The Supreme Judicial Court of Massachusetts recently held that collecting a consumer's ZIP code at the point of sale may violate Massachusetts General Laws Chapter 93, Section 105(a) (Section 105(a)), which restricts the ability of retailers to collect personal identification information (PII) from consumers in connection with a credit card transaction.  The ruling follows a wave of class action lawsuits in California regarding the collection of ZIP code information and signals a need for retailers to carefully review their information collection practices in connection with credit card transactions.

In 2011, Melissa Tyler, a customer of Michaels Stores, Inc. (Michaels), filed an action on behalf of herself and a putative class of Michaels' customers.  The complaint alleged that Michaels repeatedly violated Section 105(a) by requesting customer ZIP code information when processing credit card transactions.  Michaels filed a motion to dismiss the complaint and the U.S. District Court for the District of Massachusetts certified the following questions to the Supreme Judicial Court of Massachusetts:

• Does a ZIP code constitute PII under Section 105(a)?
  
  
• Can a plaintiff bring an action under Section 105(a) absent any indication of identity fraud?
  
  
• Does the statute's reference to a "credit card transaction form" include electronic forms in addition to paper forms?

On March 11, 2013, the Supreme Judicial Court issued its opinion (__ N.E.2d.__, No. SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013)), sending a strong warning to retailers doing business in Massachusetts.

ZIP Codes are Personal Identification Information

In response to the first certified question, the Supreme Judicial Court concluded that ZIP codes are in fact PII, a holding that parallels the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. (51 Cal. 4th 524 (2011)).  Under the Massachusetts law, "personal identification information" is defined as including, but not limited to, a "credit card holder's address or telephone number." (G.L. c. 93, § 105(a))  The definition is explicitly nonexhaustive and leaves open the possibility that information other than an address or telephone number may qualify as PII.  In analyzing this question, the court emphasized that a consumer's ZIP code, when combined with the consumer's name, generally provides retailers with enough information to identify the consumer's address or telephone number through publicly available databases.  To conclude that ZIP codes are not PII "would render hollow the statute's explicit prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection." (Tyler, 2013 WL 854097, at *4)

Plaintiffs Can Bring Claims Absent Identity Fraud

In response to the second question, the court reached a different conclusion than the district court with respect to whether Michaels' collection of ZIP codes, absent identity fraud, caused Tyler a cognizable injury.  The district court concluded that where there are no instances of actual data loss or misappropriation, there is no cognizable injury. (Tyler v. Michaels Stores, Inc., 2012 WL 397916 (D. Mass. Jan. 6, 2012))  The Supreme Judicial Court, however, focused on the legislative history of Section 105(a) and highlighted that the statute was primarily intended to address the invasion of consumer privacy by merchants, not identity fraud.  As a result, there is no reason to read into the statute a requirement that the plaintiff suffer from identity fraud in order to assert a claim.  However, a consumer seeking to bring an action must allege that he or she has been injured by the act or practice claimed to be unfair or deceptive.  In this instance, the court held that there are at least two types of injury that may theoretically arise from a retailer's violation of Section 105(a):  (1) the actual receipt by a consumer of unwanted marketing materials as a result of the merchant's unlawful collection of PII and (2) the merchant's subsequent sale of consumer PII.  Ultimately, the court concluded that when a merchant acquires PII in violation of Section 105(a) and uses the information for its own business purposes (such as for marketing or the subsequent sale of information to a third party), it has caused a cognizable injury to the consumer.

Section 105(a) Applies to Paper and Electronic Credit Card Forms

Finally, the Court concluded that Section 105(a)'s reference to a "credit card transaction form" is intended to apply to both electronic and paper credit forms.  Again, the court turned to the language of the statute, which provides that "[n]o person … or … business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information … on the credit card transaction form." (G.L. c. 93, § 105(a))  The statute does not expressly limit the term "credit card transaction form" to paper forms and it appears to contemplate all credit card transactions, whether processed manually or electronically.  The court held that a narrow interpretation of the statutory language would render Section 105(a) "essentially obsolete in a world where paper credit card transactions are a rapidly vanishing event," (Tyler, 2013 WL 854097, at *7) and concluded that credit card transaction forms refer equally to electronic and paper forms.

What Does This Mean for Your Business?

The Tyler decision sends a strong warning to retailers doing business in Massachusetts.  To mitigate the risk of a potential class action, retailers should carefully review their information collection practices at the point of sale (both in store and online) to determine whether such practices comply with applicable law.  Note that in addition to Massachusetts and California, at least 13 other states have enacted statutes that restrict the collection of information in connection with a credit card transaction.

Perkins Coie's Privacy & Security group provides clients with practical legal advice and effective tools to comply with U.S. and international data protection laws.  Perkins Coie has a pre-eminent Retail & Consumer Products group.  Its lawyers regularly advise retail clients on compliance with e-commerce and privacy related issues.  In addition, Perkins Coie's Consumer Class Action Defense group regularly defends retailers in a variety of consumer class actions.

© 2013 Perkins Coie LLP