The California Supreme Court has unanimously held that retailers can’t record customers’ ZIP codes during credit card transactions because ZIP codes constitute personal identification information and recording them violates the Song-Beverly Credit Card Act of 1971 (CC §§1747-1748.95). Pineda v Williams-Sonoma Stores, Inc. (S178241).
The significance of the supreme court’s ruling lies in the potential penalties, which are not to exceed $250 for the first violation and $1,000 for each subsequent violation. In it’s Client Alert, Morrison & Foerster predict (.pdf) predict that “retailers who have been collecting zip codes from their credit card customers can expect an avalanche of litigation as plaintiffs’ lawyers try to cash in on this newly approved claim.” This is already bearing out: The Recorder reports that a San Francisco plaintiff firm filed six proposed class actions seeking to penalize retailers for requesting ZIP codes from customers paying with a credit card just a week after the supreme court’s decision.
This may not be a financial disaster for retailers, however. Law.com notes that there is “no guarantee of an automatic payday for plaintiffs.” The supreme court makes it clear that, although the statute sets out maximum penalties, “the amount of the penalties awarded rests within the sound discretion of the trial court.”
Wondering about whether you’ll still have to input your ZIP code on gas station pumps? Well, as Morrison & Foerster explains, statutory exceptions in the Act permit the collection of “personal identification information” when the entity accepting the card is contractually required to provide the information to complete the transaction, such as some gas stations are required to do at the pumps.
This ZIP code decision makes me wonder what else might constitute “personal identification information” for purposes of the Act. That term is broadly defined to include any information on the cardholder, other than information set out on the credit card, and including the cardholder’s address and telephone number. CC §1747.08(b). The supreme court followed this broad reading when it held that
The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction….
Do e-mail addresses constitute personal identification information under the Act? This remains an open question. In Powers v Pottery Barn, Inc. (2009) 177 CA4th 1039, 99 CR3d 693, the court of appeal avoided reaching issue of whether collecting e-mail addresses violated the Act. Given the broad reading the supreme court gave to the statute as it applies to ZIP codes, it is possible that e-mail addresses will be similarly treated.
What do you think? Do you agree with Bill Dombrowski, president of the California Retailers Association, who commented about the ZIP code case to CNN.com, saying that it is “ironic” that a practice aimed partly at protecting consumers from fraud is being taken away and that it is a “terrible” decision because it “dramatically expands what personal information is.” Or, is this exactly the protection consumers need to protect their privacy?
On the Song-Beverly Act and consumer privacy issues generally, go to CEB’s Privacy Compliance and Litigation in California, chap 5.
© The Regents of the University of California, 2011. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.