The Supreme Court of California held that it is a violation of California law for businesses to request and record a credit card holder’s ZIP code in connection with credit card transactions. Under California’s Song-Beverly Credit Card Act of 1971, businesses are prohibited from requesting that cardholders supply personal identification information in connection with credit card transactions.

On February 10, 2011 in the case of Pineda v. Williams-Sonoma Stores, Inc., California’s Supreme Court held that it is a violation of California law for businesses to request and record a credit card holder’s ZIP code in connection with a credit card transaction, subject to limited exceptions. Notably, the Supreme Court ruled that its decision is retroactively effective.

In June 2008, plaintiff Jessica Pineda sued Williams-Sonoma stores alleging, among other claims, that Williams-Sonoma violated California’s Song-Beverly Credit Card Act of 1971 (the Credit Card Act) when a Williams-Sonoma cashier asked plaintiff for her ZIP code during a credit card transaction. Plaintiff provided the information, believing that doing so was a condition to completing the purchase. Williams-Sonoma subsequently ran the plaintiff’s name, credit card number, and ZIP code information through computer software that conducts reverse look-up searches and traced the plaintiff’s street address – previously unknown to Williams-Sonoma; the store then stored plaintiff’s information in its database. According to the complaint, it was Williams-Sonoma’s practice to use that information for marketing purposes and for potential sale to third party businesses.

Under the Credit Card Act, businesses are prohibited from requesting that “cardholders” (defined as natural persons to whom a credit card is issued for consumer credit purposes) supply “personal identification information” in connection with a credit card transaction, and later recording such information. Both the trial court and the California Court of Appeals had held that ZIP codes were not “personal identification information,” but the California Supreme Court reversed the lower court decisions.

The Supreme Court reasoned that the language and context of the statute supported an interpretation that included a ZIP code as “personal identification information.” As the Credit Card Act expressly characterizes a cardholder’s street address as “personal identification information,” the Supreme Court reasoned that components of a street address (e.g., a ZIP code) should be similarly classified. The mere fact that a ZIP code could apply to multiple individuals as opposed to just the cardholder does not render it dissimilar to a street address that can also reach more than one person. The Supreme Court also noted that the Credit Card Act allows a business to request that a cardholder show reasonable forms of identification in order to complete the transaction (identification that typically includes a street address with ZIP code), but even in such circumstances the business is prohibited from writing down or otherwise recording any such information.

Perhaps more significantly, the Supreme Court underscored that broadly interpreting the meaning of “personal identification information” to include ZIP codes furthers a purpose of the statute, which is to protect consumers against businesses using personal information unnecessary to a credit card transaction for marketing purposes or for sale to third parties. Because retailers now have the technology to use certain cardholder information to trace previously unknown information such as a complete street address, telephone number, or e-mail address, permitting the collection of ZIP codes would “vitiate” the effectiveness of the statute’s protective purpose.

Penalties for violation of the Credit Card Act are up to $250 for a first violation, and up to $1,000 for each subsequent violation against any and all cardholders.

Limited Statutory Exceptions

The Credit Card Act expressly permits businesses to collect “personal identification information” for “special purpose(s) incidental but related to” the credit card transaction such as shipping, delivery, installation, or servicing of the merchandise, or for special orders. For example, in 2008, the Court for the Southern District of California held that AutoZone’s practice of requesting consumer telephone numbers in connection with registering merchandise for a warranty was a “special purpose,” as such information was necessary to connect the identity of the customer to the covered product, and to identify potential fraud.

Businesses may also collect “personal identification information” if there is a contractual or legal obligation to do so in order to complete the transaction.

What Businesses Should Do Now

As the Supreme Court’s decision is applied retroactively, there has been a spike in class-action lawsuits alleging violation of the Credit Card Act. Businesses engaging in credit card transactions with consumers should mitigate risk by reviewing their data collection policies to ensure that consumer “personal identification information” being collected and stored is necessary to the transaction. One way to accomplish this may be to refrain from requesting and recording information that is not contained on a consumer’s credit card itself. Furthermore, businesses may consider training their sales associates not to indicate, directly or indirectly, that providing certain “personal identification information,” beyond the consumer’s credit card information and ID to verify card ownership, is a requirement to completing a credit card transaction.