New Privacy Obligations For California Retailers

Privacy & Information Security Update

Date: February 18, 2011

Overview

California law long has prohibited retailers from requesting certain personal information in connection with credit card transactions. On February 10, 2011, the California Supreme Court applied an even broader interpretation, holding that a customer's ZIP Code constitutes personal identification information under the state's Song-Beverly Credit Card Act ("Act") and that it is a violation of the Act for a business operating in California to request and record a cardholder's ZIP Code during a credit card transaction.

In Pineda v. Williams-Sonoma Stores, Inc., the plaintiff sued Williams-Sonoma and alleged that while paying for a purchase with her credit card in one of the defendant's California stores, she was asked to provide her ZIP Code, which she did. Ms. Pineda also alleged that the cashier recorded and later used the ZIP Code to locate her home address and add her to Williams-Sonoma's marketing database. Ms. Pineda claimed that Williams-Sonoma violated the Act by requesting and recording her ZIP Code during the credit card transaction.

The Act prohibits, with some stated exceptions, a business from requesting or requiring, "as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." (? 1747.08(a)(2)) The Act defines "personal identification information" as including "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." (? 1747.08(b)) Williams-Sonoma argued, and the trial and appellate courts agreed, that a ZIP Code does not constitute personal identification information as defined in the Act.

The California Supreme Courtdisagreed and reversed the lower court decisions, holding that under proper construction of the Act, a ZIP Code should be considered personal identification information. It reasoned that a ZIP Code was similar to the enumerated examples of such information in the Act because, like an address or telephone number, a ZIP Code is both unnecessary to the transaction and can be used, together with the cardholder's name, to locate his or her address or telephone number. With a ZIP Code the retailer can, as Williams-Sonoma allegedly did here, use the customer's information for targeted marketing or sell the information to other businesses. Accordingly, the Court held that "in light of the statutory language, as well as the legislative history and evident purpose of the statute," personal identification information, as used in ? 1747.08, includes a cardholder's ZIP Code. The Court remanded the case for further proceedings.

Following the Pineda decision, all businesses that complete credit card transactions in California should consider refraining from requesting and recording ZIP Codes or other personal identification information as a prerequisite to completing the transaction, unless one of the exceptions set out in the Act applies.