A California court ruled last week that retailers could lawfully collect ZIP code information to reduce credit card fraud, efforts that result in lower prices for consumers. Following the California Supreme Court’s decision in Pineda v. Williams-Sonoma Stores, Inc.,1 retailers in the state have faced claims that collecting ZIP code information during a credit card transaction was illegal, subjecting stores to penalties of up to $1,000 per transaction.2 In Flores v. Chevron, the Court of Appeal held that collecting ZIP codes to ferret out fraud was a "special purpose" allowed by the Song-Beverly Credit Card Act, rejecting claims by so-called consumer protection lawyers that this form of fraud prevention was not allowed.3 The ruling brings welcome news, reassuring retailers that they can fight fraud without running afoul of the Act.
In the flurry of litigation that followed Pineda, plaintiffs’ lawyers argued that any collection of ZIP code information during a credit card transaction violated Song-Beverly, even if the information was used as part of an address verification service offered by credit card issuers or to otherwise prevent fraud.4 Retailers have argued that collecting information to rein in the $200 billion a year credit card fraud industry had to be allowed under the Act.
In Flores v. Chevron, the Court of Appeal answered the question of whether fraud prevention falls within the "special purpose" exception to the Act with a resounding "Yes."5 Under this exception, businesses are permitted to collect personal identification information (PII) if the information is "required for a special purpose incidental but related to the credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders."6 Plaintiffs’ lawyers argued that fraud prevention was not within this exception because it is not like the special purposes listed in the statute.7
In deciding Flores, the Court of Appeal rejected plaintiffs’ proposal to limit "special purposes" solely to activities requiring post-purchase contact with the consumer, and concluded that fraud prevention was a valid purpose for ZIP code collection.8 Specifically, the Court found that preventing fraud is incidental to the transaction because it is possible for the retailer to complete it without attempting to ensure the transaction is not fraudulent, but that it is related insofar as the retailer is trying to ensure that the transaction in question is not fraudulent.9
Although the Legislature already amended the Act after Flores was filed to add an exception designed to permit the conduct at issue in the case — a gasoline retailer’s collection of ZIP codes for pay-at-the-pump transactions — the Court of Appeal declined to consider whether the 2011 amendment was decisive in this case.10 Instead, the Court opted to send a strong message to all retailers committed to combatting fraud by reading a fraud prevention mechanism into the Act.
The Court of Appeal’s ruling in Flores goes a long way towards facilitating retailers’ ability to control fraud without the specter of Song-Beverly liability. While this ruling provides long-awaited good news, pending legislation would provide retailers broader leeway to fight fraud.11 The proposed amendment to the Act includes a specific and comprehensive exception permitting businesses to collect PII if it is used for the "detection, investigation, or prevention of fraud, theft, identity theft, criminal activity, or enforcement of terms of sale."12 Even without this legislative "fix," however, retailers can breathe a little easier now that the Court of Appeal has expressly acknowledged that fraud prevention falls within a statutory exception to the Act as enacted.