On February 11, 2011, the California Supreme Court issued Pineda v Williams-Sonoma Stores, Inc, 2011 WL 446921, -- Cal. 4th -- (Cal. Feb. 11, 2011) ("Pineda"), which held that a ZIP code constitutes "personal identification information" under the Song-Beverly Credit Card Act, California Civil Code § 1747.08, and that requesting and recording ZIP codes as part of a credit card transaction violates the Act. Id., at *1. The immediate impact has been swiftly felt; dozens of class actions have been filed in the days after this important decision.
The Song-Beverly Credit Card Act
The Song-Beverly Credit Card Act of 1971 (codified at Cal Civ. Code § 1747 et seq.) (the "Act") imposes various restrictions on the issuance and use of credit cards. Among these restrictions, the Act generally prohibits retailers from collecting "personal identification information" from customers using credits cards for their purchases. Cal. Civ. Code § 1747.08(a). "Personal identification information" is defined as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Cal. Civ. Code § 1747.08(b). Businesses that violate this provision of the Act are subject to civil penalties not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation.
The Act itself provides for several important exceptions, and the courts have found further limitations on its reach. Section 1747.08(c)(3) excludes information collection that is mandated by contract or federal law, and Section 1747.08(c)(4) excludes the collection of information for "incidental" purposes, including delivery or service requirements. California courts have also excluded return transactions (TJX Companies, Inc. v. Superior Court, 163 Cal. App. 4th 80 (2008)) and applied a one-year statute of limitations (id.), and the United States District Court for the Central District of California recently held that the Act does not apply to online transactions at all because it is necessary to collect personal identification information for security reasons. Saulic v. Symantec Corp., 596 F. Supp. 2d 1323, 1336 (C.D. Cal. 2009). Pineda, however, reversed another significant court-made exception identified in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), which had held that ZIP codes do not fall within the statutory definition of "personal identification information."
The California Supreme Court's Decision in Pineda
In Pineda v. Williams-Sonoma Stores, Inc., the plaintiff alleged that she made a purchase at a Williams-Sonoma store with her credit card and the clerk asked her for her ZIP code, which she provided. The clerk then allegedly recorded the ZIP code and, according to the plaintiff, Williams-Sonoma "subsequently used her name and ZIP code to locate her home address." Pineda, slip op. at 2. The plaintiff brought a class action on behalf of herself and all other customers who are similarly situated, alleging, inter alia, a violation of Section 1747.08.
Williams-Sonoma demurred to the complaint, arguing that ZIP codes are not "personal identifying information" under the Song-Beverly Act, and the trial court agreed, relying on Party City. The Court of Appeal affirmed in all respects. Pineda, slip op. at 3. The Supreme Court granted review on the ZIP code question.
In a unanimous opinion, the Supreme Court reversed the appellate court's decision. The court found that, "the only reasonable interpretation of section 1747.08 is that personal identification information includes a cardholder's ZIP code." Pineda, slip op. at 11. The court noted that several considerations weighed in favor of a broad reading of the statute, including the expansive language of the statute and the liberal construction owed to consumer-protection statutes. Id. at 6, 9.
While Williams-Sonoma argued that a ZIP code is not unique to a particular individual and therefore does not personally identify anyone, the California Supreme Court rejected that argument because it proved too much. The same could be said for a cardholder's street, or even, for most people, the street number or even telephone number. Id. at 7-8. And failing to protect ZIP codes, the Court also found, would undermine the statute's clear intent, because with the ZIP code, a merchant could readily obtain the information that all parties agreed was supposed to be protected, such as home addresses and telephone numbers, through marketing software. Id. at 8.
The Court also rejected Williams-Sonoma's argument that the Act would violate due process because the potential for a $1,000 statutory penalty for each violation would be oppressive. Id. at 14. In response to that concern, the California Supreme Court noted that $1,000 is the maximum potential penalty, and that the trial court had discretion to award any lower amount. Id. Presumably, this leaves open a due process challenge to specific awards made under the statute. The court also rejected Williams-Sonoma's argument that the case should not have retroactive application, opening the door to similar lawsuits against other retailers.
Implications for California Retailers
Many large retailers are already defendants in one or more class action lawsuits filed in the wake of Pineda, and others face the risk of a lawsuit in the coming days. Although Pineda is concerning for retailers, it does not wholly foreclose retailers from requesting personal identification information. The Song-Beverly Act does not apply to cash transactions. Nor does it prevent retailers from collecting personal identification information for delivery or other special purposes incidental but related to credit card transactions. In addition, as noted above, a federal court in Los Angeles held that the Act does not prohibit retailers from collecting personal identification information in connection with online transactions. Saulic, 596 F. Supp. 2d at 1336. Defendant retailers may also find shelter with successful arguments opposing class certification or that significantly limit potential damages.
Given the rash of recent lawsuits, retailers doing business in California should carefully review their practices and policies regarding collecting personal identification information. If a retailer is concerned about potential litigation, it should consult with knowledgeable counsel as quickly as possible.