Massachusetts Supreme Court Data Privacy Ruling Will Challenge Retailers

Already home to one of the toughest data protection laws in the country, Massachusetts now joins California in having expansive protections for data exchanged during a credit card transaction.

On March 11, 2013, in Tyler v. Michaels Stores Inc., No. SJC-11145, (Mass. Mar. 11, 2013), Massachusetts' highest court held that a retailer can violate credit card data and consumer protection statutes if:

  • a consumer pays in-store with a credit card; and
  • that consumer's zip code is recorded at the point of sale.

Crucially, the violation can be triggered:

  • even if no actual fraud was perpetrated; and
  • even if no subsequent data theft occurs.

When courts in California reached a similar conclusion in the now infamous Pineda case (Pineda v. Williams-Sonoma Stores, Inc. (2011) 120 Cal.Rptr.3d 531, 246 P.3d 612), more than 150 class action lawsuits ensued.

Retailers in Massachusetts need to promptly review, therefore, not only their in-store point-of-sale practices but their online sales and marketing activities as well. A critical first step is development of careful, auditable means to distinguish between use of consumer data collected online and data separately collected from the same consumer in-store. Otherwise, a lawful online campaign conducted with full disclosure under a compliant privacy policy may, if point-of-sale data is also collected, be sufficient to sustain a cause of action by an entire class of plaintiffs, at least through the costly summary judgment phase.

Our initial recommendations are that retailers:

  • review in-store and online data collection practices and modify as necessary to mitigate the risks raised by Tyler;
  • establish a process to track consumer complaints related to marketing campaigns; and
  • put a process in place to respond timely to such complaints and thereby leverage the available safe harbors.