In a case with major implications for retailers and marketers, on February 10, 2011, the Supreme Court of California ruled in Pineda v. Williams-Sonoma Stores that Williams-Sonoma violated the Song-Beverly Credit Card Act of 1971 when it requested and recorded customer ZIP codes during credit card transactions and allegedly used that information for marketing purposes. In reaching this conclusion, the Court broadly interpreted the definition of personal identification information. The Act provides that businesses may not request and record personal identification information during credit card transactions. Personal identification information is defined as any information concerning the cardholder, other than information set forth on the credit card, including, but not limited to, the cardholder’s address and telephone number. The Court held that a ZIP code constitutes personal identification information.
The trial court and court of appeals in Pineda, on the other hand, found that a ZIP code, without more, is not personal identification information. The Supreme Court of California unanimously disagreed, reasoning that the consumer protection purpose of the statute necessitated a finding that ZIP codes are covered under the Act because ZIP code information could easily be used to locate the cardholder’s complete address. As a result of recording customer ZIP code information, Williams-Sonoma will face a maximum penalty of $250 for the first violation and $1,000 for each subsequent violation. Although the California Supreme Court noted that the amount of the violation is in the complete discretion of the trial court and could be as little as pennies (or even a proverbial “peppercorn”) per violation, this provides cold comfort to companies who have been engaged in this practice for a significant period of time because the Court’s decision is not limited to future practices. The Court held that its interpretation of the Act applies retroactively.
The California Supreme Court’s decision did not, however, address situations where personal identification information is collected for authorization purposes or for payments made online. Retailers may be able to argue that collecting data for authorization purposes or for online ordering is incidental but related to the individual credit card transaction, and thus an exception under the terms of the Act. Regardless, retailers should evaluate and amend, if necessary, their credit card processing procedures to avoid potential liability under the Act.
This opinion has triggered a wave of consumer class actions and exposes retailers that record consumer personal identification information during credit card transactions to significant statutory penalties. While this decision affects California retailers that accept credit card payments, the statutory language may be broad enough to argue that it applies to merchants in other states that transact business with California residents. Furthermore, as California has been a front-runner in data privacy and protection issues, California’s broad definition of personal identification information likely forecasts the direction of other states.