On February 10, 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma which has the potential to throw shockwaves through the retail industry, affecting both bricks & mortar and Internet-based merchants who are located in California or do business with California consumers. In this case, the California Supreme Court held that a retailer who records any portion of a credit card holder’s personally identifiable information (aka “PII”), including any portion of their address (in that case, a ZIP code) in connection with a credit card transaction violates California Civil Code § 1747.08 and is subject to penalties under that statute. Such penalties can amount to as much as $250 for the first violation and $1,000 for each subsequent violation by the merchant.
The case specifically held that, when Williams-Sonoma routinely asked for and recorded the customer’s ZIP as part of completing a credit card transaction, and used that information to build a database of its customers, Williams-Sonoma was violating § 1747.08. Williams-Sonoma argued that, even though § 1747.08 prohibits merchants from collecting and recording PII from a credit cardholder customer, including specifically the cardholder’s address and telephone number, as a condition to accepting the credit card as payment for goods or service, since Williams-Sonoma was only asking for the cardholder’s ZIP code, it had not violated the statute. The California Supreme Court rejected that argument, holding that collecting and recording any part of the cardholder’s address in connection with a credit card transaction violated the statute. In its decision, the Supreme Court found a couple of facts particularly persuasive: (i) Williams-Sonoma used the customer’s ZIP code to do public records searches and locate additional address information about the customer and build-out its customer database, which could be used to send marketing materials to the customer; and (ii) there was no need for Williams-Sonoma to collect such information in order to complete the credit card transaction – it was being collected solely for Williams-Sonoma’s own commercial marketing purposes.
Already plaintiffs law firms throughout California are lining-up to file putative class action lawsuits against retailers located in, or selling to customers located in, California. Every retail business which makes sales to customers located in California and accepts credit cards as payment for those transactions could be a potential target for such as suit if they have ever asked for or required any part of a cardholder PII in connection with such transactions.
Although the Supreme Court’s holding in Pineda v. Williams-Sonoma is broad, it is not necessarily true that every business which collects a cardholder’s address, ZIP code, or other PII in connection with a credit card transaction is in violation of California Civil Code § 1747.08. For example, there are other laws in place in California which, in certain circumstances, actually mandate that merchants (typically, but not always, online merchants) collect a customer’s name, address, telephone number, and/or other PII in connection with transactions that often involve credit cards. There are also circumstances where merchants might collect PII from their customers separate and apart from completing a credit card transaction, even though the merchants’ business with those customers may also involve credit card transactions. Such practices, in and of themselves, should not trigger a violation of § 1747.08. In addition, when a cardholder’s PII is collected in order to allow the merchant to fulfill an intended part of the transaction (e.g. shipping goods to the customer’s address), Civil Code § 1747.08(c)(4) specifically permits a merchant to collect PII which is needed for that purpose. Likewise, Civil Code § 1747.08(c)(3) specifically permits the collection of PII in connection with a credit card transaction when the merchant is contractually required to collect such PII to complete the transaction. Thus, for example, if an online merchants is required by their agreement with their acquiring bank and/or under the rules of the applicable credit card association to collect and record a cardholder’s ZIP code or other PII in order to obtain an authorization for or payment for a transaction (such as for so called “AVS” services), such practices should be permissible under § 1747.08 so long as the information which is collected from the cardholder is limited to that information which is required for that purpose. Civil Code § 1747.08(e) also provides that a merchant can avoid the civil penalties imposed under the statute if the merchant can show, by a preponderance of evidence, that the violation was not intentional and resulted from a bona fide error made notwithstanding the merchant’s maintenance of procedures reasonably adopted to avoid that error.
In light of the broad holding in Pineda v. Williams-Sonoma, every merchant which is located in California or does business with customers in California and accepts credit cards as part of those transactions should carefully review their practices related to the collection and recording of PII from credit card customers in connection with those transactions. If the merchant finds that its practices involve the collection of PII which is not necessary or required for the completion of the transaction, or if the practices involve collecting more of the cardholder’s PII than is necessary or required for the completion of the transaction, the merchant should amend those practices immediately to bring them in compliance with the requirements of Civil Code § 1747.08. If the merchant faces or is threatened with litigation alleging a violation of Civil Code § 1747.08, they should consult with knowledgeable counsel as quickly as possible to assess the merits of and potential defenses to such claims.