On March 11, 2013, the Supreme Judicial Court of Massachusetts ruled in Tyler v. Michaels Stores, Inc. that a retailer’s collection of ZIP codes while processing credit cards can violate Mass. Gen. Laws ch. 93, § 105(a), a Massachusetts statute restricting the collection of personal identification information during credit card transactions. The state court decision, which concluded that the statute was aimed at protecting privacy rather than preventing identity fraud, bolsters a putative class action against the craft retailer that was brought in Massachusetts federal court. The ruling also is likely to precipitate an increase in privacy class action litigation against retailers, particularly those conducting business in Massachusetts.
In May 2011, Melissa Tyler filed suit against Michaels Stores, Inc. (“Michaels”) on behalf of herself and a putative class of Michaels customers in the federal District Court of Massachusetts. Tyler alleged that Michaels’ electronic recording of customer ZIP codes violated a Massachusetts statute restricting the collection of personal identification information (“PII”) during credit card transactions, thereby permitting her to assert a claim under the Massachusetts Unfair Trade Practices Act, G.L. c. 93A, § 2. Michaels filed a motion to dismiss Tyler’s complaint. The District Court agreed with Tyler that ZIP codes constituted PII under the state’s privacy statute and that Michaels’ electronic terminal contained “credit card transaction forms” within the meaning of the statute. The court ultimately determined, however, that Tyler had not alleged a cognizable injury sufficient to state a claim under the Massachusetts Unfair Trade Practices Act, and therefore granted Michaels’ motion to dismiss Tyler’s complaint.
Tyler then filed a motion to certify three questions regarding the proper interpretation of the state privacy statute to the Supreme Judicial Court of Massachusetts (“SJC”), which serves as the ultimate authority for interpreting the meaning of Massachusetts law. The three questions certified were: 1) whether a ZIP code constitutes PII under the privacy statute; 2) whether a plaintiff could bring an action under the privacy statute without showing identity fraud; and 3) whether the privacy statute’s reference to a “credit card transaction form” could apply either to an electronic or a paper transaction form.
The Massachusetts high court, in a unanimous opinion, ruled on all three questions in favor of Tyler. On the first question, the court determined that a ZIP code constitutes PII under the state statute because, when combined with the consumer’s name, the ZIP code provides the merchant with enough information to identify through publicly available databases the consumer’s address or telephone number—the very information the state privacy statute expressly identifies as PII. On the second question, the court concluded that a plaintiff could sustain an action under the statute without showing identify fraud because, after examining the legislative history and statutory text, the court decided that the principal purpose of the statute was to guard consumer privacy, not protect against identity theft. Finally, based on its reading of the statutory text, the court held that the term “credit card transaction form” applied to both electronic and paper forms.
Notably, in ruling that Tyler could sustain an action under the privacy statute absent identity fraud, the SJC expanded its analysis and considered what injury or loss must be alleged in order to state a claim under the Massachusetts Unfair Trade Practices Act. The court observed that the receipt of unwanted marketing materials or the sale of customer data to third parties could suffice to state a cognizable injury. Tyler may now return to federal court and attempt to proceed with her case, assisted by the SJC’s authoritative interpretation of Massachusetts law.
The implications of the SJC’s interpretation of Massachusetts statutory law in Tyler’s favor extend well beyond the Tyler case. The decision is reminiscent of a 2011 opinion by the Supreme Court of California, Pineda v. Williams-Sonoma Stores, Inc., holding that ZIP codes can qualify as PII under the California Song-Beverly Credit Card Act. The Pineda ruling led to a wave of consumer class action lawsuits regarding the ZIP code collection practices of California retailers, although Pineda has since been narrowed so as not to apply to online purchases in which the product is downloaded electronically, under the rationale that certain safeguards against fraud, such as visually inspecting the credit card, are not available to online merchants. As in the wake of the Pineda ruling in California, increased consumer privacy litigation should be expected in Massachusetts.
Retailers operating in Massachusetts should review their current data collection and use policies regarding ZIP codes and other types of information in light of the Tyler decision. Retailers in other states should do so as well. As a number of other states have statutes limiting the type of information retailers can collect from customers (including Delaware, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Rhode Island, and the District of Columbia), the Tyler opinion may encourage lawsuits not only against businesses operating in Massachusetts, but also those operating in other jurisdictions.