Over the past two years, a big growth area for plaintiffs’ lawyers has been cases challenging the use of zip codes or other identifying information by merchants that process credit-card transactions.
In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores that a zip code constitutes “personal identification information” under California’s Song-Beverly Credit Card Act, thus potentially exposing retailers to civil penalties of up to $1,000 per violation if they request and record the zip codes of customers paying by credit card. (My colleagues John Nadolenco and Archis Parasharami did a teleconference about Pineda that you can listen to here.) Sensing blood in the water, the plaintiffs’ bar filed a wave of class actions against brick-and-mortar and online retailers.
Earlier this year, the California Supreme Court narrowed the scope of its ruling to exclude online retailers selling downloadable products. See Apple, Inc. v. Super. Ct., No. S199384 (Cal. 2013). Because the court left undecided whether other online or non-face-to-face transactions are actionable, numerous California class actions against online retailers and catalog merchants remain pending. (In my view, these cases also should be dismissed; these vendors have no opportunity to inspect customers’ credit cards or identification physically, and need the customer’s address to ship the goods.)
Similar cases are being filed in other states. In March, the Massachusetts Supreme Judicial Court held that zip codes are “personal identification information” for purposes of Massachusetts’ equivalent to the Song-Beverly Credit Card Act, G.L. c. 93, § 105(a). See Tyler v. Michaels Stores Inc., No. SJC-11145 (Mass. Mar. 11, 2013). As in California, a number of new class actions under the Massachusetts law have been filed in the wake of Tyler.
But where will these lawsuits show up next? Nine other jurisdictions have privacy laws similar to California’s Song-Beverly Credit Card Act and the Massachusetts law: Delaware (Del. Code tit. 11, § 914), the District of Columbia (D.C. Code § 47-3153), Kansas (Kan. Stat. § 50-669a), Maryland (Md. Code Com. Law § 13-317), Minnesota (Minn. Stat. § 325F.982), New Jersey (N.J. Stat. § 56:11-17), New York (N.Y. Gen. Bus. Law § 520-A(3)), Rhode Island (R.I. Gen. Laws § 6-13-16), and Wisconsin (Wis. Stat. § 423.401).
Hopefully, courts in those jurisdictions will reject the broad interpretation of “personal identification information” that the California and Massachusetts high courts adopted; retailers have strong arguments that legislatures did not intend to subject businesses to liability for obtaining ZIP code information—especially because such information often is publicly available and does not raise the same kinds of privacy concerns as, say, social security numbers might.
That said, retailers should watch these jurisdictions carefully, review what data they collect from credit-card customers, and assess what is being done with that data. The wave of zip-code class actions may still be building.