The Perils of Zip Code Collection Reach Massachusetts

On March 11, 2013, the Supreme Court of Massachusetts joined California in prohibiting the collection and retention of customer zip codes by retailers in connection with credit card transactions. In Tyler v. Michaels Stores, Inc., the Court based its decision on Massachusetts General Law ch. 93, § 105(a), which provides that retailers cannot “write, cause to be written, or require that a credit card holder write personal identification information not required by the credit card issuer, on the credit card transaction form.” Like California, the Massachusetts court interpreted “personal identification information” so broadly as to include mere zip codes.

Background. In 2011, the Supreme Court of California sent shock waves through the retail industry when it ruled in Pineda v. Williams Sonoma Stores, Inc. that zip codes constituted “personal identification information” under California Civil Code § 1747.08 that could not be collected and retained in connection with credit card transactions except in very limited instances. The prohibition against collection of personal identification information applied even if zip codes were requested, but not required, to complete a purchase. As a result of the decision, retailers selling to California consumers have faced costly class action lawsuits (with claims for as much as $1,000 per violation) even if no actual damages or injury could be shown. And while the Supreme Court of California recently held in Apple, Inc. v. Superior Court, that this prohibition did not apply to online transactions involving digitally downloaded products, the Court was careful to state that it was reserving judgment as to whether it applied to “any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer”—explaining that “we express no view on whether the statute governs mail order or telephone order transactions…”

It should be noted that the California prohibition does not apply where address information (including zip codes) is required for “a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” Cal. Civ. § 1747.08(c)(4). Thus, in most instances, direct marketers may be outside the scope of California’s prohibition when the address information is required, for example, for shipping. This exclusion, however, may not apply in gift transactions where a product is shipped to a third-party, or where the customer makes arrangements to pick up a product at an in-state location other than his or her home address. Like California’s law, the statute in Massachusetts defines “personal identification information” broadly, and includes a narrower exception where the information is “necessary for shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily by a credit card holder.”

The Massachusetts Case. In reaching its holding, the Supreme Court of Massachusetts concluded that zip codes were “personal identification information” because, when combined with a consumer’s name, they provide “the merchant with enough information to identify through publicly available databases the consumer’s address or telephone number…” And while the Court found that a consumer had to show injury in order to sue based upon a violation of § 105(a), such an injury was not limited to a “loss of money or property.” The court ruled that “actual receipt by a consumer of unwanted marketing materials” constituted an actionable injury, as did “the merchant’s sale of a customer’s personal identification information to a third party.” While the court was not presented with the question of whether the law applied to online or mail order transactions, its expansive interpretation could well reach direct marketers who fall outside § 105(a)’s limited safe harbor. One question the Massachusetts court did not address: whether the law prohibits the entry of a zip code (or other personal information) into a company database, as opposed to its entry on an electronic credit card transaction form. That nuance may provide a ray of hope for retailers caught up in the class action frenzy this decision is likely to trigger.

Nationwide Risks. Retailers face risks in other jurisdictions that have statutes similar to those in California and Massachusetts, including Delaware, the District of Columbia, Maryland, Minnesota, Nevada, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin. It would be wise to carefully review your information collection rules in these and other states as a first line of defense against class action lawsuits and state enforcement actions. In combination, the California and Massachusetts decisions are so wide-sweeping as to provide tremendous encouragement to class action lawyers eager to test the reach of laws in other states.

Posted by David Bertoni