In a closely watched case with a somewhat unexpected result, the highest Massachusetts court decided in Tyler v. Michaels Stores that zip codes are “personal identifying information” that may not be collected and recorded as part of a credit card transaction. A consumer could establish a violation of the state’s unfair business practices statute based on retailers’ collection and entry of zip codes at the point of sale, if some distinct injury or harm was shown, said the Mass. Supreme Judicial Court (“SJC”).
Plaintiff’s privacy claim, which was also brought as a class action, was permitted to move forward even though the collection of zip codes did not cause the plaintiff to become a victim of identity fraud. The Court found that the plaintiff could establish a claim merely by showing that she received unwanted marketing materials from the merchant as a result of disclosing her zip code, or that the merchant sold the zip code information for a profit to a third party.
With the Court’s ruling, even zip code information that does not directly identify the consumer is nevertheless “personal identifying information” because, the court noted, it can be combined with other information enabling merchants to identify the consumer’s address and telephone number through publicly available databases. The SJC cautioned that c. 93, Sec. 105(a) (referred to hereafter as "c.93"), protects against obtaining unnecessary personal information to complete credit card transactions.
At the same time, the SJC pointed out in a footnote that merely collecting zip code information, without using that information for any purpose thereafter, would not give rise to a cause of action for damages. And while the Court also ruled that a violation occurs whether the transaction is in paper or electronic form, the SJC did not resolve the question of whether the particular electronic form used by Michaels was an “electronic credit card transaction form” within the meaning of c. 93; that was a factual question to be resolved by the trial court.
The SJC also did not address the scope of an exception to c. 93, which permits retailers to request information necessary for the shipping, delivery, or installation of merchandise, or for warranty purposes. It remains to be seen how the Court’s ruling will affect business practices in Massachusetts.
Zip Codes are “Personal Identifying Information”
Plaintiff Melissa Tyler filed suit in federal court in Boston on behalf of herself and as a class action, alleging that Michaels violated Massachusetts’ unfair and deceptive business practices statute, G.L. c. 93A, by requesting zip code information from her when she made credit card purchases. The federal court, which had originally dismissed the case, requested that the SJC resolve three state law questions that were presented by Tyler’s complaint:
- whether a zip code can be “personal identifying information” which c. 93 prohibits merchants from collecting,
- whether plaintiffs could bring such a privacy claim even if they are not the victims of identity fraud, and
- whether such a privacy claim may be brought if the transaction is electronic and not in paper form.
The Court answered “yes” to all three questions.
As to the key question of whether zip codes may be “personal identifying information” prohibited by c. 93 when collected as part of a credit card transaction, the Court found that the purpose of c. 93 was not merely to prevent identity fraud. Instead, based on the wording and history of the statute, the Court found that its true purpose was to safeguard consumer privacy, and to prevent retailers from sending unwanted solicitations to consumers using their identifying information.
Identity Theft Not an Issue
The Court rejected Michaels’ argument that a consumer must be a victim of identity fraud to bring a claim under c. 93A. The statute contained no limitation to that effect, and the overriding purpose of the statute was the protection of consumer privacy, not identity fraud. In answering this question, however, the Court explained that a c. 93A plaintiff must show some harm which is more than the violation itself. Examples of sufficient harm could be shown, it said, where the merchant used personal identifying information to send unwanted solicitations to a consumer, or where a merchant sells personal identifying information to a third party.
Paper v. Electronic Transactions
The Court found that c. 93 may be applied whether the credit card transaction is in paper or electronic form. The statute might be rendered ineffective if it was interpreted as applying only to paper transactions, and the Court therefore rejected Michaels’ argument that Tyler could not bring a claim because her transaction was purely electronic and not “written” on paper.
The Tyler decision signals clearly that the SJC takes an expansive view of the consumer privacy protections of c. 93, and favors a broad reading of its key terms. It is also worth noting, however, that the Court’s decision specifically addresses credit card transactions under a particular statute, and it does not appear to prohibit the collection of zip code information in the context of other non-credit card transactions. Additionally, the decision applies specifically to c. 93, and does not appear to extend the notification requirements under the Massachusetts data breach statute or the obligations under the Massachusetts data security regulations.
Nevertheless, the Court’s extension of privacy protection to zip code information is not an isolated decision. A similar result was reached by the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., which held that the practice of collecting zip code information violated a California statute, the Song-Beverly Credit Card Act. See Edwards Wildman Client Advisory - California Supreme Court's Zip Code Decision Exposes Retailers to New Litigation Hazard, Statutory Fines (April 2011).
For the moment, Tyler should be considered a further alert to businesses operating in Massachusetts regarding their handling of consumer information.