Earlier this month, we reported on the privacy case against craft giant Michaels Stores (see our blog post here, as well as our client alert here) in which the plaintiff alleged that Michaels illegally collected zip codes during credit card transactions. The case was ultimately dismissed by the federal district court, but questions of law were sent to the Massachusetts Supreme Judicial Court (“SJC”), including whether zip codes are “personal identification information” under Mass. Gen. Laws ch. 93 § 105. In the Michaels case, the SJC held that zip codes are personal identification information under the consumer protection law relating to credit card transactions.

Another important question sent to the SJC through the Michaels case was whether legal action could be brought under the statute where there was no evidence of identity fraud. The SJC found that a case can be brought even if there is no evidence of identity fraud, as the statute is intended to “address invasion of consumer privacy by merchants…” The SJC listed two specific harms that constitute an injury under the statute:

  1. the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of consumer personal identification information; and
  2. the merchant’s sale of a consumer’s personal identification information to a third party.

Both of these injuries are alleged in in two putative class action complaints against defendant Bed Bath & Beyond (“BBB”).  One complaint recently filed by the same plaintiff in the Michaels case, and another filed by by plaintiff Kelley Whiting. Both complaints were filed in federal district court and allege that BBB  violates customers’ privacy by collecting zip codes during credit card transactions. The complaints assert that BBB does not ask customers for their zip codes because the credit company requires the information or for verification purposes, but rather for “its own business purpose.”  The purpose?  The complaints allege that BBB (a) uses that information to identify the customer’s address and/or telephone number, which it locates using commercially available databases, (b) uses the enhanced information for its own direct marketing (i.e. junk mail) and/or (c) sells the information to third parties.