Retailers that request zip code information from customers may now be violating state law. Point of sale data collection practices, to the extent they do not serve a legitimate non-marketing purpose related to the transaction, such as for shipping or fraud prevention, must comply with consumer protection statutes of the host state.
In Pineda v. Williams-Sonoma Stores, Inc., ____Cal. Rptr. 3d ____(Cal. 2011), the California Supreme Court overturned the dismissal of a class action suit that alleged violations of California's Song-Beverly Credit Card Act of 1971, a consumer protection statute prohibiting retailers from recording customer personal identification information during credit card transactions. Indeed, the court explicitly ruled that retailers may not ask customers for their zip code during credit card transactions. Violators are subject to maximum statutory penalties of up to $250 for the first violation and $1,000 for each subsequent violation.
Although the court's opinion considered only requests for zip codes, other information that can be used to develop customer addresses may also be deemed to violate state law. While this decision only applies to California retailers, many other states have similar consumer protection laws. Challenges, therefore, should be expected, as this ruling has widened the scope of prohibited inquiries and strengthened consumer privacy rights.
Retailers should immediately review their point of sale data collection practices and ensure that only information necessary to complete the credit card transaction is collected. If additional information is requested, it must have a legitimate non-marketing purpose. By taking these necessary precautions, retailers can protect themselves from unwanted litigation involving claims of consumer privacy rights violations.