The Massachusetts Supreme Judicial Court ruled recently in a case involving a class action brought by a plaintiff who alleged that a retailer requested her name, credit card number, and ZIP code in connection with credit card purchases she made. After that request, she allegedly began to receive unwanted marketing materials from the retailer. According to the court, Massachusetts General Law Section 105 governs a company's ability to obtain a customer's ZIP code—assuming the credit card issuer does not require it—during a credit transaction. The state law reads: "No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form." This law is similar to one that has been more widely litigated in California, commonly referred to as California's Song-Beverly Act. Although the federal court that certified questions to the Massachusetts Supreme Court ruled that the purpose of the statute was to combat identity fraud, the Massachusetts Supreme Court stated that "[t]here is nothing in the actual language of [the state statute] to suggest that its purpose is confined to preventing identity fraud. Rather, by its inclusive terms, [the law] reflects concern about, and an intent to limit, disclosure of personal information leading to the identification of a particular consumer generally." In addition, in looking at whether a customer's ZIP code is "personal identification information," the court reached a conclusion similar to courts in California, namely that it is personally identifiable because it allows companies to obtain other personal information, such as address and phone number. Finally, even though it seems that the Massachusetts statute requires a "credit card transaction form" for the law to be invoked, the court ruled that a credit card transaction form can "refer equally to an electronic or a paper transaction form."
TIP: This case suggests that plaintiffs may be looking to states outside of California when bringing cases involving the collection of personal information during a credit card transaction. In addition to California and Massachusetts, other states also have laws that restrict this particular information collection practice. National retailers should thus exercise care when designing any information collection programs, especially if the information will be collected at the point of purchase.