The California Supreme Court recently ruled that ZIP codes are “personal identification information” under the state’s credit card consumer protection statute. Accordingly, the Court ruled retailers may not collect and record ZIP codes from consumers as a condition to completing a credit card transaction.
Just a few days later, several law firms in San Francisco and Los Angeles filed class action lawsuits against major retailers, seeking damages for alleged violations of the California law.
First enacted in 1971, the Song-Beverly Credit Card Act prohibits California retailers from requiring a consumer to provide personal identification information, and recording that information, as a condition to accepting payment by credit card. The Act defines “personal identification information” as “information concerning the cardholder, other than information set forth on the credit card, including, but not limited to, the cardholder’s address and telephone number.” The Act does, however, permit a retailer to require positive identification so long as the retailer does not record that information.
In the new decision, Pineda v. Williams-Sonoma, the plaintiff sued Williams-Sonoma after the retailer collected her ZIP code during a credit card transaction and recorded the ZIP code along with her name and credit card number. According to the opinion, the retailer used that information to perform a computerized search to match her name with an address at the ZIP code. The retailer kept that information in a database that it used to market products to its customers.
The Supreme Court’s decision reversed an appellate court decision that, along with other prior decisions, held that a ZIP code is not personal identification information because it is not unique to the individual. In the new decision, the Supreme Court reasoned that the ZIP code is part of the cardholder’s address, and the Act expressly prohibits retailers from collecting and recording address information.
The Pineda case was filed as a class action. According to recent reports, at least 16 additional class actions were filed within four days of the decision. The class actions seek damages under the Act’s penalty clause, which provides for a penalties of up to $1,000 per violation.
Because of the new decision, retailers who operate in California should use caution when collecting information from consumers in connection with a credit card transaction. Retailers should ensure that their activities do not run into the Act’s restriction on the collection and recording of personal data.