We recently reported on the landmark ruling in Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013), where the Massachusetts Supreme Judicial Court (SJC)  held that a common credit card processing practice—recording customers’ zip codes—violates a Massachusetts statute regulating consumer privacy in credit card transactions, Mass. Gen. Laws ch. 93, § 105(a). The Massachusetts federal district court had dismissed this putative class action in 2012, concluding that the mere collection of a customer’s zip code, in the absence of actual identity theft, is insufficient to give rise to an injury. However, upon certified questions to the SJC, the SJC ruled that the plaintiff’s receipt of unwanted marketing mail constituted an injury under the Massachusetts Consumer Protection Act, Mass. Gen. Laws ch. 93A, allowing the class action to proceed. 

In order to establish a violation of ch. 93, § 105(a) entitling the plaintiff to damages and attorneys’ fees, the plaintiff must suffer an “injury.” The SJC’s ruling in Tyler is significant because it interpreted this injury requirement broadly, noting that there are “at least two types of injury”: (1) the receipt of unwanted marketing materials; and (2) the retailer’s sale of the customer’s personal information to a third party. The decision, in effect, opens the door to liability for retailers who have collected zip codes or other personal information in the credit card transaction process for their own business or marketing purposes.

We noted in our prior article that the legal precedent set by the SJC is concerning for retailers and could lead to a surge of class action lawsuits, much like what happened in California following the California Supreme Court’s similar decision in Pineda v. Williams–Sonoma Stores, Inc., 51 Cal. 4th 524 (2011) in 2011. That fear has now become a reality. In less than two months, six additional lawsuits have been filed under ch. 93, § 105(a):

  1. D’Esposito v. Michaels Stores, Inc.;
  2. Whiting v. Bed Bath & Beyond Inc.;
  3. Brenner v. Williams-Sonoma, Inc.;
  4. Rich v. Williams-Sonoma, Inc.;.
  5. Monteferrante v. Restoration Hardware Holdings, Inc.; and
  6. Brenner v. Kohl's Corporation.


D’Esposito has been consolidated with Tyler v. Michaels Stores, Inc. The Tyler plaintiff has also joined as a plaintiff in Whiting v. Bed Bath & Beyond Inc., which has been consolidated at In Re: Bed Bath & Beyond, Inc., Zip Code Litigation.

The SJC’s decision in Tyler may also have ripple effects on other jurisdictions with similar laws prohibiting the collection of personal information in the credit card transaction process, including Rhode Island, New York, New Jersey, D.C., Maryland, Pennsylvania, Ohio, and Kansas. These jurisdictions could experience a similar flurry in related class action litigation. Retailers are well-advised to reconsider their existing data privacy practices in light of the Tyler ruling and the resulting lawsuits, which may only represent the tip of the iceberg.