In answering a certified question from the United States District Court for the District of Massachusetts, the Massachusetts Supreme Judicial Court recently held that a merchant violated state privacy law when it recorded a customer’s zip code during a credit card transaction. According to the unanimous view of the justices of the highest court of Massachusetts, a zip code constitutes an “address” and is thus “personal identification information,” the collection of which in a credit card transaction is prohibited by a state consumer data protection statute.

The question of a zip code’s status was among three questions certified to the Court in Tyler v Michaels Stores, a class action filed in federal district court by a plaintiff who claimed the defendant retailer illegally collected and used her zip code information to send her unsolicited marketing materials.  According to the complaint, a Michaels Stores employee asked the plaintiff for her zip code while she was using her credit card to pay for a retail purchase. Allegedly under the mistaken impression that the zip code was required to complete the credit card transaction, the plaintiff provided her zip code.  Michaels allegedly used the plaintiff’s zip code, together with the plaintiff’s name, to find her address in publicly available databases, and then mailed her unwanted and unsolicited marketing materials. 

The federal district court, taking the allegations of the complaint as true for threshold legal interpretive purposes, held that Michaels Stores’ alleged conduct violated a Massachusetts statute prohibiting a business from recording on a credit card transaction form any “personal identification information” not required to complete the credit card transaction. However, the district court determined that the state law interpretations required to reach that holding were sufficiently complex and important to merit consideration by the state’s highest court. The district court thus certified the zip code status question, as well as two other questions (“may a plaintiff bring an action for this privacy right violation absent identity fraud?” and “may the words ‘credit card transaction form’ refer equally to an electronic or paper transaction form?”) for review by the state court.

In its recent decision, the Massachusetts Supreme Judicial Court found that a consumer’s zip code constitutes “personal identification information” for several reasons, largely informed by current-day realities of information availability and the public policy goals underlying the Massachusetts statute.  The statute lists addresses and telephone numbers as non-exhaustive examples of “personal identification information.”  The court reasoned that the purpose of the statute -- to protect consumer privacy -- would be undermined by interpreting “personal identification information” to exclude a consumer’s zip code, as that would effectively mean a merchant could simply collect a consumer’s zip code and use it, together with the consumer’s name, to identify through publicly available databases, and then record and use, the consumer’s address or telephone number. (On the other two certified questions, the court held that a consumer may bring a claim under the statute even if she is not the victim of identity fraud (but cannot prevail without showing actual injury from the unlawful collection of the zip code) and that the statute applies equally to both written and electronic credit card transactions.)

Click here to see the diagram.

The reasoning of the Massachusetts Supreme Judicial Court in Michaels Stores is similar to that of the California Supreme Court in its 2011 decision in Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the California Court similarly opined that permitting a retailer to obtain a consumer credit card holder’s zip code, when obtaining the consumer’s address or phone number is an express violation of state privacy law, would allow an “end-run” around that law, because zip code information could then “easily be used to locate the cardholder’s complete address or phone number.” As we wrote at the time, the Pineda decision has “broad exposure implications” for business, as it means that virtually any information pertaining to a consumer may be “protected” under state credit card privacy laws.  The Massachusetts decision underscores this point, and indicates that courts may be increasingly willing to interpret consumer privacy laws broadly to take account of the possibilities for accessing extensive personal information using bits and pieces of data that, in and of themselves, may be innocuous from a privacy perspective.