Massachusetts' highest state court has ruled that ZIP codes constitute personal identification information, and that retailers that request and record consumers' ZIP codes during electronic credit card transactions may violate the state's consumer privacy law and may be subject to suit under the Massachusetts Unfair Trade Practices Act. The Massachusetts Supreme Judicial Court's opinion in Tyler v. Michaels Stores Inc. allows the putative class action filed in Massachusetts federal court to go forward.
The class action alleges that Michaels' electronic recording of customer ZIP codes constituted the writing of personal identification information on a credit card transaction form, in violation of § 105 (a) of Massachusetts' consumer privacy law (G.L. c. 93, Section 105(a)) and was an unfair or deceptive act or practice under the Massachusetts' Unfair Trade Practices Act (G.L. c. 93A, § 2). The district court initially dismissed the complaint against the national crafts retailer, finding that while ZIP codes constitute personal identification information under the Massachusetts statute, plaintiff Melissa Tyler failed to allege that the retailer's collection of ZIP codes caused her an injury for which she could recover. At Tyler's request, the court certified questions concerning the interpretation of the Massachusetts law to the Massachusetts Supreme Judicial Court, including whether ZIP codes constitute personal identification information and whether a plaintiff can sue under the statute absent identity fraud.
In a unanimous ruling, the Massachusetts Supreme Judicial Court held that ZIP codes do constitute personal identifiable information, because "a customer's ZIP code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information § 105 (a) expressly identifies as personal identification information."
Disagreeing with both the district court and Michaels, the Massachusetts Supreme Judicial Court concluded that the principal purpose of § 105 (a) is "to guard consumer privacy in credit card transactions, not to protect against credit card identity fraud." While the supreme court concluded that the law does not require that the plaintiff have suffered identity fraud in order to assert a claim, it did find that in order to state a claim for an unfair or deceptive trade practice under the Massachusetts Unfair Trade Practices Act, the plaintiff must allege some injury or loss as a result of the retailer's unauthorized collection of personal identification information. The retailer's collection of the information alone does not constitute an actionable injury. A retailer must use the information for its own business purposes, and the court identified at least two ways that a retailer's unauthorized collection and use of personal identification could injure a consumer - by sending the customer unwanted marketing materials or by selling the customer's information to a third party for a profit. Plaintiff Melissa Tyler asserted that Michaels had done both. The supreme court left open the question of whether a plaintiff that alleges a different form of injury or loss could maintain a claim under the Massachusetts Unfair Trade Practices Act.
The state high court also suggested that while a merchant's use of a consumer's personal identification information in either of those two ways likely would not cause a quantifiable monetary loss or measurable emotional distress, plaintiffs would still be entitled to damages. The receipt of unwanted marketing material represents an invasion of the consumer's personal privacy that would entitle the consumer to the minimum statutory damage award of $25 under the Massachusetts Unfair Trade Practices Act. And in cases in which the merchant sells consumer personal identification information to a third party, the court suggested that disgorgement of the merchant's profits may be appropriate damages.
The Massachusetts ruling is similar to the California Supreme Court's decision in Pineda v. Williams-Sonoma Stores Inc., in which that court held that ZIP codes were personal identification information, and that California's Song-Beverly Credit Card Act of 1971 prohibits merchants from requesting and storing consumers' ZIP codes as a condition of completing card transactions. One significant difference, however, is that the California statute operates as a strict liability statute: a retailer who violates Song-Beverly may be subject to statutory damages of up to $250 for the first violation, and up to $1000 per violation for subsequent violations, regardless of whether the merchant ever uses the information or the consumer can allege any injury.
As was the case after Pineda v. Williams-Sonoma Stores, the Tyler case is likely to be the first of many consumer class actions for violations of Massachusetts' consumer privacy and unfair trade practices laws related to the collection of ZIP code and other information in the course of credit card transactions.