In Pineda v Willliams-Sonoma Stores, Inc, S178241 (Cal Supreme Court, February 10, 2011) (Pineda), the California Supreme Court held that the Song- Beverly Credit Card Act of 1971 (the “Credit Card Act”) prohibits businesses from requesting and recording a cardholder’s ZIP code as a condition to accepting the credit card as a form of payment, and that a ZIP code constitutes “personal identification information” (“PII”) under the Credit Card Act. The case has drawn significant attention because of the broad language of the court’s opinion and its impact on retailers who do business in California.

impact of pineda

If you do business as a “brick and mortar” retailer in California, Pineda undoubtedly necessitates a reassessment of your data collection and use practices. If you operate a website or online service and collect PII from California consumers should you be similarly concerned about the impact of Pineda on your data collection and use practices or on your privacy policy? For now, the answer is a cautious “no.” Pineda applies only to the Credit Card Act and it should not be assumed that a court would apply the reasoning in Pineda to interpret another statute in which the definition of PII (or a similar term) is at issue, e.g., the California Online Privacy Protection Act. Moreover, there is a relatively recent Federal district court case, Saulic v. Symantec, 596 F.Supp.2d (1323) (2009) (Saulic), in which the court held that the Credit Card Act does not apply to online transactions. But it is important to bear in mind that there is no published California state court opinion holding that the Credit Card Act does not apply to online transactions. Thus, if that issue was presented to a California court and Saulic was cited as authority, the California court certainly would consider the holding in Saulic, but would not be required to treat it as binding precedent if the court arrived at a different conclusion. Moreover, in view of the increasing attention and scrutiny that the Federal Trade Commission and governmental authorities in the European Union have been giving to the collection, use and sharing of a consumer’s personal information, and considering the broad language of Pineda, clearly there are issues that need to be tracked.

facts and procedural history

Pineda arose from a purchase that the plaintiff, Jessica Pineda, made at a store operated by the defendant, William-Sonoma Stores, Inc. In the course of the purchase transaction the cashier requested the plaintiff’s ZIP code, which was ultimately recorded in the defendant’s database along with the plaintiff’s credit card number and name. Through the use of customized software the defendant performed “reverse searches” from databases that contain millions of names, e-mail addresses, telephone numbers and street addresses. By doing so, the defendant generated complete contact information for the plaintiff, including the plaintiff’s previously undisclosed address, and recorded such contact information in its own database. According to the court, the defendant uses its database to market products to customers and may also sell the information that it compiles to other businesses. The plaintiff’s lawsuit claimed that the defendant’s actions violated the Credit Card Act and constituted both unfair competition and an invasion of privacy. The trial court ruled in favor of the defendant on all claims and the Court of Appeals affirmed the trial court’s ruling. The California Supreme Court granted review only of the claimed violation of the Credit Card Act and, in a unanimous decision, reversed the Court of Appeals decision as to this claim.

legal analysis

Key Issues

The primary issue before the California Supreme Court was whether a business violates Section 1747.08(a) of the Credit Card Act if, during the course of a credit card transaction, it requests and subsequently records a cardholder’s ZIP code. Section 1747.08(a) of the Credit Card Act provides, in part, as follows:

“[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall … [r]equest, or require as a condition to accepting the credit card as payment in full or in part of goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

To decide this issue, the court first needed to determine whether a ZIP code, without more, constitutes PII under Section 1747.08 of the Credit Card Act. Section 1747.08(b) of the Credit Card Act defines PII as:

“information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”

In reaching the conclusion that a ZIP code, without more, does constitute PII under Section 1747.08 of the Credit Card Act, the court first analyzed the statutory language and then devoted a considerable portion of the opinion setting out the policy and legislative history-based reasons for its conclusion.

Analysis of Statutory Language

The court first focused on use of the broad term “concerning” (meaning “pertaining to, regarding, having a relation to or respecting”), and concluded that a ZIP code is certainly information that “pertains to or regards” an individual. The court then examined the decision of the Court of Appeals, which, in affirming the trial court’s ruling, had held that a ZIP code, without more, does not constitute PII under the Credit Card Act. The decision of the Court of Appeals relied largely on a prior Court of Appeals case, Party City Corp. v. Superior Court (2008), 169 Cal. App 4th 497 (Party City), which had reached the same conclusion. The reasoning of the Court of Appeals was that an address and telephone are “specific in nature regarding an individual” but that a ZIP code pertains to a group of individuals. Consequently, the Court of Appeals held that a ZIP code, without more, is different in kind than the other items of information enumerated in Section 1747.08(b).

The court rejected this reasoning, pointing out that an address and telephone number may pertain to a group of individuals residing in the same household (or working at the same location) just as the ZIP code would similarly pertain. Thus, the reasoning for the purported distinction between address and telephone number and a ZIP code is unsound. The court also noted that, from a practical standpoint, a ZIP code is readily understood to be part of an address. When a person addresses a letter, a ZIP code is always included. The question then for the court was whether the legislature had intended for PII to refer only to a complete address, or also to the individual components or combinations of components that comprise the complete address. The court concluded that the latter interpretation must be correct because the former interpretation would lead to illogical results. For example, under the former interpretation a business would not be prohibited from requesting a cardholder to provide street name, city and a ZIP code as long as it did not also request the house number. The court stated that this interpretation cannot be correct because it would render the protections of the statute meaningless.

The court’s analysis of the statutory language concluded with an observation that the decision of the Court of Appeals overlooks another reasonable interpretation that is directed to the commonalities that the enumerated items of information (address, telephone number and ZIP code) share: they constitute information that is unnecessary to complete a sales transaction and alone or in combination with other data, e.g., a cardholder’s name or address, they can be used to locate a cardholder’s complete address.

Policy and Legislative History

As to the policy underlying the Credit Card Act, the court stated that its broad interpretation is more consistent with the rule that courts should liberally construe remedial statutes in favor of their protective purpose. Citing to the legislative history of the Credit Card Act, the court noted that the Credit Card Act was enacted in 1971 “to impose fair business practices for the protection of ... consumers” and when amended in 1990 the legislature’s intent was “to address the misuse of personal identification information for, inter alia, marketing purposes” by prohibiting businesses from requiring information that was not necessary to complete the transaction. Thus, the court held that the decision of the Court of Appeals was inconsistent with the protective purposes of the Credit Card Act because it would permit retailers to “end run” the statutory prohibitions by enabling them to obtain a cardholder’s complete address or telephone number indirectly. The court also held that the Court of Appeal’s interpretation results in a conflict between Sections 1747.08(a) and (d). Specifically, under the Court of Appeal’s interpretation that a ZIP code, without more, does not constitute PII, a business would not be prohibited under Section 1747.08(a) from requesting and recording a cardholder’s ZIP code. However, under Section 1747.08(d), a business that requires a cardholder to furnish positive identification, such as a driver’s license or California state id card, as a condition to accepting a credit card is permitted to do so, as long as none of the information in the cardholder’s identification is written or recorded on the credit card transaction or otherwise. Given that “information included in the cardholder’s identification” would invariably include a ZIP code, the court held that the legislature could not have intended such an “inconsonant result.”

conclusion

The reactions to Pineda have ranged from summaries that applaud the decision as a significant pro-consumer case to summaries that are critical, assert that Pineda will make it difficult for retailers to maintain contact with its customers, and predict that retailers will re-consider doing business in California because of the increased risk of liability. Under the Credit Card Act, the maximum penalty is $250 for the first violation and $1000 for each subsequent violation.

Regardless of the impact of I on retailers, and even if a California court followed the reasoning of Saulic and held that the Credit Card Act does not apply to online transactions, Pineda still serves as a reminder of the ever-increasing interest and focus that government agencies and authorities in the U.S. and the European Union have been exhibiting with respect to the protection of consumers’ personal information. To that point, the preliminary report issued in December 2010 by the Federal Trade Commission (FTC) entitled “Protecting Consumer Privacy in an Era of Rapid Change” is relevant. In particular, in its report the FTC made reference to the continuing loss of a distinction between PII and non-PII, resulting from technology changes and the ability to re-identify consumers from supposedly anonymous data. Thus, it is important for businesses that collect, use and share PII in the ordinary course of their operations and who are subject to (or are potentially subject to) the restrictions set forth in the Credit Card Act, to be aware of the issues addressed in Pineda (and related cases) and to understand the relevant statutes and, in some instances, the underlying policy and legislative history.