February 17, 2011
In an important decision affecting the retail industry and its marketing efforts, the California Supreme Court held for the first time that a consumer's zip code constitutes "personal identification information," as that phrase is used in Section 1747.08 of the Song-Beverly Credit Card Act of 1971. Requesting and recording a cardholder's zip code as a condition to transact a sale with a credit card violates this Act. The case is Pineda v. Williams-Sonoma Stores, Inc., and its impact is already being felt by the recent flurry of class action complaints filed in San Francisco and Los Angeles alleging that various retailers are requesting and recording zip code information with credit card transactions to compile marketing databases.
The Song-Beverly Credit Card Act is designed to promote consumer protection and specifically prohibits businesses from requesting that cardholders provide "personal identification information" during credit card transactions, and then recording that information. It was enacted with the overriding purpose of protecting the personal privacy of consumers who pay for transactions with credit cards.The Legislature has also tried to address the misuse of personal identification information for, among other things, marketing purposes, and has found that there is no legitimate need to obtain such personal information from credit card customers if it is not necessary to complete the credit card transaction. At the time of its enactment most credit card transactions were made with "sliders" and carbon paper. Today most transactions are electronic. The privacy and security concerns that arise when personal indentifying information is combined with credit card numbers, however, remain the same. On the security side of the equation is the legitimate concern of credit card issuers and merchants to protect against fraudulent use of credit cards by verifying the user with such information as driver's licenses or residence zip codes. It appears that the tipping point is whether the information is recorded. Importantly, the language of the statute includes the term "request' so that obtaining such information from a person that provides the information voluntarily upon request is also prohibited if it is recorded.
The Pineda case shows how perilous it can be for merchants to even apparently request zip code information during credit card transactions. In June 2008, Jessica Pineda filed a complaint against Williams-Sonoma Stores, Inc. stemming from her credit card purchase. When she went to pay for an item with her credit card, the cashier asked her for her zip code. Believing her zip code was required in order to complete the transaction, she provided the requested information. Pineda alleged the cashier entered her zip code into the electronic cash register, and when the transaction was completed, Williams-Sonoma had her credit card number, name, and zip code recorded in its database.
Pineda alleged that Williams-Sonoma was able to subsequently use this information in research databases to match her name and zip code with her previously undisclosed address. She further alleged that Williams-Sonoma maintained this information in a database, used it to market products to her, and to sell this information to other businesses. Williams-Sonoma argued that a person's zip code is not "personal identification information" relying on a previous appellate court decision which found that zip codes were not personal identification information since they applied to groups of people rather than any specific individual. The trial and appellate court agreed respectively granting and affirming summary judgment in favor of Williams-Sonoma. The California Supreme Court reversed, however, holding that a cardholder's zip code was "personal identification information," as the term is used in the broadly worded Credit Card Act. Perhaps more significantly, the Court noted that the zip code was information that was unnecessary to the sales transaction. Together with other data, such as the cardholder's name and/or credit card number, the zip code could be used for the retailer's business purposes such as marketing which is prohibited.
Although Section 1747.08(d) permits a business to require a credit cardholder to provide "reasonable forms of positive identification," such as a driver's license, the statute specifically mandates that none of this information may be "written or recorded." Thus, while a business may require a cardholder to provide a driver's license, it may not record any of the information from the license, including the cardholder's zip code.
- Immediately stop recording a customer's zip code or other personal indentifying information in a database associated with credit card transactions.
- Do not require any personal information above and beyond what is needed for the credit card transaction to positively identify the cardholder.
- If zip code information is desired from the customer for the store's marketing purposes, the customer should be made explicitly aware that the information is neither required nor related to the credit card transaction and is given on a voluntary basis by the customer. This information should also be stored separate and apart from any credit card transaction, such that the zip code voluntarily given by the customer cannot be traced to any credit card information or other personal identification.
Charles Alfonzo is a complex tort and business litigation partner at Burnham Brown. He is a co-leader of the Retail and Hospitality Practice Group and has handled a variety of cases at both the state and federal level and in jurisdictions throughout the United States. Mr. Alfonzo can be reached at 510-835-6825 or email@example.com. David Wilgus is a litigation associate with Burnham Brown. Mr. Wilgus is a member of the Litigation Practice Group and has extensive experience in multiple areas of civil litigation and trial work, including premises liability, product liability, complex tort, landlord/tenant, wrongful death, trucking/transportation and contract cases throughout California. Mr.Wilgus can be reached at 510-835-6803 and firstname.lastname@example.org.