A recent decision of the California Supreme Court is sending a chill through a common retail practice: requesting a customer’s ZIP code during a credit card transaction for research and marketing purposes. The decision, in Pineda v. Williams-Sonoma Stores, Inc., found that the practice of collecting ZIP codes violates a California statute, the Song-Beverly Credit Card Act, which forbids businesses from requesting “personal identification information” during a credit card transaction.
The February 2011 decision has launched a flurry of class-action litigation within the California court system as plaintiffs’ law firms target large retailers and other businesses that do a large volume of credit card transactions within the state. According to one report, in the weeks following the decision, more than 20 such actions were filed against retailers including Wal-Mart Stores Inc., Target Corporation, Coach Inc., Nordstrom Inc., Macy’s Inc. and Best Buy Co. The plaintiffs’ bar is doubtlessly motivated, in part, by the availability of statutory fees: companies that violate the statute are subject to fines of $250 for the first violation and as much as $1,000 for each subsequent violation, potentially exposing a retailer to millions of dollars in fines.
Pineda has far-reaching implications for retailers with operations in California, and possibly for non-California merchants that transact business with California residents or over the Internet.
IMPLICATIONS OF PINEDA CASE
- Must businesses conducting in-person credit card transactions in California avoid requesting ZIP codes under all circumstances? A complete avoidance of requesting ZIP codes is not necessary. As the California Supreme Court recognized, under Song-Beverly, a business may require that a customer produce forms of identification (such as a driver’s license or California state identification card, both of which contain ZIP codes) as a condition to completing the credit card transaction. However, none of that information may be recorded. In addition, businesses may record personal identification information if (1) the credit card is being used as a deposit or for cash advances; (2) the entity accepting the card is contractually required to provide the information to complete the transaction or is obligated to record the information under federal law or regulation; or (3) the information is required for a purpose incidental to but related to the transaction, such as for shipping, delivery, servicing, or installation.
In the wake of Pineda, businesses taking advantage of these statutory exceptions should take precautions to make certain that their legitimate reasons for requesting ZIP code information are made clear to cardholders. Employees should also be trained accordingly, including when and for what purposes they may request or record personal identification information in such transactions in California.
- May a retailer request ZIP codes if it informs its customers that the collection of information is for marketing purposes (and is not necessary to complete the credit card transaction), and thereby avoid liability under the statute? The California Supreme Court’s discussion of the legislative history of the statute suggests that the answer is “no.” The court explained that it was the intention of the legislature to prevent a retailer “from making an end-run around the law by claiming the customer furnished personal identification information ‘voluntarily.’” It would therefore be difficult to argue in a California court that a customer in California may waive application of the statute by consenting to the retailer’s collection of ZIP codes.
- Are online merchants whose operations are located in California, or who sell to customers in California, subject to Song-Beverly? While a large portion of e-commerce involves shipping of tangible goods and therefore requires the merchant to request a ZIP code at some point during the transaction, other types of e-commerce, such as the purchase and download of software, do not involve shipping and a ZIP code may therefore not be required for such transactions. An earlier decision of the U.S. District Court for the Central District of California (Saulic v. Symantec Corp., January 5, 2009) held that the statute was not intended to apply to online sales. However, online merchants should be cautioned that the Saulic decision has not been reviewed by any California state court, which may reach a different conclusion.
- What about activity beyond the borders of California, such as a New York branch of a large national retailer that requests the ZIP code of a customer who happens to be a California resident? If that retailer does business in California, might it be subjected to suit in California for a violation of the Act based on the transaction that took place in New York? Some retailers are reportedly responding to Pineda by issuing new directives only to their California operations. However, the decisional law has not yet addressed the issue. One recently filed class action lawsuit (Flores v. Chevron Corp. et al., Docket No. BC455706, Los Angeles Superior Court) limits its class definition to all persons “in the State of California” who patronized various retailers and had their ZIP codes collected by the retailer in connection with a credit card transaction. Given that the issue is untested, however, retailers are advised to proceed with caution.
BACKGROUND: THE SONG-BEVERLY CREDIT CARD ACT AND PINEDA
California’s Song-Beverly Credit Card Act provides, in pertinent part, that a person, firm, partnership, association, or corporation may not “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” Ca. Civ. Code § 1747.08(a)(2).
The California Supreme Court in Pineda found that a broad interpretation of the definition of “personal identification information” (or “PII”) is consistent with the protective purpose of the statute. The Court noted that although the legislative history of the statute does not specifically indicate whether lawmakers intended a ZIP code to constitute PII, or whether “address” included components of a cardholder’s address, the legislative history does demonstrate the legislature’s intention to provide robust consumer protections by prohibiting retailers from requesting and recording information about the cardholder that is unnecessary to the credit card transaction.
The statute defines PII to mean “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Ca. Civ. Code § 1747.08(b).
In Pineda, the plaintiff filed a putative class action alleging that retailer Williams-Sonoma violated the Act by asking for her ZIP code when she made a purchase at the store with her credit card. She asserts that the defendant used her name and ZIP code to perform a “reverse append” to locate her home address. In a reverse append, retailers use customized computer software to perform reverse searches from databases containing names, email addresses, telephone numbers and street addresses that are indexed to resemble a reverse telephone book. By using this software and applying it to a customer’s ZIP code, the plaintiff alleges that the defendant was able to obtain her previously undisclosed address and use this information to market products, and, in some cases, sell the information it had compiled to other businesses.
In the proceedings below, the trial court in Pineda had concluded that a ZIP code alone did not constitute PII. The intermediate appellate court, the Court of Appeals, affirmed the trial court decision and reasoned that a ZIP code pertains to a large group of individuals who live within the ZIP code, and is not itself specific or personal information about an individual, and thus not PII.
The California Supreme Court rejected the holding and reasoning of the Court of Appeals. It identified several “problems” it perceived in that reasoning. First, the Supreme Court held that the word “address” in the definition of PII should be construed to encompass not only a complete address, but also the components of an address. The Court expressed concern that unless components of an address were also protected, a retailer could circumvent the statute by collecting almost all the components of an address but simply leaving out one aspect (such as the house number).
Second, the California Supreme Court rejected the Court of Appeals’ assumption that a complete address and telephone number identified an individual, and thus were distinguishable from ZIP codes that applied to a group of people rather than only an individual. The Supreme Court reasoned that a complete address and telephone number may not be specific to an individual; rather, it could be possible that a complete address or telephone number could pertain to a group of individuals in one household. Thus, it rejected the Court of Appeals’ reasoning that a ZIP code was dissimilar to a full address or telephone number, and thus not PII, because it pertained to individuals other than the cardholder.
Third, and most importantly, the California Supreme Court found that the Court of Appeals ignored the fact that a ZIP code is unnecessary to the completion of a credit card transaction, and when a ZIP code is used in conjunction with other cardholder data available to the retailer, including cardholder name and credit card number, the cardholder’s full address can be located.
We do not expect courts outside of California to import the reasoning in Pineda into cases involving other laws designed to protect personal information. Such statutes generally have their own definitions of what constitutes such information. We caution, however, that California is regarded as a trendsetter in some areas of the law, and with the rapid increase in recent years of laws protecting personal information in virtually every state, businesses should have their collective ear to the ground for statutes prohibiting the collection of ZIP codes being introduced outside of California.