In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties.  But any retailer that has collected ZIP Codes should be on alert and should evaluate its past (and present) data collection practices to avoid future liability.

The SJC case began when plaintiff Melissa Tyler filed an action for herself and on behalf of a class of customers who shopped at Michaels Stores, Inc., paid with a credit card, and were asked for a home ZIP Code as part of the transaction.  As alleged by Ms. Tyler, Michaels Stores used her (and the class members’) names and ZIP Codes to find their mailing addresses and telephone numbers through commercially available databases and then sent them unwanted marketing materials.  Ms. Tyler sued under Massachusetts General Laws chapter 93, § 105(a), which prohibits businesses that accept credit cards from writing or requiring the customer to write “personal identification information” that is not required by the credit card issuer on the credit card transaction form.  Under that statute, personal identification information is stated to include, but is not limited to, the credit card holder’s address or phone number; information needed for shipping merchandise and for warranties is excluded from the statute’s coverage.

Ms. Tyler initially filed her case in Massachusetts federal district court, and although that federal court agreed that a ZIP Code was “personal identification information” under the Massachusetts statute, that federal court dismissed the case because there was no injury to her from the collection of her ZIP Code.  Nevertheless, the federal district court certified questions about the Massachusetts statute to the SJC for it to answer.  In taking up these questions, the SJC made three important rulings about the statue:

  1. ZIP Codes are personal identification information;
  2. a customer may bring a lawsuit pursuant to Massachusetts General Laws chapter 93, § 105(a) even if there is no identity theft or fraud, if the store used the customer’s personal identification information to send the customer unwanted marketing materials or sold the personal identification information or information derived from it to a third party; and
  3. a credit card transaction form may be an electronic form and need not be in paper.

The SJC decided that ZIP Codes are personal identification information for two reasons: (a) the statute is “explicitly nonexhaustive” in its definition of what is personal identification information (i.e., the statute says that personal identification information “shall include, but shall not be limited to,” a card holder’s address or phone number) (emphasis added), and (b) with a customer’s name, a retailer can use a customer’s ZIP Code to find his address or phone number through available databases, information which is explicitly included as personal identification information under the statute.  The SJC also concluded that because the Massachusetts statute primarily was drafted to protect against invasion of consumer privacy by merchants and not identity theft, customers may bring lawsuits without showing any identity theft, so long as they experience actual injuries.  The injuries that qualify under the statute are broad in scope, and can include receipt of unwanted marketing materials or the retailer’s sale of personal identification information or other information derived from it to a third party.  Finally, acknowledging that the statute’s plain terms do not limit its coverage to just paper credit card transaction forms, and that limiting the statute to paper forms would render the statute largely useless for 21st century commerce, the SJC ruled that electronic credit card transaction forms are covered by the statute.

This decision has already led to a flurry of lawsuits in Massachusetts against retailers that collected ZIP Codes from customers as part of credit card transactions  including cases against Williams-Sonoma and Restoration Hardware.  A similar decision in California has had the same effect.  As such, retailers are advised to evaluate their data collection practices immediately.