Over the last year, several data privacy bills, as previously discussed on White & Case's Technology Newsflash, have been introduced in Congress directed at protecting an individual's personally identifiable information ("PII"). While these bills tend to define PII broadly, none of these proposed bills appear to expressly suggest that ZIP codes should be considered personally identifiable information. However, based on the recent Massachusetts federal court decision in Tyler v. Michaels Stores, Inc.1, it appears that at least some courts would be willing to consider ZIP codes as PII even though a statute may not explicitly classify a ZIP code as such. In Tyler, the Court determined that, at least for the purposes of a credit card transaction under Ch. 93 §105(a) of the Massachusetts General Laws, ZIP codes should be considered PII even though §105(a) does not specifically classify a ZIP code as PII. §105(a) only states that PII "shall include, but shall not be limited to, a credit card holder's address or telephone number."
The defendant Michaels Stores, Inc. ("Michaels") argued that unlike an address or telephone number that identifies an individual, a ZIP code is a numbered coding system that only identifies a post office geographic area and therefore, cannot be considered PII. Plaintiff Tyler conversely relied on the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc.2 to argue that a ZIP code is part of the address and that the Massachusetts statute was intended to include all components of the card holder's address within the meaning of PII. The Massachusetts district court, however, determined that §105(a) of the Massachusetts statue was much narrower in scope than the California statue. The court further found that while the intent of the California legislature was to prevent retailers from directly or indirectly obtaining PII for marketing purposes, the main concern of the Massachusetts legislature was to prevent exposing the customer to an unnecessary risk of identity fraud by using PII on a transaction form, not otherwise required for the credit card transaction. The Court also dismissed the Plaintiff's argument that a ZIP code should be considered PII under §105(a) because a ZIP code could be used in conjunction with other data such as the individual's name to obtain the full address of the individual as the Plaintiff had argued. Rather, the Court reasoned that because in some circumstances the credit card issuer may require the ZIP code to authorize a transfer of funds, as a debit card issuer requires a PIN number, both a ZIP code and a PIN number may be used fraudulently to assume the identity of the card holder. As a result, just as a merchant puts a customer at risk of identity fraud by recording a PIN number on the transaction form, a merchant puts a customer in a similar risk of identity fraud by recording a ZIP code on the transaction form. Therefore, the Court determined that ZIP codes are considered PII under §105(a).
These cases indicate that the concept of PII is still an evolving concept, and as technology increases the ability to identify individuals using a collection of different types of information, the legal definition of what encompasses PII will also likely continue to expand.