No you may not have my ZIP code
In a decision that is sending waves across the national retail industry, the California Supreme Court recently held that ZIP codes constitute “personal identification information” under the Song-Beverly Credit Card Act. The decision, Pineda v. Williams-Sonoma Stores Inc., generally will expose retailers who request such information from customers paying with a credit card to penalties of up to $1,000 per request. It already has triggered literally more than one hundred putative class action lawsuits in a matter of weeks against retailers doing business in California, including those who have relied on earlier lower court opinions blessing such information requests. And it likely will chill retailers’ marketing and anti-fraud efforts, while impeding customer efforts to obtain the full benefits of the retailers’ services and products.
With some exceptions, the Act prohibits merchants from “requesting, or requiring as a condition of” the credit card transaction “personal identification information” and then recording that information. The Act defines this as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
The plaintiff in Pineda alleged that a Williams-Sonoma store cashier requested her ZIP code as part of her credit card transaction. The plaintiff provided it, believing it necessary to make the purchase. The plaintiff further alleged that Williams-Sonoma “subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses.” The store was then able to obtain the plaintiff’s previously undisclosed address and maintained that information in its database.
Although lower courts held that the ZIP code alone did not constitute personal identification information under the Act, the California Supreme Court disagreed. It held that in light of the legislative history, the purpose of the act and its broad statutory language, the word “address” should be read broadly as “encompassing not only a complete address, but also its components.” According to the Court, “the legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”
The Court’s analysis appeared deeply colored by the defendant retailer’s specific use of “reverse appending.” The Court reasoned that, “a cardholder’s ZIP code is similar to his or her address or telephone number, in that a ZIP code is both unnecessary to the transaction and can be used, together with the cardholder’s name, to locate his or her full address. The retailer can then use the accumulated information for its own purposes or sell the information to other businesses.” The Court noted, within the context of reverse appending, that to hold otherwise would be to permit retailers to obtain information indirectly that they could not obtain directly.
At a minimum, retailers now face a new wave of litigation -- with no need for the plaintiffs to prove actual damages. Indeed, one such action -- against gas station retailers that request zip codes as an anti-fraud measure -- has been described by the plaintiff’s counsel as possibly one of the largest consumer class actions on record. Common to all such litigation is the potential for substantial penalties, particularly if measured on a class-wide basis. Note that the court explicitly refused to limit the ruling to prospective instances of information gathering.
What may be most striking about the opinion is its implied meaning and lack of practical guidance for retailers. Although the Court focuses on reverse appending, future plaintiffs likely will argue that the holding is not expressly limited to such a practice. According to the Court, “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in [the act].”
Plaintiffs may seek to broaden this opinion, even where it would hurt consumers’ interests. For example, plaintiffs may rely on ambiguous language in the opinion to argue that the Act prohibits any request for information from customers paying by credit card, regardless of whether the request is made as a “condition to accepting the credit card as payment.” Plaintiffs also may argue that the Act and its penalties apply even when the customer voluntarily provides it -- for example, in order to obtain other services and benefits from the retailer.
In the wake of Pineda, retailers are placed in a potentially intractable position. Marketing and maintaining contact with existing customers is the key to growing a retail business. However, retailers attempting to market to their own customers while seeking to comply with the law may still risk class actions and potentially substantial mandatory penalties. For retailers and other businesses that accept credit cards, it is essential to minimize litigation risk as best as possible, including reviewing current practices for collecting customer contact information and ensuring that they have adequate insurance to cover such risk.
Donna L. Wilson leads the West Coast litigation practice of BuckleySandler LLP, where she focuses on class action defense and complex litigation in a variety of areas impacting the retail industry, including privacy and consumer financial services.