Retail stores across California routinely ask customers to provide a ZIP code when making a purchase. This practice may now be prohibited following the California Supreme Court decision in Pineda vs. William Sonoma, __ Cal. 4th__ (February 10, 2011), holding that ZIP codes are “personal identification information” for the purposes of the Song-Beverly Credit Card Act.
In 2008, Jessica Pineda visited a Williams-Sonoma Store in California. While making her purchase, the cashier asked for her zip code, but did not tell her what the information would be used for. Thinking the information was necessary to complete the transaction, Pineda provided the information. Later, using specialized computer software, Williams-Sonoma conducted a “reverse lookup” and was able to determine Pineda’s previously unknown mailing address by matching her name and zip code in a third-party database. This information was then stored in Williams-Sonoma’s own database for use in direct-mail marketing campaigns. Pineda learned of this and filed a class-action lawsuit, alleging that the store’s conduct violated the Song-Beverly Credit Card Act (“Credit Card Act “) and Business and Professions Code section 17200 et seq.
California’s Credit Card Act prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Specifically, section 1747.08(a) provides that no firm shall “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”
Personal identification information is defined in subsection (b) as “information concerning the cardholder . . . including, but not limited to, the cardholder’s address and telephone number.” However, prior to the court’s recent decision, an individuals’ zip code was not considered to be personal identification information. In fact, the opposite was true. As recently as 2008, California 4th District Court of Appeals addressed this specific issue in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008) where it held that ZIP codes were too general to be covered by the Credit Card Act because they pertain to a group of individuals, not a specific individual.
In Pineda, the Supreme Court construed the definition of “personal identification information” broadly to include any information concerning the cardholder. The Court reasoned that since a cardholder’s ZIP code refers to the area where a cardholder lives or works, it would qualify as information that pertains to the card holder. In addition, since a ZIP code is part of the address, the statute “should be construed as encompassing not only a complete address, but also its components.” Further, in reversing Party City, the Court rejected the argument that a ZIP code should not be protected because it does not pertain to a specific individual. An address or phone number, both of which are explicitly defined as personal identification information by section 1747.08, might also pertain to individuals other than the cardholder. Therefore, the fact that a ZIP code could pertain to multiple individuals did not render it exempt from the Credit Card Act.
The Court found further support in “the legislative history of the Credit Card Act in general, and section 1747.08 in particular, [which] demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.” Here, the ZIP codes at issue were not collected for identification purposes nor were they necessary in order to complete the credit card transaction. Instead, Williams-Sonoma collected the ZIP codes specifically for marketing purposes. The difference is key. Had Williams-Sonoma collected ZIP codes for identification purposes, it would have been governed by Civil Code section 1747.08(d). This statute allows a business to require reasonable forms of identification from cardholder, such as a driver’s license, but it may not record any of the information on that license, including the cardholder’s ZIP code. It would be inconsistent with the intent of the Legislature to allow in subdivision (a) what would be explicitly forbidden in subdivision (d) – namely the requesting and recording of a ZIP code. The logical conclusion, the court held, is that the term “personal identification information” as used in section 1747.08, includes a cardholder’s ZIP code.
Within California, the effect of this ruling is significant. Retail stores routinely ask customers for their ZIP code for both marketing and regional sales forecasting. The potential effect is compounded by the fact that in 2008, this practice was considered exempt from the Credit Card Act by the court’s holding in Party City. Seemingly overnight, actions that were previously authorized could now subject retail stores to statutory penalties up to $250 for the first violation and $1,000 for each subsequent violation. Further, as privacy expert and CIPP Tanya Forsheit pointed out, “it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute – consumer protection.” Outside of California, it is unclear what impact this case will have. The Credit Card Act was modeled after a similar New York statute passed in 1990 and several other states have similar laws but none of those prohibit the collection of ZIP codes. At a minimum, California retailers should take a close look at their information collection practices and consider updating those policies in light of this decision.
The Supreme Court opinion is available here: Pineda v. Williams-Sonoma, __ Cal. 4th__ (February 10, 2011).
M. Scott Koller is an attorney with McKennon Schindler LLP in its Newport Beach office in California. His practice specializes in civil litigation involving privacy, data security, and intellectual property.