Businesses Cannot Request and Record Consumers’ ZIP Codes

Insights February 23, 2011

In Pineda v. Williams Sonoma, the California Supreme Court California ruled that retailers may no longer ask customers for their zip code in a credit card transaction.

California retailers may no longer ask customers for their zip code in a credit card transaction.  On February 10, 2011, the California Supreme court unanimously ruled that businesses subject to California law cannot ask credit card users to provide their zip code and record the zip code during the course of any credit card transaction after finding that a zip code constitutes ‘personal identification information under section 1747.08 the Song-Beverly Credit Card Act of 1971 (the Song Act.)

Pineda v. Williams Sonoma Stores began when a customer filed a complaint against Williams-Sonoma alleging that its practice of collecting zip code information at the time of credit card payments violated her privacy.  After collecting customers’ zip codes, Williams-Sonoma used software to match customers’ names and zip codes to obtain mailing addresses which it maintained on its database.  The Court accepted the customer’s allegations that Williams Sonoma used the database for marketing purposes and could have sold the information to other businesses.

California’s Song Act provides privacy protections for credit card users.  Section 1747.08 of the Song Act prohibits, with certain exceptions, businesses from requesting or requiring customers who use credit cards as tender to provide personal identification information and then recording such information.  The statute defines “personal identification information” as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”  The statute also provides a civil penalty not to exceed $250 for the first violation and $1,000 for each subsequent violation.

In its unanimous opinion, the California Supreme Court held that under the plain language of Section 1747.08, zip codes constitute personal identification information.  The Court also stated that Section 1747.08 should be liberally construed in favor of its protective purpose.  This protective purpose includes addressing the misuse of personal identification information for marketing purposes.  The Court also considered its finding consistent with the Song Act’s legislative history which the Court found demonstrated the Legislature’s intent to provide robust consumer protections by prohibiting retailers from “soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”

The impact of this decision is still unclear, though several states, including New York and Massachusetts, have also recently adopted similar statutes.  Many issues regarding the scope of Section 1747.08 remain unaddressed.  For example the Court did not address whether Section 1747.08 precludes the collection of personal identification information in which a business has disclosed to the customer that providing such information is voluntary, that the information is not required to complete the purchase transaction, and that the information may be used for marketing or other purposes.

It is clear, however, that the Court’s decision has retroactive effect and allows class actions with statutory damages of up to $250 for a first violation and $1,000 for each subsequent violation per class member under the Song Act.  Also clear is that the Song Act does not apply to online transactions nor does it apply to refund or merchandise return transactions.