02.15.2011

|

Updates

On February 10, 2011, the California Supreme Court held that a customer's ZIP code is "personal identification information" ("PII") under the California Song-Beverly Credit Card Act of 1971 and that businesses cannot request and record a customer's ZIP code during a credit card transaction.  In Pineda v. Williams-Sonoma Stores, Inc., the court held that "[i]n light of the statute's plain language, protective purpose, and legislative history, we conclude a ZIP code constitutes ‘personal identification information.’ . . . Thus, requesting and recording a cardholder's ZIP code, without more, violates the Credit Card Act."

In her complaint, Jessica Pineda alleged that she visited a Williams-Sonoma store in California and used her credit card to pay.  The cashier asked Pineda for her ZIP code, Pineda provided it and the cashier entered the ZIP code into her cash register.  Williams-Sonoma then had Pineda's name, credit card number and ZIP code recorded in its database.  Later, Williams-Sonoma conducted reverse searches and matched Pineda's name and ZIP code with her previously undisclosed address, which it then stored in its database for marketing purposes.  Pineda alleged that the collection of the ZIP code violated the Credit Card Act.  The trial court and court of appeals disagreed with her.  The California Supreme Court then granted review of Pineda's Credit Card Act claim.

In its decision, the court first looked to the statute's plain language, which states that "[n]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . (2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information ("PII"), which [it then] causes to be written, or otherwise records upon the credit card transaction form or otherwise."  The court noted that the case turned on whether a cardholder's ZIP code, without more, constituted PII.

The Credit Card Act defines PII as "information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number."  The Court noted that the word "concerning" is broad and that a cardholder's ZIP code, which refers to an area where a cardholder works or lives, is "certainly information that pertains to or regards the cardholder."  The California Supreme Court also noted:

    • "[A] ZIP code is readily understood to be part of an address" and that the California Legislature intended the "components of [an] address" to be PII.
    • "[T]hat a cardholder's ZIP code pertains to individuals in addition to the cardholder" does not mean it's not PII.  It's similar to an address where multiple people live or a telephone number that more than one individual uses and can be PII even if it pertains to "tens, hundreds, or even thousands of individuals."
    • "[A] ZIP code is both unnecessary to the transaction and can be used, together with the cardholder's name, to locate his or her full address" for use in other ways by the retailer.

The court finished by explaining why it adopted this "broader interpretation" of PII, including because it (1) would prohibit retailers from "end-running" around the statute's clear purposes; (2) gave meaning to the term "concerning," which was meant to broadly protect any PII; (3) was consistent with prohibitions on retailers recording information included on a driver's license or ID card; and (4) was consistent with the statute's legislative history, which indicated that the legislature meant to protect privacy and to "provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction."

Also as part of its decision, the California Supreme Court disagreed with a 2008 decision from a California Court of Appeals in Party City Corp. v. Superior Court of San Diego County, where the California Court of Appeals held that ZIP codes do not qualify as "personal identification information" under the Song-Beverly Credit Card Act of 1971, found at Cal. Civ. Code § 1747 et seq.  Party City Corp. v. Superior Court of San Diego Cnty., D053530, Cal. Ct. App., Dec. 19, 2008.

Retailers who collect this data could be potentially subject to claims, including to class action litigation, for violations of the Credit Card Act. The Credit Card Act provides remedies of restitution and statutory penalties of up to $250 for the first violation and $1,000 for the second violation for each class member, so the risk associated with such litigation is not insubstantial. Retailers doing business in California should promptly review their information collection and use practices in light of this decision.

 

Perkins Coie has a pre-eminent Retail & Consumer Products group.  Its lawyers regularly advise retail clients on compliance with e-commerce and privacy related issues.  In addition, Perkins Coie's California Consumer Class Action defense group regularly defends retailers and others who sell products or services in California in a variety of consumer class actions.  Perkins Coie's Privacy & Security group provides clients with practical legal advice and effective tools to comply with U.S. and international data protection laws.

© 2011 Perkins Coie LLP

 

Sign up for the latest legal news and insights  >