Massachusetts Supreme Court Data Privacy Ruling Will Challenge Retailers
Already home to one of the toughest data protection laws in the country, Massachusetts now joins California in having expansive protections for data exchanged during a credit card transaction.
On March 11, 2013, in Tyler v. Michaels Stores Inc., No. SJC-11145, (Mass. Mar. 11, 2013), Massachusetts' highest court held that a retailer can violate credit card data and consumer protection statutes if:
- a consumer pays in-store with a credit card; and
- that consumer's zip code is recorded at the point of sale.
Crucially, the violation can be triggered:
- even if no actual fraud was perpetrated; and
- even if no subsequent data theft occurs.
When courts in California reached a similar conclusion in the now infamous Pineda case (Pineda v. Williams-Sonoma Stores, Inc. (2011) 120 Cal.Rptr.3d 531, 246 P.3d 612), more than 150 class action lawsuits ensued.
Our initial recommendations are that retailers:
- review in-store and online data collection practices and modify as necessary to mitigate the risks raised by Tyler;
- establish a process to track consumer complaints related to marketing campaigns; and
- put a process in place to respond timely to such complaints and thereby leverage the available safe harbors.