• Retailers Must Be Careful to Avoid Violating Consumer Privacy Laws When Collecting Personal Information From Their Customers
  • March 9, 2011 | Authors: J. Todd Kennard; Colin Leary; Kevin D. Lyles
  • Law Firms: Jones Day - Columbus Office; Jones Day - San Francisco Office; Jones Day - Columbus Office
  • What can one of your customers do the next time that a retail sales associate asks for the customer's ZIP code when she checks out? Sue—at least, that is what the California Supreme Court recently announced in a case overturning lower court rulings that had come out with the opposite conclusion. The Supreme Court's decision in Pineda v. Williams-Sonoma Stores, Inc., S178241 (Cal. Feb. 10, 2011) may also have major implications for even the prior practices of retailers doing business in California, making them potentially liable for not more than $250 for the first violation and not more than $1,000 for each subsequent violation. For companies that may have gathered seemingly innocuous ZIP code information in credit card transactions to try to help focus marketing efforts or to try to prevent fraud, the Pineda decision may not only require a change in future efforts to collect information, but also allow for potential liability related to past practices, depending on the facts and circumstances at issue.

    The California statute at issue, the Song-Beverly Credit Card Act of 1971, states that no corporation (or other specified entity) "that accepts credit cards for the transaction of business shall ... [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." (Civ. Code § 1747.08 (emphasis added).) The statute defines "personal identification information" as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number."

    The plaintiff in the Pineda case claimed that while she was paying for a purchase at a Williams-Sonoma store with a credit card, the cashier asked her for her ZIP code. The plaintiff claimed that the cashier recorded the information and that Williams-Sonoma later used her name and ZIP code to figure out her home address using "reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book." The plaintiff claimed that software matched her name and ZIP code with a previously undisclosed address, which gave Williams-Sonoma information that it maintains in its own database used to market products to customers and which information may also be sold to other businesses.

    The California Supreme Court explained that the issue in the Pineda case was "whether [Civil Code] section 1747.08 is violated when a business requests and records a customer's ZIP code during a credit card transaction." The Court said that the answer to that question was yes: "[i]n light of the statute's plain language, protective purpose, and legislative history, we conclude a ZIP code constitutes 'personal identification information' as that phrase is used" in the statute. "Thus, requesting and recording a cardholder's ZIP code, without more, violates the [statute]." The Court indicated a cardholder's address and telephone number, which are expressly referenced in the statute, constitute information that is "unnecessary to the transaction" and that could be used with other information to locate the customer's full address—either for its own purposes or to sell the information to other businesses.

    The Court applied its interpretation of the statute to the defendant's prior activities despite the fact that Pineda overruled a prior appellate court decision, Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), that had reached the opposite conclusion and held that a ZIP code by itself was not personal identification information under the statute, although in a different factual and procedural context. The Court in Pineda explained its decision to apply its interpretation retrospectively despite Party City by noting that, because the alleged conduct and the filing of the complaint predated Party City, the defendant could not have been relying on it when engaging in the conduct. Although the Court also stated that "it is difficult to see how a single decision by an inferior court could provide a basis to depart from the assumption of retrospective operation," retailers accused of violating the statute should consider the timing of the alleged conduct and the filing of the complaint, as well as the specific allegations regarding the information collected, because the Court's language does not necessarily preclude an argument that a defendant relied on the appellate court's decision during the period between its issuance and the promulgation of Pineda.

    Although the Pineda decision has led to a flurry of news stories and blogging efforts, there are some potential defenses or exceptions to the statute that retailers should consider even after Pineda. For example, Section 1747.08 itself contains some exceptions for permissible uses for collecting information, including when a credit card is being used as a deposit or for cash advances, when the company accepting the card is contractually required to provide the information to complete the transaction or is obliged to record the information under federal law or regulation, or when the information is required for a purpose incidental to but related to the transaction, such as for shipping, delivery, servicing, installation, or for special orders.[1] (Civ. Code § 1747.08(c).) In addition, a business is not prohibited from "requiring the cardholder as a condition to accepting the credit card..., to provide reasonable forms of positive identification, which may include a driver's license or a California state identification card, or where one of these is not available, another form of photo identification, provided that none of the information contained thereon is written or recorded...."

    It is also important to keep in mind the context in which the Pineda case arose. Because of the procedural posture of the case, the Court accepted as true all of the plaintiff's allegations regarding the collection and use of the ZIP code information. The ultimate determination of whether Williams-Sonoma actually violated the statute will depend on the actual factual record presented to the trial court on that court's further consideration of the matter. In addition, for those companies facing potential liability with respect to past practices in light of Pineda, it is important to keep in mind that the California Supreme Court indicated that while the statute states maximum penalties, the amount of penalties awarded rests with the trial court's discretion.

    The decision also does not directly address a number of interesting follow-on issues, including whether an email address will be treated as "personal identification information" under the statute in online transactions. One federal district court, applying California law, previously held that the same statute does not apply to online transactions, although California state courts and plaintiffs' lawyers may try to revisit that issue in light of Pineda. See Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009). Additionally, it is unclear whether California's Pineda decision will be a bellwether for decisions in other states with laws that prohibit retailers from documenting certain consumer information in connection with credit card transactions, including Kansas, Massachusetts, New Jersey, New York, Minnesota, Oregon, Rhode Island, and Wisconsin. Many of these states' statutes use the term "personal identification information," or a close analogue, and similarly define it as information concerning a consumer that includes, without limitation, the consumer's address and telephone number. Plaintiffs in such states may attempt to look to parallels in the statutes and encourage courts in their own jurisdictions to adopt the reasoning behind the Pineda decision. Accordingly, it remains to be seen whether Pineda is the first in a wave of new credit card information cases or simply a narrow, California-specific decision on ZIP code information. We can be sure, however, that plaintiffs' lawyers will prompt answers to this question. Indeed, one report indicates that more than a dozen new lawsuits were filed in the first few days following the decision.

    Retailers that collect information from consumers in connection with credit card transactions should monitor the future developments in the Pineda case, which will continue to command significant attention. Retailers that have a practice of collecting information from consumers in connection with credit card transactions should ensure that there is a business need for the information and that the collection efforts meet an enumerated exception to the statute's prohibitions. Businesses that inquire whether consumers wish to join mailing lists should also carefully review applicable regulations to ensure that they are not inadvertently running afoul of prohibitions on collecting information. In addition, retailers should provide an appropriate privacy notice to inform consumers of what information is being collected about them and how the retailer will use the information. Retailers should also consider performing internal audits and implementing new policies and procedures for ensuring compliance with Pineda. As a best practice, we recommend that businesses follow the Generally Accepted Privacy Principles adopted by The American Institute of Certified Public Accountants or the Federal Trade Commission's Fair Information Practice Principles.