Guest Blog by Thomas Cohn
Last year, the California Supreme Court held that collecting a customer’s ZIP code during a credit card transaction violates the state’s Song-Beverly Credit Card Act (“Song-Beverly”). Thanks to this case (Pineda v. Williams-Sonoma Stores Inc.), California retailers have effectively been prohibited from requesting and recording customers’ ZIP codes during credit card transactions. Meanwhile, more than 100 consumer class-action lawsuits have been filed against California retailers.
In Pineda, the plaintiff alleged that Williams-Sonoma requested her ZIP code as part of a store credit card purchase and recorded it for marketing purposes. According to the act, a business cannot ask for personal identification information (PII) as a condition for a credit card transaction. The appellate court ruled for Williams-Sonoma, determining that ZIP codes are group identifiers rather than PII.
The California Supreme Court reversed, contending that a consumer’s ZIP code is protected under the act because it definitively concerns the cardholder. Furthermore, the act was passed to prevent misuse of consumer information and later amended to “prevent retailers from ‘requesting’ personal identification information and then matching it with the consumer’s credit card number.”
Some of the recent class actions have considered questions left unanswered by Pineda, such as whether the act is violated by requesting a ZIP code if a business credit card is used (no), or when a personal credit card is used for a business transaction (yes). Most recently, a California federal court in May granted plaintiffs’ motion for class certification in an action against IKEA. This class action suit (Yeoman and Medellin v. Ikea U.S. West Inc.) alleges that IKEA violated Song-Beverly by requesting that cardholders provide their ZIP codes during credit card transactions, and then recording that information in an electronic database. The court found that the class definition was not overbroad and that IKEA’s practice of requesting ZIP codes showed common questions of law best resolved through a class action.
Song-Beverly is different from laws in other states because it forbids requesting, not just requiring, PII. One such law in New Jersey was tested last year in two cases. In Imbert v. Harmon Stores Inc., a Superior Court judge denied Harmon Stores’ motion to dismiss a ZIP code-collection class action. In addition to citing a statute that prohibits retailers from requiring PII, Imbert asserted that Harmon had violated a second statute that prohibits sellers from violating any “clearly established right” of a consumer.
At the same time, a federal judge dismissed a similar class action, Feder v. Williams-Sonoma Stores Inc., brought under the same two New Jersey laws. The court held that the plaintiff did not identify any provision of a “written consumer contract” violating state or federal law that would establish a claim under the second statute above. A ZIP code, the court argued, is not a contract provision violating a person’s rights.
In construing a similar state statute, a Massachusetts federal court recently came to much the same conclusion as California did in Pineda, but then dismissed the suit for lack of alleged injury. The court viewed the Massachusetts statute, which prohibits anyone from recording or requiring a credit card holder to write PII on the transaction form, as being primarily concerned with fraud-prevention and security, not privacy. But it still found that the retailer’s entry of the customer’s ZIP code (with name and credit card number) into an electronic terminal technically violated the Massachusetts statute, reasoning that a ZIP code was PII because it could be combined with other data to identify a particular person. The court dismissed the case (Tyler v. Michaels Stores Inc.) because the plaintiff failed to allege a cognizable injury like identity theft and, at most, complained of a deluge of unwanted mail.
Retailers trying to make sense of the ZIP code issue should note each case’s practical aspects. In California, merely requesting a ZIP code will violate the law, while in New Jersey and some other states, the law is only violated when the code is required to complete the transaction. In the Massachusetts case, the violation existed because the credit card information, name and ZIP code were combined in a single electronic file.
Retailers should separate such information and finish the transaction before asking for any personal information. Given regulators’ heightened interest in protecting consumers’ PII, merchants need to be fully aware of all relevant state laws and the legislative intent behind them.
Thomas Cohn is a partner in the New York City office of national law firm LeClairRyan and a former Federal Trade Commission regional director. He is a member of the firm’s retail industry team and can be contacted at Thomas.Cohn@leclairryan.com.
Retail Merchandiser magazine is pleased to present the points of view of many different industry stakeholders.