Many California retailers have been impacted in recent years by lawsuits brought by self-styled privacy advocates seeking damages and other redress, resulting from retailers' gathering customer addresses, email addresses, telephone numbers or other personal information during the course of a credit card transaction.

The Supreme Court of California issued a decision on February 10, 2011, that appears to render the privacy landscape even riskier for retailers. In Pineda v. Williams-Sonoma Stores, Inc.,1 the state supreme court ruled that a customer's ZIP code constitutes "personal identification information" and that requesting and recording the customer's ZIP code during the course of certain credit card transactions may subject the requesting party to claims for up to $1,000 per transaction, plus other liabilities.

The basis of the court's ruling in Pineda was the Song-Beverly Credit Card Act of 1971.2 Many provisions of the Song-Beverly Credit Card Act were intended to parallel the federal Truth in Lending Act,3 but the California law covers additional topics. One of its provisions, Civil Code section 1747.08, prohibits businesses that accept credit cards from doing any of the following:

  1. Requesting, or requiring as a condition of accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
  2. Requesting, or requiring as a condition of accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information that the person, firm, partnership, association or corporation accepting the credit card writes, causes to be written or otherwise records upon the credit card transaction form or otherwise.
  3. Utilizing, in any credit card transaction, a credit card form that contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

The Song-Beverly Credit Card Act provides many exceptions to this prohibition. A retailer may record information that is on the face of the credit card.4 The retailer may demand reasonable identification, but may not record identification information, such as a driver's license number, phone number or address, on the transaction record or elsewhere. The law does not apply to security or damage deposits; cash advance transactions; Internet, telephone and mail order transactions; refund transactions and a variety of other instances for which personal identification information is required for a special purpose incidental but related to the individual credit card transaction.

Only the California attorney general can seek injunctive relief under the Song-Beverly Credit Card Act, but private parties pursuing individual claims and class actions can obtain civil penalties of up to $1,000 per transaction, plus costs and legal fees. Potential also exists for violations to draw parallel claims based on other California consumer statutes, such as the Consumers Legal Remedies Act5 or the Unfair Competition Law.6

Numerous class action suits have been brought under the Song-Beverly Credit Card Act. Plaintiffs typically contend that they made a purchase and were asked to provide a ZIP code, address or telephone number that was then typed into the cash register, and that they were led to believe that providing this information was a mandatory condition of the transaction. They allege a panoply of potential losses of privacy and misuse of their personal information, but the core of their claims—and a potentially significant risk to retailers and others dealing with California consumers—is the $1,000 civil penalty per transaction, as well as attorneys' fees.

Many retailers request ZIP codes from customers, not for the purpose of reconstructing their customers' addresses to send them junk mail, but for perfectly legitimate purposes such as determining where to locate new stores or focus newspaper advertising. Until this month, retailers who requested only ZIP codes enjoyed a temporary respite from liability under the Song-Beverly Credit Card Act based on lower court holdings, such as Party City v. Superior Court, that a ZIP code does not constitute "personal identification" under the statute.7

However, in Pineda v. Williams-Sonoma, the supreme court disapproved the Party City ruling and others like it. The court held that a credit card customer's ZIP code—even when provided with nothing more—constitutes "personal identification information," and that businesses are subject to liability for requesting and recording it during a credit card transaction, irrespective of what they do with the information.

In so holding, the supreme court dismissed arguments that the statute violates due process because it could result in substantial penalties that might be confiscatory in nature. The court noted that the statute provides flexibility to courts in setting penalties, because the $1,000 figure is a maximum penalty, and a court is free to award a lower amount "or even the proverbial peppercorn we all encountered in law school."

The supreme court also dismissed defense arguments that its new ruling should apply only prospectively, thereby potentially exposing businesses to liability if they relied on Party City or similar cases in thinking that they were compliant with the Song-Beverly law by requesting customer ZIP codes and nothing more.

What This Means for Companies

All businesses who accept credit card payments from California consumers should consider assessing their credit card transaction and information-capture policies and procedures for compliance with the Song-Beverly Credit Card Act and other pertinent laws and regulations.