The California Supreme Court held last week that a California law, the Song-Beverly Credit Card Act of 1971 (Cal. Civil Code § 1747 et. seq.), prohibits merchants from requesting and storing consumers' zip codes in the course of completing credit card transactions.

In Pineda v. Williams-Sonoma Stores, Inc., No. S178241 (Cal., Feb. 10, 2011), the high court reversed two lower court decisions -- the underlying case that was on appeal before the court and Party City Corp. v. Superior Court, 169 Cal. App.4th 497 (2008), which had previously held that zip codes were not "personal identification information" (PII).

The Supreme Court held that zip codes are PII and therefore cannot be collected by merchants during credit card transactions.

The decision has triggered a wave of new class action filings against California businesses that have relied on the 2008 Party City case to justify their collection of customer zip code information. The penalty for violating the Song-Beverly Act is up to $250 per violation for a first-time violation and up to $1,000 for subsequent violations.

Companies are seeking guidance regarding what transactions are subject to the rule and what information they can collect from their customers.

Key points that emerge following the Pineda decision include:

  • Merchants may not require consumers to provide PII as a condition to accepting a credit card as payment for the purchase of a product or service if such information is written down or otherwise recorded.
  • PII includes the consumer's telephone number, address, including zip code, email address, and any other information concerning the cardholder other than the information that is shown on the credit card.
  • The Supreme Court will read the Song-Beverly statute broadly to support its purpose of protecting consumers and preventing the misuse of PII by businesses for marketing or other purposes unrelated to the transaction.
  • The existing federal case authority indicates that the statute does not apply to online transactions. See Saulic v. Symantec, 596 F.Supp.2d 1323 (C.D. Cal. 2009). The California Supreme Court has not addressed this question.
  • The prohibition does not apply to transactions where the PII is not written down or otherwise recorded. As such, the statute does not restrict merchants from requiring the production of a drivers' license, personal identification card or even PII (such as the entry of a zip code at a gas station pump) for authentication purposes so long as the information is not recorded.
  • The law does not apply to transactions involving the return of merchandise. See, e.g. Romeo v. Home Depot USA, Inc., No. 06-CV-1505, 2007 WL 3047105, at *7 (S.D. Cal. Oct. 16, 2007); Korn v. Polo Ralph Lauren Corp., 644 F.Supp.2d 1212 (E.D. Cal. 2008); TJX Cos., Inc. v. Superior Court, 163 Cal.App.4th 80 (2008).
  • The statute does not prevent merchants from collecting PII that is incidental to completing the transaction, such as shipping, servicing, delivering or installing merchandise for the consumer.  

Some of the issues that remain open following the Pineda decision include:

  • Can merchants obtain zip code information from consumers that is not linked to other information that would allow the merchant to identify the consumer? The Pineda court was concerned that zip code information, together with the customer's name, gave the merchant the ability to obtain the customer's address through the use of reverse data mining. Where a merchant tracks zip code data solely for the purpose of understanding where its customers live generally, separate from any other PII and not for marketing purposes, such collection might not offend the statute.
  • Can merchants "request" consumer information at the time of a credit card transaction as long as it is clear that the consumer is not obligated to supply the information in order to complete the transaction? The courts in California have not fully addressed this question, indicating that the collection of PII before a credit card transaction is prohibited where the consumer actually believes, or could reasonably believe, that it is required to complete the transaction. See Florez v. Linens 'N Things, 108 Cal.App.4th 447 (2003); Shabaz v. Polo Ralph Lauren Corp., 586 F.Supp.2d 1205, 1210 (C.D.Cal. 2008); Korn, 644 F.Supp.2d at 1216. However, no court has addressed whether the prohibition applies where the consumer is fully aware that the PII is not required to complete the credit card transaction. But see, Florez , 108 Cal.App.4th at 453 ("a 'request' for personal identification information [is] prohibited if it immediately precede[s] the credit card transaction, even if the consumer's response [is] voluntary and made only for marketing purposes").

Companies that have relied on the Party City case to justify gathering zip code or other PII in the past should promptly adjust their policies and procedures to comply with the guidance provided by this new decision.