The collection of ZIP codes by retailers may now be prohibited following the recent California Supreme Court decision in Pineda vs. William Sonoma, __ Cal. 4th__ (February 10, 2011). Writing for a unanimous court, Justice Morena found that ZIP codes are “personal identification information” for the purposes of the Song-Beverly Credit Card Act (“Credit Card Act “). Under the Credit Card Act, personal identification information may not be recorded nor required of a customer in order to make an in-store purchase using a credit card.
Initially passed in 1990, the Credit Card Act was enacted “to address the misuse of personal identification information for, inter alia, marketing purposes.” It prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Specifically, section 1747.08(a) provides that no firm shall “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” Since its initial passage, there have been multiple class action lawsuits against retailers violating this statute. As recently as 2008, California 4th District Court of Appeals addressed this specific issue in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008) where it held that ZIP codes were too general to be covered by the Credit Card Act because they pertain to a group of individuals, not a specific individual.
Not to be deterred, Jessica Pineda brought a class action against Williams-Sonoma for violations of the Credit Card Act “and Business and Professions Code section 17200 et seq. Her lawsuit was based on a 2008 visit to a Williams-Sonoma Store in California. While making her purchase, the cashier asked for her zip code, but did not tell her what the information would be used for. Thinking the information was necessary to complete the transaction, Pineda provided the information. Later, using specialized computer software, Williams-Sonoma conducted a “reverse lookup” and was able to determine Pineda’s previously unknown mailing address by matching her name and zip code in a third-party database. This information was then stored in Williams-Sonoma’s own database for use in direct-mail marketing campaigns. Aware of the court’s prior holding in Party City, Pineda pursued her class action on the grounds that an essential element was missing from the prior cases. Namely, allegations that Williams=Sonoma actually use of the acquired ZIP code. Rather than rule that harm was a required element, the court instead overruled Party City altogether.
In Pineda, the Supreme Court construed the definition of “personal identification information” broadly to include any information concerning the cardholder. Personal identification information is defined in subsection (b) of the Credit Card Act as “information concerning the cardholder . . . including, but not limited to, the cardholder’s address and telephone number.” The Court reasoned that since a cardholder’s ZIP code refers to the area where a cardholder lives or works, it would qualify as information that pertains to the card holder. In addition, since a ZIP code is part of the address, the statute “should be construed as encompassing not only a complete address, but also its components.” Further, in reversing Party City, the Court rejected the argument that a ZIP code should not be protected because it does not pertain to a specific individual. An address or phone number, both of which are explicitly defined as personal identification information by section 1747.08, might also pertain to individuals other than the cardholder. Therefore, the fact that a ZIP code could pertain to multiple individuals did not render it exempt from the Credit Card Act.
The Court found further support in “the legislative history of the Credit Card Act in general, and section 1747.08 in particular, [which] demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.” Here, the ZIP codes at issue were not collected for identification purposes nor were they necessary in order to complete the credit card transaction. Instead, Williams-Sonoma collected the ZIP codes specifically for marketing purposes. The difference is key. Had Williams-Sonoma collected ZIP codes for identification purposes, it would have been governed by Civil Code section 1747.08(d). This statute allows a business to require reasonable forms of identification from cardholder, such as a driver’s license, but it may not record any of the information on that license, including the cardholder’s ZIP code. It would be inconsistent with the intent of the Legislature to allow in subdivision (a) what would be explicitly forbidden in subdivision (d) – namely the requesting and recording of a ZIP code. The logical conclusion, the court held, is that the term “personal identification information” as used in section 1747.08, includes a cardholder’s ZIP code.
Within California, the effect of this ruling is significant. Retail stores routinely ask customers for their ZIP code for both marketing and regional sales forecasting. The potential effect is compounded by the fact that in 2008, this practice was considered exempt from the Credit Card Act by the court’s holding in Party City. Seemingly overnight, actions that were previously authorized could now subject retail stores to statutory penalties up to $250 for the first violation and $1,000 for each subsequent violation. At a minimum, California retailers should take a close look at their information collection practices and consider updating those policies in light of this decision.