Legal Matters: Collecting Customer ZIP Codes? Beware the Legal Risks
The Supreme Court of California recently ruled that collecting ZIP codes from customers who paid by credit card may subject merchants to class-action lawsuits. Dozens of such actions have already been filed, including against retailers "yet to be named." Reported settlements paid by some companies have exceeded $25 million. The lesson is clear: All retailers should review their customer information collection practices in light of California law (and that of other states) to avoid becoming the target of class-action lawyers.
The California Supreme Court Decision
Pineda v. Williams-Sonoma was decided by the California Supreme Court on Feb. 10. The facts considered in the case are quite typical of the way many retailers process their in-store transactions. Jessica Pineda alleged that she visited a Williams-Sonoma store in California and selected an item for purchase. She proceeded to the cashier to pay by credit card, where she was asked for her ZIP code. Pineda believed she was required to supply the requested information to complete the transaction. The cashier entered her ZIP code into the point-of-sale system and completed the transaction. At the end of the transaction, Williams-Sonoma had captured Pineda's credit card number, name and ZIP code.
According to the court decision: "Defendant subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. … Defendant uses its database to market products to customers and may also sell the information it has compiled to other businesses."
Legal Basis for the Court's Decision
The decision of the California Supreme Court that ZIP codes constitute personal identification information is based on the Song-Beverly Act. This law prohibits retailers accepting credit cards from requesting or requiring the cardholder to provide personal identification information, which the retailer records.
A trial court dismissed Pineda's claim that capturing her ZIP code violated the Act, and the Court of Appeal affirmed the dismissal on the grounds that while telephone numbers and mailing addresses constitute personal identification information, a ZIP code doesn't because it's not specific to the individual. When the case reached the California Supreme Court, however, the justices reversed the dismissal. They ruled that the Act is violated when a business requests and records a customer's ZIP code during a credit card transaction.
Impact of the Court's Decision
As a result of this decision, retailers are now prohibited from collecting ZIP codes from California credit card customers unless one of a limited number of exceptions applies. In fact, the restriction goes beyond ZIP codes to any "information concerning the cardholder" that doesn't appear on the credit card itself. Under the reasoning adopted, collection of a California customer's email address, state of residence or even marketing preferences could constitute a violation of the statute.
The consequences for violating the statute can be staggering: each violation can result in a penalty of up to $1,000, and a class-action lawsuit can seek such a penalty for each and every instance in which a ZIP code was requested. If a company is found to have violated the law, the only possibility of avoiding penalties is to make a showing "by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error."
An Important Exception
Companies that sell exclusively online or mail order, as well as some brick-and-mortar retailers, should be able to benefit from an exception in the law. The collection of personal identification information that's required for, but not limited to, information relating to shipping, delivery, servicing or installation of the purchased merchandise or for special orders is allowed.
The burden is on the retailer to demonstrate that it qualifies for the exemption. It should be quite easy for remote sellers to demonstrate that a ZIP code is necessary for delivery purposes. However, if a California resident makes a purchase but directs delivery to another address as a gift, this exception may not apply. Likewise, if products are delivered electronically, it may be difficult to demonstrate that collecting ZIP codes is necessary.
Lowering Your Company's Risk
Since the Pineda decision comes from the highest court in California, there's likely no recourse for retailers. Even if the California legislature changes the law, it will probably not have a retroactive effect. Moreover, the Court made clear in the Pineda case that its ruling that ZIP codes constitute personally identifiable information will apply retroactively.
Despite these ominous features of the California law, there are steps that retailers can take to strengthen their defensive position. A clearly written policy detailing that the information is collected for special purposes, such as product warranty or product safety recall notifications, would create a colorable defense.
Nevertheless, retailers should determine whether they're in compliance with numerous state laws that prohibit the collection of full addresses or telephone numbers in connection with credit card purchases. States with such restrictions include the District of Columbia, Delaware, Georgia, Kansas, Massachusetts, Maryland, New Jersey and Wisconsin. A major class-action lawsuit was recently filed in Massachusetts, and others are sure to follow.
State regulation over the collection of customer information and its subsequent use is a rapidly evolving area of law that warrants close monitoring by all retailers. The threat of class-action lawsuits should elevate this issue to high-priority status on every company's compliance agenda.
George S. Isaacson is a senior partner at Brann & Isaacson, a direct marketing law firm. Reach George at gisaacson@brannlaw.com.