A significant legal development has occurred that directly impacts any retailer with business operations in California.

Retailers who ask customers for their ZIP codes at the time of a credit card purchase may now find themselves the subject of class action claims alleging violations of California’s Song-Beverly Credit Card Act (the Credit Card Act). There has been a recent flood of plaintiffs’ cases filed in California state and federal courts. These class action lawsuits request a penalty of up to $1,000 for each customer whose ZIP code was requested by a retailer in the last 12 months. Thus, the penalties requested for alleged violations of the Credit Card Act are astronomical.

The Credit Card Act, codified at California Civil Code § 1747.08, prohibits vendors from requesting and recording “personal information” in connection with credit card transactions. The statute defines “personal information” as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” (Civil Code § 1747.08(b).) California courts once held that ZIP codes did not constitute “personal information” under the Credit Card Act; however, on February 10, 2011, the California Supreme Court drastically changed that landscape.  

The Credit Card Act – An Overview  

Section 1747.08(a)(2) of the Credit Card Act states that a company that accepts credit cards for a transaction may not:  

Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit transaction form or otherwise.  

Civil Code § 1747.08(a)(2).

Courts interpreting this section have found violations even where the request for personal identification information is not a “condition to accepting the credit card as payment.” In sum, certain California courts have held that it is sufficient that the information be requested. See, e.g., Florez v. Linens N Things, Inc., 108 Cal.App.4th 447 (2003). The Florez court looked to the legislative intent underlying the statutes, which it stated was to protect the personal privacy of consumers and to prevent retailers from requesting personal identification information and then matching it with the consumer’s credit card. (Id.) The Florez court reasoned that a 1991 amendment to the statute inserting the term “request” was designed to prevent retailers from making “an end-run” around the law claiming the data was provided voluntarily. (Id. at 453.) The court rejected the retailer’s argument that responding to the request was voluntary and made before the method of payment was known. (Id.)

Thus, to succeed, plaintiffs argue that they do not need to establish that the personal identification information was required to complete the transaction. They will argue that simply requesting the information – and recording it anywhere – is sufficient.

In addition, California courts have held that it is the subjective understanding of the consumer which is important – not the subjective understanding of the seller. Florez, 108 Cal.App.4th at 451. In other words, if consumers would perceive the store’s “request” for information as a “condition” of the use of a credit card, then a violation may be stated. (Id.)

Section 1747.08(a)(3) of the Act contains additional prohibitions. It states that a seller cannot:

Utilize, in any credit transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder. Civil Code § 1747.08(a)(3).  

However, because most retailers no longer use preprinted spaces, this section of the Act is generally not as commonly litigated.  

California courts have held that there is a one-year statute of limitations that applies to the Credit Card Act. Shabaz v. Polo Ralph Lauren Corp., 586 F.Supp.2d 1205 (C.D. Cal 2008); TJX Companies, Inc. v. Superior Court, 163 Cal.App.4th 80 (App. Dist. 2008) (modified on denial of rehearing, review denied). Thus, the recently-filed class actions generally date back 12 months from the date they were filed.  

“Personal Information” and ZIP Codes  

On February 10, 2011, the California Supreme Court held that requesting and recording a cardholder’s ZIP code may violate the Credit Card Act. In Pineda v. Williams-Sonoma Stores, Inc. 2011 WL 446921 (Cal.) (Cal. 2011), the California Supreme Court expressly disapproved a prior Court of Appeal decision, Party City Corp. v. Superior Court, 169 Cal. App.4th 497 (2008) that had previously held that ZIP Codes did not constitute “personal identification information” under the Credit Card Act.  

In Pineda, the plaintiff alleged that while she was paying for a purchase with her credit card in one of Williams-Sonoma’s stores, the cashier asked plaintiff for her ZIP code. (Id.) at 1. The cashier entered the plaintiff’s ZIP code into the electronic cash register and then completed the transaction. The plaintiff alleged that she believed it was necessary to complete the transaction and therefore gave her ZIP code to the cashier. Plaintiff also alleged that the defendant retailer subsequently used her name and ZIP code to locate her home address. (Id.) The court noted that the defendant used customized computer software to perform reverse searches from the database, which contained millions of names, email addresses, telephone numbers and street addresses that were apparently indexed like a reverse telephone book. (Id.) The court also noted that the defendant was thereby able to access the plaintiff’s previously undisclosed address, which it maintained in its own database that it used to market its products and/or allegedly sell that information to other businesses. (Id.)

Plaintiff filed a putative class action alleging the defendant had violated the Credit Card Act. Williams-Sonoma moved to dismiss the plaintiff’s claims in part because ZIP codes were not “personal identification information.” The trial court agreed and ruled that a ZIP code did not constitute “personal identification information.” A court of appeal affirmed the trial court’s dismissal of the Credit Card Act claims, relying on Party City Corp. v. Superior Court, 169 Cal.App. 4th 497 (2008). The Party City court had concluded that a ZIP code, without more, did not constitute personal identification information. (Id. at 2.)

Thus, the sole issue before the California Supreme Court in Pineda was whether Section 1747.08 is violated when a business requests and records a customer’s ZIP code during a credit card transaction. The California Supreme Court concluded that in light of the language of the statute and its legislative history, a ZIP code constitutes “personal identification information” as used in Section 1747.08. (Id. at 3.) The court concluded that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.” In so ruling, the Pineda court explicitly disapproved the holding of Party City. (Id. at 5.)

The Pineda court explained that the Legislature’s intention that a ZIP code does constitute personal information is derived from the fact that a ZIP code is well-understood to be part of an address. (Id. at 3.) The court construed the word “address” in the act to encompass not only a complete address, but also any of it components. (Id.)

The Supreme Court rejected the reasoning that because a cardholder’s ZIP code pertains to other individuals in addition to the cardholder, it is dissimilar to an address or telephone number. (Id. at 4.) The court analogized a person’s ZIP code to his or her work address or work telephone number, which may also pertain to a large number of people. (Id.)

The court stated that it believed its newly-adopted interpretation of the Credit Card Act would be more consistent with the rule that courts should liberally construe remedial statutes in favor of their protective purpose, which, in the case of section 1747.08, includes addressing “the misuse of personal identification information for, inter alia, marketing purposes.” (Id.) ( citing Absher v. AutoZone, Inc. (2008) 164 Cal.App.4th 332, 345, 78 Cal.Rptr.3d 817). The court expressed its concern that any other interpretation would allow retailers to make an “end-run” around the statute’s purpose by allowing retailers “to obtain indirectly what they are clearly prohibited from obtaining directly.” (Id. at 4.)

The Implications of Pineda: There has been a recent flood of plaintiff class actions alleging violations of the Credit Card Act. Dozens of major retailers with operations in California have been named as defendants.

With respect to potential damage exposure to retailers, Section 1747.08(e) provides potentially substantial penalties for violations of the Act:

Any person who violates this section shall be subject to a civil penalty not to exceed two-hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the District Attorney or City Attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant’s maintenance of procedures reasonably adopted to avoid that error. When collected, the civil penalties shall be payable, as appropriate, to the person paying with the credit card who brought the action, or to the general fund of whichever governmental entity brought the action to assess this penalty.  

Civil Code § 1747.08(e).

There have been relatively few cases interpreting the civil penalty under this statute. At least one case has held that civil penalties are mandatory, although the amount of the penalty is within the court’s discretion. TJX Companies v. Superior Court, 163 Cal.App.4th 80 (2008). The Pineda court rejected a due process argument that the penalty provision was unconstitutionally oppressive because it could result in penalties “approaching confiscation of the entire business.” (Id. at 7.)  

Plaintiff’s counsel will argue that the civil penalty does not require a finding that the defendant willfully acted with knowledge of and/or intent to violate Civil Code § 1747.08. While § 1747.08(e) provides a safe haven for “bona fide” errors, the defendant must have procedures adopted to avoid the error. However, if a company was simply ignorant of the statute, but collected personal information, plaintiffs have and will continue to argue that such a company could still be subject to the civil penalty. Plaintiffs assert the same argument it would if a company acted negligently. In sum, defendants named in a putative class involving the Credit Card Act will face allegations that they are liable for a civil penalty under the Act even if there is no intentional, willful violation of § 1747.08.  

Given the fact that these putative actions can date back 12 months from the date they were filed, retailers who are sued as defendants are faced with the prospect of allegations that thousands of customers’ rights were violated, and that courts should enact penalties up to $1,000 for each separate violation.

How courts will treat newly-filed cases remains to be seen. However, there appears to be an argument that the Pineda decision should not be used to support a putative class action at this time. The reason, in part, involves the one-year statute of limitations. The newly-filed cases generally assert that class members are “all persons in California from whom the defendant requested and recorded personal identification information (i.e., ZIP codes) with a credit card transaction within one (1) year of the filing of this case.” That would necessarily include a vast majority of customers whose ZIP codes were requested and recorded before the Pineda decision disapproved the Party City court’s ruling that ZIP codes did not constitute personal identification information under the Act.

While the Pineda court stated that under the facts of the case before it, its decision should be applied retroactively, there is a colorable argument that those facts are distinguishable. The Pineda court noted that both Williams-Sonoma’s conduct and the filing of the plaintiff’s complaint pre-dated the Party City decision. (Id. at 7.) Thus, the Pineda court stated “it therefore cannot be convincingly argued that the practice for asking customers for their ZIP codes was adopted in reliance on Party City.” (Id.) The court noted that “it is difficult to see how a single decision by an inferior court could provide a basis to depart from the assumption of retroactive operation.” (Id.) The court concluded that Williams-Sonoma identified no reason that would justify a departure from the usual rule of retrospective application.” (Id.)

However, retailers who have recently been – or will be – sued should not be precluded from arguing against retrospective application of Pineda because Party City was in fact the applicable law during the majority of the last 12 months. Allowing putative class actions to proceed against defendants whose conduct was arguably legal at the time is a very different fact scenario than addressed by Pineda.  

In conclusion, retailers with operations in California need to be aware of the new Pineda decision and its implications. Retailers that continue to collect ZIP codes may very well find themselves the subject of putative class actions, the penalties for which could be substantial.