, the owner is required to collect the TOT at the time rent is paid for the short-term accommodation, and to file monthly or quarterly returns remitting the TOT to the tax collector. (B&TR Code, art. 6, § 6.9-2 & art. 7, § 504.)
Third, the B&TR Code imposes a duty on the tax collector to collect taxes imposed by the code (B&TR Code, art. 6, § 6.3-1), and authorizes the tax collector to investigate possible noncompliance with the code, and to “issue and serve subpoenas” in order to carry out the tax provisions of the code (B&TR Code, art. 6, § 6.4-1).
Fourth, pursuant to its authority under the B&TR Code, the tax collector made several attempts to secure information from HomeAway that would enable the City to identify (1) owners who listed properties for rent on HomeAway's Web sites, and (2) resulting rental transactions. Initially, the tax collector made an informal request for this information, which HomeAway denied. In October 2015, the tax collector issued and served a subpoena demanding that HomeAway produce these two categories of information. HomeAway objected to the subpoena and refused to comply voluntarily with it. In April 2016, the tax collector issued and served an updated subpoena (i.e., the 2016 subpoena), demanding the production of the same two categories of information. In a letter to HomeAway's counsel, the City responded to HomeAway's objections to the 2015 subpoena, and offered to work with HomeAway to limit the scope of the subpoena to address concerns that some language was vague and/or overbroad.3 Again, HomeAway objected and refused to comply.
Finally, the City alleged that the tax collector had good cause to obtain the information sought from HomeAway as evidenced by a recent policy analysis report on short-term rentals in San Francisco, which showed that most owners were not in compliance with B&TR Code requirements applicable to their rental transactions.4 Accordingly, the City requested that the superior court exercise its authority to order HomeAway to comply with the 2016 subpoena.
In August 2016, HomeAway filed its opposition to the City's petition, arguing that the 2016 subpoena was invalid for the following reasons: (1) the City was using the subpoena to collect an invalid tax; (2) the subpoena was overbroad and burdensome; (3) enforcing the subpoena would impinge on the First Amendment rights of HomeAway customers; and (4) the subpoena violated provisions of the SCA that restrict a government entity's ability to compel disclosure of electronic data stored with an Internet service provider.
At an August 25, 2016 hearing on the petition, the parties focused almost exclusively on questions of whether the SCA applied, and if so, whether the City had complied with the statutory requirements for compelling disclosure of HomeAway's customer records. At the conclusion of the hearing, the court invited the parties to submit additional authority regarding the SCA, and continued the matter. On September 20, 2016, the court granted the City's petition, but stayed its ruling so HomeAway could seek appellate review.
The court formalized its rulings in an order that was signed on September 28 and filed on October 4, 2016 (the October 2016 order), which states in part: “There is insufficient support in the record to establish that HomeAway is either an Electronic Communications Service or a Remote Computing Service within the mean of the [SCA]. There is insufficient evidence to show that the subpoena was burdensome or overbroad. The subpoena does not violate First Amendment rights. The Court does not need to reach the issue of the City's authority under the hotel tax. The subpoena is sufficiently related to the tax ordinances to permit the subpoena to be enforced.”
A. The SCA
HomeAway's first argument is that the order enforcing the 2016 subpoena must be reversed because the City failed to comply with the requirements of the SCA.
1. Statutory Framework
“The Electronic Communications Privacy Act of 1986 (‘ECPA’), Pub. L. 99-508 (1986) addresses various areas of electronic surveillance including wiretaps, tracking devices, stored wire and electronic communications, pen registers, and trap and trace devices. [Citation.]” (United States v. Anderson (D. Nev., Apr. 27, 2016, Case No. 2:15-cr-0020-KJD-PAL) 2016 U.S. Dist. LEXIS 103387, at *23–24.) The SCA, which is contained in Title II of the ECPA, “governs access to stored electronic communications.” (Ibid.)
“Congress passed the SCA ․ to fill a gap in the protections afforded by the Fourth Amendment.” (Juror Number One v. Superior Court (2012) 206 Cal.App.4th 854, 860, 142 Cal.Rptr.3d 151 (Juror Number One).) “The Fourth Amendment provides no protection for information voluntarily disclosed to a third party, such as an Internet service provider (ISP). [Citations.] [¶] To remedy this situation, the SCA creates a set of Fourth Amendment-like protections that limit both the government's ability to compel ISP's to disclose customer information and the ISP's ability to voluntarily disclose it.” (Id. at p. 860, 142 Cal.Rptr.3d 151, citing Kerr, A User's Guide to the Stored Communications Act—And a Legislator's Guide to Amending It (2004) 72 Geo. Wash. L.Rev. 1208, 1212–1213 (Kerr User's Guide).) 5
“ ‘The [SCA] reflects Congress's judgment that users have a legitimate interest in the confidentiality of communications in electronic storage at a communications facility. Just as trespass protects those who rent space from a commercial storage facility to hold sensitive documents, [citation], the [SCA] protects users whose electronic communications are in electronic storage with an ISP or other electronic communications facility.’ [Citation.]” (Juror Number One, supra, 206 Cal.App.4th at p. 860, 142 Cal.Rptr.3d 151.) Importantly, the SCA “is not a catch-all statute designed to protect the privacy of stored Internet communications; instead it is narrowly tailored to provide a set of Fourth Amendment-like protections for computer networks.” (Kerr User's Guide, supra, at p. 1214.)
These protections, contained in sections 2702 and 2703, provide network account holders with “statutory privacy rights against access to stored account information held by network service providers.” (Kerr User's Guide, supra, at p. 1212.) Section 2702, which is not directly at issue, limits the ability of a network service provider or ISP voluntarily to disclose information about its customers or subscribers to the government. In this case, we focus on section 2703, which “creates limits on the government's ability to compel providers to disclose information in their possession about their customers and subscribers.” (Kerr User's Guide, supra, at p. 1212, fn. omitted.)
Specifically, section 2703 regulates government access to (1) the content of a wire or electronic communication that is processed or stored on an electronic communication service (ECS) or a remote computing service (RCS), and (2) an electronic record or other information about a subscriber or customer of an ECS or RCS. Section 2703 contains different sets of procedures for compelling disclosure of these two categories of evidence, each of which affords different levels of privacy protection. (In re Search Warrant for [Redacted] @yahoo.com (C.D. Cal. 2017) 248 F.Supp.3d 970, 974–975.)
Consistent with other provisions of the SCA, section 2703 affords a higher level of privacy protection to stored electronic communications than to customer records.6 Several factors dictate what procedure(s) the government entity may use to compel disclosure of an electronic communication, including whether the record is stored on an ECS or an RCS, the amount of time that the record has been in storage, and the purpose for which the record was stored. Electronic communications that enjoy the highest level of protection afforded by the SCA cannot be obtained by a government entity without a warrant. (§ 2703(a).) For other types of electronic communications covered by section 2703, the government can compel disclosure if it either (1) obtains a warrant, or (2) gives prior notice to the subscriber or customer who generated the communication and then obtains either an administrative subpoena authorized by state or federal statute, a grand jury subpoena, a trial subpoena, or a court order. (§ 2703(a) & (b)).
Section 2703 procedures for obtaining customer records covered by the SCA afford two distinct layers of protection to the customer or subscriber. First, a government entity may compel disclosure of records that identify the customer and provide details about the customer's use of the provider's service by issuing an administrative subpoena authorized by a federal or state statute. (§ 2703(c)(1)(E) & (c)(2).) Second, to compel disclosure of other customer records pertaining to a subscriber or customer of an ECS or RCS (not including content of communications) the government entity must obtain one of the following: (1) a warrant from a court of competent jurisdiction; (2) a court order based upon a showing that the information is pertinent to an ongoing criminal investigation; (3) consent of the customer or subscriber; or (4) authorization pursuant to a written request to a law enforcement agency investigating telemarketing fraud. (§ 2703(c)(1)(A)–(D).)
2. Issues Presented
HomeAway argues the 2016 subpoena violates the SCA because: (1) HomeAway is “covered” by the SCA as an ECS provider, (2) HomeAway is “covered” by the SCA as a RCS provider, (3) the City attempts to compel disclosure of electronic communications without securing a warrant or providing prior notice to HomeAway subscribers; and (4) the 2016 subpoena was not issued pursuant to a state or federal statute.
“Whether an entity is acting as an RCS or an ECS (or neither) is context dependent, and depends, in part, on the information disclosed. [Citations.]” (Low v. LinkedIn Corp. (N.D. Cal. 2012) 900 F.Supp.2d 1010, 1023.) “[T]he key is the provider's role with respect to a particular copy of a particular communication, rather than the provider's status in the abstract. A provider can act as an RCS with respect to some communications, an ECS with respect to other communications, and neither an RCS nor an ECS with respect to other communications.” (Kerr User's Guide, supra, at pp. 1215–1216, fns. omitted.)
Therefore, the enforceability of the 2016 subpoena does not depend on whether HomeAway is somehow “covered” by the SCA. Even if we assume that HomeAway's platform qualifies as an ECS and/or a RCS, HomeAway cannot establish a violation under the SCA without demonstrating that the City failed to use an authorized procedure for compelling HomeAway to disclose the evidence sought by the 2016 subpoena. As discussed below, the 2016 subpoena does not require HomeAway to disclose electronic communications. Furthermore, the procedure the City used to compel disclosure of HomeAway's customer records was authorized by the SCA.
3. The City Is Not Requesting Electronic Communications
Throughout appellant's opening brief, HomeAway argues that most of the records responsive to the 2016 subpoena are electronic communications generated by HomeAway subscribers. The record does not support this argument. The two requests incorporated into the 2016 subpoena are broad in scope, but seek very specific information about hosts who use HomeAway to offer to rent property located in San Francisco, and about bookings of rental property located in San Francisco. Importantly, the 2016 subpoena does not expressly or implicitly command HomeAway to produce any electronic communication generated by a HomeAway user. Furthermore, when the City served the 2016 subpoena it advised HomeAway's counsel that it was not seeking the production of users' login information, or “posts made in discussion forums.” And, in the lower court the City repeatedly stated that it was not seeking to compel HomeAway to disclose the content of electronic communications.
In appellant's reply brief, HomeAway contends that the 2016 subpoena necessarily demands disclosure of electronic communications because “it seeks information that often would be shared through personal communications.” We disagree with this conclusion. If HomeAway has collected information about its users that is covered by the subpoena, it cannot withhold that information from the City simply because that information might also be included in the content of a user's electronic communication. By the same token, to the extent HomeAway has exercised some right to mine the electronic communications stored on its system, the information it has extracted for its own business uses would not meet the definition of an electronic communication stored on an ISP service.
At oral argument before this court, counsel for the City reiterated that the 2016 subpoena does not compel disclosure of electronic communications, and HomeAway's appellate counsel accepted this representation, which she characterized as a concession. Accordingly, we now confirm and adopt the parties' stipulation that the 2016 subpoena does not compel the disclosure of any electronic communication generated by a customer or subscriber of a HomeAway service. In light of this stipulation, the pertinent issue under the SCA is whether the City followed an authorized procedure for compelling the disclosure of a service provider's customer records.
4. SCA Requirements Pertaining to Customer Records
As noted in our overview of the SCA, section 2703 contains different sets of procedures for compelling disclosure of two categories of records pertaining to a customer of an ECS and/or a RCS. First, the government entity may use an administrative subpoena authorized by a federal or state statute to compel disclosure of certain types of customer records that are listed in section 2703(c)(2), which pertain to the identity of the subscriber and the services he or she has utilized. Second, for all other customer records the government may not use an administrative subpoena to compel disclosure, but must instead use one of several alternative procedures outlined in section 2703(c)(1).
HomeAway contends that most of the information demanded by the 2016 subpoena “goes far beyond” the basic customer identification data covered by section 2703(c)(2). We do not accept this contention for two related reasons.
First, section 2703(c)(2) is broader than HomeAway assumes. It authorizes the use of an administrative subpoena to compel the disclosure of the following records pertaining to the subscriber or customer: name; address; telephone connection records, records of session times and durations; length of service and types of services utilized; subscriber identification numbers, including telephone numbers or temporarily assigned network addresses; means and sources of payment, including credit card information and bank account numbers. (§ 2703(c)(2)(A)–(F).)
Second, the 2016 subpoena is construed reasonably as requesting the types of customer identification evidence and customer transaction records that are delineated in section 2703(c)(2). The request for host data seeks specific identifying information about HomeAway customers who used its service during a given period to offer an accommodation in San Francisco. The request for booking data also seeks specific information about specific customers' use of HomeAway's services to book rentals—names, dates, addresses, and payment information. Though potentially voluminous, the information that the City seeks is very specific data identifying HomeAway's customers, specifying what services those customers used and when, and identifying the source and method of payments made to HomeAway for those services.
The fact that the 2016 subpoena contains some language that could be construed as applying to some other type of customer record that HomeAway retains on its systems does not mean the 2016 subpoena is unenforceable. Undisputed evidence demonstrates that the City was consistently willing to meet and confer with HomeAway to resolve concerns that the language of this subpoena was vague and or overbroad. HomeAway's supposition that some unspecified records fall outside the scope of section 2703(c)(2) may turn out to be a ground for withholding that evidence, but does not support HomeAway's claim that the entire subpoena is unenforceable under the SCA.
HomeAway contends that the 2016 subpoena is invalid even if limited to the categories of information listed in section 2703(c)(2) because it was issued pursuant to a local law as opposed to a state or federal statute. We disagree with this argument.
The SCA does not state that an administrative subpoena must be issued “pursuant” to a state or federal statute, as HomeAway contends. Rather, the administrative subpoena must be “authorized” by a state or federal statute. (§ 2703(c)(2)(F); see also § 2703(b)(1)(B)(i).)
Article X, section 7 of the California Constitution states: “A county or city may make and enforce within its limits all local, police, sanitary, and other ordinances and regulations not in conflict with general laws.” This state statute authorizes cities to levy taxes for city purposes. (Willingham Bus Lines, Inc. v. Municipal Court for San Diego Judicial Dist. (1967) 66 Cal.2d 893, 896, 59 Cal.Rptr. 618, 428 P.2d 602 [“ ‘Whether or not state law has occupied the field of regulation, cities may tax businesses carried on within their boundaries and enforce such taxes by requiring business licenses for revenue and by criminal penalties.’ [Citations.]”; City of San Bernardino Hotel/Motel Assn. v. City of San Bernardino (1997) 59 Cal.App.4th 237, 242-243, 69 Cal.Rptr.2d 97; People ex rel. Flournoy v. Yellow Cab Co. (1973) 31 Cal.App.3d 41, 46, 106 Cal.Rptr. 874.) Thus, the 2016 subpoena, which was issued pursuant to the City's B&TR Code, was an exercise of the City's power to tax as authorized by a state statute, i.e., the California Constitution.
For all these reasons, we conclude that HomeAway has failed to demonstrate that the October 2016 order enforcing the 2016 subpoena violates the privacy protections that the SCA affords to HomeAway customers.
B. HomeAway's Constitutional Claims
In a separate set of arguments, HomeAway contends that the order enforcing the 2016 subpoena violates the constitutional rights of HomeAway customers who exchange private communications on HomeAway's housing Web sites.
Preliminarily, HomeAway fails to demonstrate that it has standing to assert these claims. HomeAway posits, without analysis, that it may invoke constitutional “defenses” that could otherwise be asserted by its customers or subscribers, citing NAACP v. State of Alabama (1958) 357 U.S. 449, 459, 78 S.Ct. 1163, 2 L.Ed.2d 1488.) In that case, the Supreme Court held that the NAACP was the appropriate party to assert the free association rights of its members by refusing to produce the group's “rank-and-file” membership lists. (Ibid.) The Court reasoned that the NAACP and its members were “in every practical sense identical” in that the association was the medium through which its individual members sought to exercise their own First Amendment rights to express their political views and advance their beliefs and ideas. (Id. at pp. 459–460, 78 S.Ct. 1163.)
In this case, by contrast, HomeAway has not demonstrated that it is an appropriate party to assert the constitutional rights of its subscribers. HomeAway is an Internet business as opposed to a political association, and its commercial relationship with owners and travelers who pay to use its services is not comparable to the NAACP's relationship with its members. Further, even if HomeAway does have standing, its substantive claims lack merit.
HomeAway first contends that the Fourth Amendment bars the City from getting the information it seeks without first obtaining a warrant. We disagree. The Fourth Amendment does not protect information voluntarily disclosed to a third party, which is why the SCA created a set of Fourth-Amendment-like protections for customer information stored on ISPs. (Juror Number One, supra, 206 Cal.App.4th at p. 860, 142 Cal.Rptr.3d 151.) As discussed above, the City has not violated those statutory protections by using its authority under state law to compel HomeAway to disclose customer identification records.
Insisting that Fourth Amendment protections extend to “online communications and content” generated by HomeAway customers, HomeAway cites United States v. Warshak (6th Cir. 2010) 631 F.3d 266 (Warshak). In Warshak, the appellant appealed his fraud convictions on the ground that the government violated his Fourth Amendment rights by compelling his Internet service providers to disclose thousands of his private emails. (Id. at pp. 281–282.) In finding a Fourth Amendment violation, the Warshak court emphasized the “fundamental similarities between email and traditional forms of communication” and it reasoned that a “commercial ISP” is the “functional equivalent of a post office or a telephone company” because it is the “intermediary that makes email communication possible.” (Id. at pp. 285–286.) Warshak is not relevant here because the 2016 subpoena does not compel HomeAway to disclose private e-mails or any electronic communication generated by a HomeAway subscriber.
In a separate argument, HomeAway claims that the compelled disclosure of the identities of HomeAway customers would violate the First Amendment right to private association. “The privacy of personal association is protected by the First and Fourteenth Amendments of the United States Constitution. [Citations.] The freedom to associate with the persons of one's choice, without unwarranted governmental intervention or interference, is divided into two components: the freedom of intimate association and the freedom of expressive association. [Citation.]” (Pacific–Union Club v. Superior Court (1991) 232 Cal.App.3d 60, 70–71, 283 Cal.Rptr. 287.) Intimate association is constitutionally protected as a fundamental element of personal liberty “because ‘choices to enter into and maintain certain intimate human relationships must be secured against undue intrusion by the State ․’ [Citation.]” (Id. at p. 71, 283 Cal.Rptr. 287.) The constitution also protects expressive association “as an ‘indispensable means of preserving’ the liberty to ‘associate for the purpose of engaging in those activities protected by the First Amendment—speech, assembly, petition for the redress of grievances, and the exercise of religion. [Citations.]” (Ibid.)
We conclude that the use of HomeAway's platform to arrange a short-term rental does not constitute an intimate association or an expressive association, but a commercial association for the purpose of executing a business transaction. HomeAway appears to concede that its users engage in commercial speech, but it argues that online “messages also may contain any number of private and highly personal disclosures, including requests for romantic restaurant ideas, daycare recommendations, Wi-Fi passwords, and political opinions.” (Italics omitted.) We need not speculate about such matters, however, because the 2016 subpoena does not compel HomeAway to disclose electronic communications between owners and renters.
C. Remaining Contentions Regarding Local and State Law
Finally, HomeAway contends the 2016 subpoena is invalid because it is not authorized by local or state law. We disagree.
The pertinent local law is article 6, section 6.4-1 of the B&TR Code (section 6.4-1), which is titled “Records; Investigation; Subpoenas.” Section 6.4-1 imposes obligations on every taxpayer to keep business records that may be relevant to the tax liability for a period of five years, and to comply with requests by the tax collector to produce those records for inspection and copying. (B&TR Code, art. 6, § 6.4-1, subds. (a)–(b).) Also, section 6.4-1 authorizes the tax collector to “order any person or persons, whether taxpayers, alleged taxpayers, witnesses, or custodians of records, to produce all books, papers, and records which the tax collector believes may have relevance to enforcing compliance with the provisions of the [B&TR] Code.” And, the Tax Collector is expressly authorized to “issue and serve subpoenas to carry out these provisions.” (B&TR Code, § 6.4-1, subd. (f).)
We find that the tax collector acted within its authority under section 6.4-1 by issuing the 2016 subpoena because the data he requested “may have relevance” to his investigation regarding whether individuals who participate in short-term rentals are complying with the City's tax ordinances. As the City alleged in its petition, the tax collector issued the 2016 subpoena in the course of an investigation regarding possible noncompliance with two tax ordinances: (1) the “Tax on Transient Occupancy of Hotel Rooms” ordinance, B&TR Code, article 7, sections 501–515.2 (the TOT ordinance); and (2) the “Business Registration” ordinance, B&TR Code, article 12, sections 851–853.
HomeAway contends that the subpoena is not authorized by local law because (1) the TOT ordinance imposes a “Hotel Tax” that cannot be lawfully applied to HomeAway users who arrange short-term rental transactions, and (2) many of its users may qualify for an exemption from the business certificate requirement imposed by the Business Registration ordinance. The City disputes both of these claims. However, these issues are beyond the scope of the present appeal; we do not need to resolve them here, outside the context of an actual case or controversy, in order to determine whether the tax collector acted within its authority. The pertinent local law is section 6.4-1 of the B&TR Code, which establishes a broad standard of relevancy, confers broad investigative authority on the tax collector, and expressly authorizes the tax collector to issue an administrative subpoena under the circumstances presented here. This power to make administrative inquiry is broad. (Arnett v. Dal Cielo (1996) 14 Cal.4th 4, 8, 56 Cal.Rptr.2d 706, 923 P.2d 1.) It does not depend on a case or controversy, but authorizes investigation “ ‘ “merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” ’ [Citation.]” (Ibid.)
HomeAway argues that it has a due process right to challenge the tax collector's interpretation of the TOT ordinance in this proceeding because there is no other way for it to bring such a challenge, as it is not the entity who will be subjected to the tax. This argument, unsupported by authority, only highlights the fact that the issues HomeAway attempts to litigate here are not ripe for judicial review. Indeed, the general rule is that “a tax may be challenged only after it has been paid.” (Batt v. City and County of San Francisco (2007) 155 Cal.App.4th 65, 71, 65 Cal.Rptr.3d 716, disapproved on other ground in McWilliams v. City of Long Beach (2013) 56 Cal.4th 613, 155 Cal.Rptr.3d 817, 300 P.3d 886.)
Finally, HomeAway contends that the 2016 subpoena is overbroad under state law, citing Union Pacific R.R. Co. v. State Bd. of Equalization (1989) 49 Cal.3d 138, 260 Cal.Rptr. 565, 776 P.2d 267 (Union Pacific). In that case, the Supreme Court held that “an assessee is entitled to prepayment judicial relief from an assessor's demand for information if the assessee can show that the information is not reasonably relevant to the proposed tax.” (Id. at p. 147, 260 Cal.Rptr. 565, 776 P.2d 267, fn.omitted.) The court reasoned that the state constitutional ban on judicial relief prior to payment of a tax applies to a tax board's “demands for information because they are the first step in the assessment and collection of taxes,” but that this “ ‘ban on prepayment judicial review ․ must yield, of course, to the requirements of the federal Constitution.’ ” (Id. at p. 146, 260 Cal.Rptr. 565, 776 P.2d 267.) Union Pacific does not support HomeAway's position in the present case for two independent reasons. First, no tax has been assessed against HomeAway or anyone HomeAway represents. Second, the information sought by the 2016 subpoena is reasonably relevant to the tax collector's investigation conducted pursuant to his authority to enforce the provisions of the B&TR Code discussed above.
The order granting the City's petition is affirmed. The City may recover costs of appeal.
1. Subsequent citations to a statutory provision refer to the SCA, unless otherwise stated.
3. The City attached copies of its correspondence with HomeAway's counsel to the petition. In an April 2016 letter, the City stated: “San Francisco is not seeking at this time to have HomeAway produce host credit card or banking information, passwords, login information, posts made in discussion forums, or property photographs.”
4. This report was attached as an exhibit to the City's petition. Additional pertinent evidence regarding the short-term rental business in San Francisco was filed in the lower court as part of a declaration from an employee of the City's budget and legislative analyst's office.
5. Like the court in Juror Number One, supra, 206 Cal.App.4th at page 860, 142 Cal.Rptr.3d 151, the parties in this case use the Kerr User's Guide to frame their discussion of SCA.
6. According to Kerr, this aspect of the SCA is “intuitive” in that the “actual contents of messages naturally implicate greater privacy concerns than information (much of it network-generated) about those communications.” (Kerr User's Guide, supra, at p. 1228.)
RUVOLO, P. J.
We concur: REARDON, J. STREETER, J.