The California Supreme Court issued a unanimous opinion on Thursday, February 10, 2011, holding that ZIP codes are “personal identification information” for purposes of the state’s Song-Beverly Credit Card Act of 1971, and therefore may not be recorded by a business as part of a credit card transaction. The Court found that a retail defendant’s practice of requesting a customer’s ZIP code at checkout when the customer used a credit card violated the Credit Card Act. While the decision may open a floodgate of litigation against retailers, there are also important exceptions in the Credit Card Act that indicate that many business practices which require a customer to provide a ZIP code do not contravene the law. Nonetheless, retailers who request any “personal identification information” should ensure their practices regarding the recording of such information complies with both state and federal law.

Decision of the Court

The California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc. (S178241) that ZIP codes are “personal identification information” under the Credit Card Act. In doing so, the Court overturned the Court of Appeal’s decision upholding the trial court’s sustaining of the defendant’s demurrer and dismissing the plaintiff’s complaint. The case is therefore remanded for further proceedings. The Credit Card Act prohibits businesses from requesting or requiring personal identification information for a credit card transaction. (Cal. Civil Code § 1747.08(a).) Under the Act, no “person, firm, partnership, association, or corporation that accepts credit cards” may request, or require as a condition of accepting a credit card for payment, that the cardholder supply his or her personal identification information as part of the transaction. (Cal. Civ. Code § 1747.08(a)(1).) Further, the Act bans businesses from requesting or requiring such information and recording it as part of the transaction. (Cal. Civ. Code § 1747.08(a)(2).) Significantly, however, the Act does allow a business to require a cardholder to provide “reasonable forms of positive identification” as a condition to accepting the credit card “provided that none of the information contained thereon is written or recorded.” (Cal. Civ. Code § 1747.08(d).)

The Court held that while a ZIP code is only a portion of an address, it is a piece of personal identification information for purposes of the Act because such an interpretation fits within the Act’s language, purpose, and legislative history. The Act specifically lists addresses and telephone numbers as examples of personal identification information. (Cal. Civ. Code § 1747.08(b).) The Court held that the ZIP code is part of an address, and that interpreting the prohibition to only apply to entire addresses would “render the statute’s protections hollow.” The Court grounded much of its opinion on the fact that a ZIP code, like addresses and telephone numbers generally, was not necessary to complete the sales transaction in question. The legislative history indicates that the Credit Card Act was intended to address the misuse of personal identification information for among other things, marketing purposes, and to “impose[] fair business practices for the protection of the consumers.” The Legislature enacted the prohibition on requesting or requiring personal identification information because “there would be no legitimate need to obtain such information from credit card customers if it was not necessary to the completion of the credit card transaction.”

Important Limitations

While the Court’s opinion at first blush appears to undercut a wide number of business practices, there are important exceptions in the Credit Card Act that should minimize its impact. The Court noted that exceptions to the prohibition on requesting and recording personal identification information include: (1) when the credit card is being used as a deposit; (2) when it is used for a cash advance; (3) when a contract requires personal identification information to complete the transaction, or it is required by federal law or regulation; and (4) when the information is necessary for incidental aspects of the transaction such as shipping, delivery, servicing, or installation. (Cal. Civ. Code § 1747.08(c).))

The practice of asking for an address, including a ZIP code, for delivery during Internet transactions is within the enumerated exception. Other common business practices, such as requiring a ZIP code at automated pay-at-thepump gas stations, may also fall within the exceptions, if the input of a ZIP code is a “reasonable form[] of positive identification” and is not recorded. This reading of the law is further supported by the Court’s emphasis on personal identification information requests that are not necessary for the completion of the transaction.

Implications for Businesses in California

The Court’s decision will have important implications, particularly for retailers. The Court refused to find that its opinion will only apply prospectively. Businesses may therefore be liable for having previously requested ZIP codes even if they now discontinue the practice. In addition, the Credit Card Act allows private individuals to enforce the Act, collect civil penalties of $250 for a first violation and $1,000 for each subsequent violation, and consolidate actions against businesses. (Cal. Civ. Code § 1747.08(e)(g).) (The Act does, however, provide a safe harbor for unintentional violations.)

Finally, the decision may cause some confusion for businesses that operate in states in addition to California, as “personal identification information” has different definitions under state and federal statutes, there is no uniform definition, and this opinion only applies within California.

Retailers and others are well-advised to contact their lawyers to determine if their practices conform with California law.