Any franchisee or retailer in California that collects ZIP code information in connection with credit card transactions should cease doing so immediately. In recent weeks, more than 100 class action lawsuits have been filed against California companies for collecting ZIP code information as part of a credit card transaction. The lawsuits follow a recent decision by the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Ca. Feb. 10, 2011), which held that collecting a ZIP code in connection with a credit card transaction violates the state's Song-Beverly Credit Card Act.
The Song-Beverly Act prohibits retailers from collecting and recording "personal identification information" in connection with credit card transactions. As defined in the Act, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." The Act was originally enacted to protect against theft arising from credit card transactions by restricting the information that might be scribbled on copies of credit card receipts. Certain exceptions apply, such as when the credit card provides an advance deposit or collection/recording of the information is required by federal law or regulation. Violations of the law are punishable by statutory damages of up to $250 for a first violation and $1,000 per subsequent violation with no requirement of a showing of harm.
In Pineda, the plaintiff was asked for her ZIP code when using a credit card to make a purchase at a Williams-Sonoma store, but was not informed of the reason for the request. The store subsequently matched the plaintiff's name and ZIP code with her street address by obtaining information from a data broker, a practice known as "reverse lookup." Williams-Sonoma then added her name and address to a marketing list.
Williams-Sonoma argued that a ZIP code is not "personal identification information." In a case of statutory interpretation, the California Supreme Court disagreed. It held that a ZIP code is information "concerning" a person. Concluding that construing the Act broadly was consistent with the legislative purpose of the Act, the Court held that asking for and recording any information about the cardholder (including his or her ZIP code) during the credit card transaction may give rise to statutory damages under California law. In contrast, a retailer may ask to see a driver's license or similar identification to verify the identity of a customer paying by credit card but may not record that information.
Significantly, the Court also said that its ruling would apply retroactively. Not surprisingly, plaintiffs' attorneys have seen this as an open invitation to file, and, in the few weeks following the Pineda decision, have filed numerous class action lawsuits against California merchants and retailers, relying on the statutory damages provision of the law. Potential damages could reach billions of dollars. In the wake of Pineda, retailers should ensure that, when processing a credit card transaction, they record only the customer's credit card information-not any personal identification information.