Massachusetts’ highest court ruled on March 11, 2013 that a consumer could bring a claim under a state statute based on a merchant’s recording her ZIP code when she used her credit card to make a purchase. The decision, Tyler v. Michaels Stores, Inc., No. SJC-11145, 2013 Mass. LEXIS 40 (March 11, 2013), may lead to the filing of similar lawsuits, as occurred following a similar ruling by California’s Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011).
Background. The Tyler case was filed as a class action in federal court. The plaintiff alleged that Michaels Stores had requested her ZIP code when she used her card, even though the ZIP code was not required by the issuer to process the transaction, and that Michaels used the information to find her address and telephone number and to send her unwanted marketing materials. The case reached the state high court on a series of three certified questions from the federal district court. The questions all concerned application of Massachusetts General Laws Chapter 93, Section 105 (Section 105), which prohibits a merchant from “writ[ing]” any “personal identification information” on a “credit card transaction form.” A violation of Section 105 can serve as the basis of a private claim under Massachusetts’ unfair or deceptive acts or practices statute, General Laws Chapter 93A.
The Holdings. The Supreme Judicial Court concluded that Section 105 was meant to protect consumer privacy, not merely to prevent identity fraud. Following this conclusion, the court concluded that a ZIP code could constitute “personal identification information” as contemplated by Section 105 because (according to the plaintiff’s allegations) the ZIP code, combined with the plaintiff’s name, was sufficient to enable the merchant to find her address and telephone. Any contrary result, the Court reasoned, would undermine the statute’s privacy protection. Although the Court did not cite the Pineda decision from California, it reached this same result.
Second, the Court concluded that a claim could be brought even without identity fraud, because the statute’s purpose was to protect consumer privacy. However, the Court reasoned that a plaintiff must still demonstrate an “injury.” With an injury, the plaintiff could seek actual damages, nominal damages (Chapter 93A provides for recovery of $25 as a minimum damages award), and attorney’s fees. The court explained the injury requirement as follows:
The invasion of a consumer’s legal right (a right, for example, established by statute or regulation), without more, may be a violation of [Chapter 93A] § 2, and even a per se violation of § 2, but the fact that there is such a violation does not necessarily mean the consumer has suffered an injury or a loss entitling her to at least nominal damages and attorney’s fees; instead, the violation of the legal right that has created the unfair or deceptive act or practice must cause the consumer some kind of separate, identifiable harm arising from the violation itself. … [A] plaintiff bringing an action for damages under [Chapter 93A] must allege and ultimately prove that she has, as a result, suffered a distinct injury or harm that arises from the claimed unfair or deceptive act itself.
Returning to [Section 105], there appear to be at least two types of injury or harm that might in theory be caused by a merchant’s violation of the statute: the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s personal identification information; and the merchant's sale of a customer's personal identification information or the data obtained from that information to a third party. When a merchant acquires personal identification information in violation of [Section 105] and uses the information for its own business purposes, whether by sending the customer unwanted marketing materials or by selling the information for a profit, the merchant has caused the consumer an injury that is distinct from the statutory violation itself and cognizable under [Chapter 93A]. [footnotes omitted; emphasis added]
It is significant that the Massachusetts Supreme Judicial Court did not find an injury existed based on a putative statutory violation, standing alone, or “[t]he invasion of a consumer's legal right (a right, for example, established by statute or regulation), without more, … [to] mean the consumer has suffered an injury or a loss entitling her to at least nominal damages and attorney’s fees.” When the federal court, which certified this question to the Massachusetts Court, takes the case back up, it will be interesting to see whether the harms identified by the Massachusetts Court—marketing and information acquisition—are sufficient to find the degree of “injury in fact” necessary to support federal constitutional “standing.”
In numerous federal precedents, the types of harms cited by the Massachusetts Court would be considered far too speculative, remote or attenuated to find constitutional standing, although this would not inhibit such claims in Massachusetts courts. While federal courts have increasingly tended to find that alleged statutory violations standing alone are sufficient for standing, a question that the U.S. Supreme Court declined to answer definitively (when it declined to decide the First American Financial v.Edwards case in June 2012), the Massachusetts Court has removed that avenue as a basis for standing since the state court’s interpretation of what is required under its own laws will govern the federal court. However, the Massachusetts decision on what constitutes a privacy “harm” or “injury” would not necessarily control the federal court, which is constitutionally obligated to determine its own subject matter jurisdiction.
Finally, the Court held that the statutory term “credit card transaction form” was broad enough to include electronic records. Any other holding, according to the Court, would render the statute meaningless because electronic records have all but replaced paper records in this area.
Conclusion. The Pineda decision in California led to the prompt filing of scores of class actions against other merchants. A similar outcome may well follow in Massachusetts, be they federal or state claims. Merchants should also consider the reasons for which they may be collecting ZIP codes and other information about cardholders in Massachusetts—including for identity verification, fraud control, and other purposes—and whether those purposes are within the scope of the statute.