A ruling earlier this year on collection and use of consumer ZIP code data in California has prompted a flurry of activity among plaintiffs' lawyers nationwide, as they try to determine whether consumer protection statutes in other states provide similar protections and similar statutory damages.
Back in February, the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (Feb. 10, 2011), that the mere collection of a customer's ZIP code during a credit card transaction violated a California consumer protection statute, the Song-Beverly Credit Card Act of 1971, because the ZIP code was a component of the cardholder's address. See www.wileyrein.com/zip_codes. The California statute prohibits businesses from collecting and recording "personal identification information" during credit card transactions. CAL. CIVIL CODE § 1747.08 defines personal identification information as "information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number." The statute provides a private right of action and permits recovery of up to $250 for the first violation and up to $1,000 for each subsequent violation.
According to published reports, plaintiffs' attorneys believe several other states' consumer protection statutes are similar to the Song-Beverly Credit Card Act. Just recently, for instance, a lawsuit has been filed in Massachusetts, alleging that by collecting customers' ZIP codes, Michaels Stores violated Mass. Gen. Laws ch. 93 § 105, which prohibits retailers from writing on the credit card transaction form any personal identification information not required by the credit card issuer when accepting payment by credit card. Tylerv. Michaels Stores, Inc., No. 1:11-cv-10920-WGY (D. Mass. Filed May 23, 2011). The plaintiffs' bar reportedly is evaluating the viability of similar suits in New York, Delaware, Washington DC, Georgia, Kansas, Maryland, Massachusetts, Minnesota, Nevada, New Jersey, Ohio, Oregon, Pennsylvania, Rhode Island and Wisconsin. See Terry Baynes, Breaking the Zip Code: Is Massachusetts Next?, California Legal, June 29, 2011. However, not all state consumer protection statutes provide a private right of action or the same level of statutory penalties authorized by California's Song-Beverly Credit Card Act.
Conduct Issues Unresolved
There are also unresolved questions about the circumstances under which courts will find collection of consumer ZIP code information to be actionable. In Pineda, although the retailer collected only the customer's ZIP code, it used the consumer's ZIP code to search large consumer databases and obtain the customer's full address. Collecting and storing the entire address would certainly be considered a violation of the California statute; thus, the court reasoned that collecting the ZIP code alone in order to obtain the entire address was a violation as well. Moreover, in the Pineda case, the retailer both was using the address for its own marketing purposes and selling information from its customer database to other retailers, making a profit on personal information obtained from consumers during credit card transactions. If the ZIP code were not being used for profit in selling consumer personal information, courts might not be as ready to recognize a cause of action. In fact, the California law already recognizes exemptions for fraud prevention and shipping needs.
More than 150 lawsuits have been filed in California alone since Pineda, targeting a wide variety of retailers. Many of these suits raise questions about how far the statute's prohibitions on collecting ZIP code information reach. For instance, suits have been filed against gas stations in California, alleging that requiring cardholders to enter their ZIP codes when paying at the pump violates the Song-Beverly Act. At least one California suit also has challenged a similar requirement by a retailer using self-service kiosks. These cases may implicate scenarios where a retailer is being contractually required to obtain personal information to process credit card transactions. Another question is the extent to which a valid cause of action exists against online retailers under the Song-Beverly Credit Card Act and other state statutes. A federal court in California has held that the Song-Beverly Act was not intended to apply to non-brick-and-mortar businesses. Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009).
Recognizing that the scope of Pineda and the Song-Beverly Act may be overbroad, a bill has been introduced in the California legislature that would limit the ZIP code collection ban to those transactions where the customer physically hands a credit card to a store clerk and the card is electronically read at the point of sale. See California Business Protection Act of 2011, AB 1219 (introduced Feb. 18, 2011). Also, the sponsors of the bill want to include language to ensure that Pineda only applies prospectively. Even while California considers amending its law to limit its application and avoid unintended consequences after the Pineda ruling, consideration of ZIP code litigation under state consumer protection statutes in other jurisdictions progresses.