Massachusetts has joined California as the second state where zip codes are considered personally identifiable information. In Tyler v. Michaels Stores, Inc., the Supreme Judicial Court of Massachusetts recently held that zip codes constituted "personal identification information", within the meaning of a Massachusetts law that prohibits businesses from writing personal identification information of consumers not required by the credit card issuer on credit card transactions forms.
The question of whether zip codes are personally identifiable information has perplexed the retail industry since the California Supreme Court unanimously held in Pineda v Williams-Sonoma Stores, Inc. in 2011 that the Song-Beverly Credit Card Act prohibits merchants from asking for zip codes as part of credit card transactions. In reaction to that decision, businesses that included California residents among their customers were advised to cease requesting zip codes for reasons other than as necessary for order fulfillment. The ruling resulted in an avalanche of class action litigation against retailers, and the potential penalties of up to $250 for the first violation and $1,000 for each subsequent violation, served as sufficient motivation for these businesses to change their practices.
Now, with the Massachusetts Supreme Judicial Court's decision, businesses have another jurisdiction to be concerned with. In the Michaels case, the plaintiff brought a putative class action suit in federal district court claiming that the Michaels stores' electronic recording of customer zip codes violated §105(a) of Chapter 93 of the General Laws of Massachusetts prohibiting retailers from writing personal identification information on credit card transaction forms. The plaintiff asserted that a violation of that section constituted an unfair or deceptive act or practice as defined in Massachusetts G.L. §93A. The Court also looked at whether a plaintiff may bring an action for this privacy violation absent identity fraud. It determined that since the statute did not expressly state that to be entitled to redress, the plaintiff had to be a victim of identity fraud, it was not inclined to impose such a requirement.
The plaintiff does, however, have to allege injury resulting from the violation that is unfair or deceptive, and therefore unlawful. A per se violation of the statute, without more, does not necessarily mean the consumer has suffered an injury or a loss. The Court concluded that the violation of privacy rights that has created the unfair or deceptive act or practice must cause the consumer some kind of separate identifiable harm arising from the violation itself.
Like the California law, the Massachusetts law includes a statutory exception for collecting personal identification information when the entity accepting the card is contractually required to provide the information to complete the transaction, or where it is necessary for shipping, delivery, or installation of purchased merchandise or services. The exception may help with some retailers, but the plaintiff's bar, and Ms. Tyler in particular, will find other retailers to sue. No sooner had the Massachusetts court issued its decision, than Ms. Tyler filed a similar class action suit against the New Jersey-based retailer Bed Bath & Beyond in U.S. District Court in Boston. It would appear another avalanche of litigation is on the way in Massachusetts.