The California Supreme Court recently ruled, in a long awaited decision, that requesting and recording a cardholder’s zip code, without more [more what?], violates the Song-Beverly Credit Card Act. The Act prohibits retailers from collecting personally identifiable information during a credit card transaction. In the case, the court reasoned that a cardholder’s zip code constitutes personally identifiable information within the meaning of the statute. The defendant took the customer’s name and zip code, which it recorded, and performed reverse searches through various databases to fill out the rest of the information. It then used the customers’ full mailing addresses to market products and sell that information to other businesses.
TIP: California retailers should use caution if considering collecting personally identifiable information in a retail environment, in particular if the collection is from a shopper who is making a credit card purchase. This case underscores how broad the definition of personal information can be. You should review your current practices to make sure that they do not run afoul of the Song Beverly Credit Card Act, or similar laws that exist in some other jurisdictions.