As a merchant, do you request that consumers provide their ZIP codes as part of a credit-card transaction? If so, you may have inadvertently turned yourself into a class-action target under a California Supreme Court ruling earlier this month that held that ZIP code collection and recording amount to impermissible acquisition of Personally Identifiable Information (“PII”) under California’s Song-Beverly Credit Card Act. The ruling exposes merchants that engage in this practice to the possibility of millions of dollars in defense costs and billions of dollars in potential liability in litigation that undoubtedly will span the country for the next several years.

What Happened

In 2008, a putative class action plaintiff sued Williams-Sonoma because in one of the merchant’s California stores, the cashier requested the consumer’s ZIP code and entered it into an electronic cash register. Pineda v. Williams-Sonoma Stores, Inc., 2011 WL 446921 (Cal. Feb. 10, 2010). The transaction resulted in the consumer’s credit card number, name, and ZIP code being stored in a database.

The plaintiff claimed, among other things, that the collection and storage of her ZIP code violated California’s Song-Beverly Credit Card Act, Cal. Civ. Code § 1747, et seq., which says that “[n]o person, firm, partnership, association, or corporation that accepts credits cards for the transaction of business shall . . . [r]equest, or require as a condition of accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” Id. at § 1747.08(a)(2). “Personal identification information” is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Id. at § 1747.08(b).

The critical question before the California Supreme Court was whether, in referring to a cardholder’s address, the statute covered a ZIP code in isolation from the rest of the address. Although the trial court and intermediate court of appeals found that it did not, the California Supreme Court disagreed and ruled for the consumer.

The questions that naturally follow are: What is the harm, and aren’t damages, if any, minimal? The unfortunate response for defendants is that the statute provides for maximum statutory penalties of $250 for the first violation and $1,000 for each subsequent violation. Thankfully, the statute gives the trier of fact the ability to award less than those statutory maximums. Nevertheless, plaintiffs’ class-action lawyers are almost certain to spend the next several years litigating these cases and trying to maximize statutory damage awards. In fact, The Wall Street Journal reported on February 22, 2011, that the California Supreme Court’s decision has “unleashed a rash of lawsuits against big retailers that ask customers to provide zip codes when making purchases with a credit card.” The Wall Street Journal, C7, Feb. 22, 2011. Among defendants already sued, according to the Journal, are Best Buy, Coach, Nordstrom, and Macy’s.

What it Means

The decision means that if you are a merchant of goods or services and are collecting ZIP codes (or addresses or telephone numbers) in conjunction with credit card transactions, you should consider revising your practices (note that other states, such as Kansas, Rhode Island, and Oregon, have similar credit-card laws). More generally, the decision highlights once again how crafty plaintiffs’ class action lawyers are formulating new theories of consumer privacy breach, to the detriment and chagrin of companies that, despite the best intentions, are finding that their seemingly innocuous business practices are winding up costing them millions of dollars in defense costs.

What You Should Do

Over the past 12 to 24 months, privacy litigation, legislation, and regulatory activity have exploded. Navigating this minefield is not for the faint of heart or the ill-informed.