The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

ZIP Codes are Personal Information Under California’s Song-Beverly Credit Card Act.

Leave a comment

In a unanimous decision released February 10, 2011 in Pineda v. Williams-Sonoma (S178241),  the California Supreme Court held that a ZIP code is “personal information” under California’s Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Credit Card Act”).  Therefore, businesses may not request or require that a cardholder provide a ZIP code during a credit card transaction and then record the ZIP code, unless the transaction falls under an exception in the Act.
The plaintiff in Pineda sued Williams-Sonoma alleging that when she made a purchase at one of its stores using her credit card, the cashier requested her ZIP code and recorded it. The complaint also alleged that Williams-Sonoma subsequently used the plaintiff’s name and ZIP code to find her full address and add her to its marketing database. 
The Pineda case involved interpreting the section of the Song-Beverly Credit Card Act which restricts collection of information from consumers during a credit card transaction and the section defining personal identification information. The relevant portion of Sections 1747.08(a)(2) and 1747.08(b) provide as follows:
(a)(2)   “[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . (2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." [emphasis added]
(b)               "Personal identification information" is defined as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
The California Supreme Court decided to hear the Pineda case after the lower courts had ruled that collection of a ZIP code alone was not personal identification information and, therefore, was not covered by this prohibition in the Song-Beverly Credit Card Act. The lower courts based their decisions on reasoning similar to that in Party City Corp. v. Superior Court, 169 Cal.App.4th 497 (2008), which also held a ZIP code, without more, does not constitute personal identifying information in large part because a ZIP code pertains to a group of individuals, in contrast to a complete address or a phone number which are specific to an individual. 
The California Supreme Court rejected the lower courts’ reasoning and held that personal identification information includes a cardholder’s ZIP code “in light of the statutory language, as well as the legislative history and evident purpose of the statute.” In its statutory analysis, the Court concluded that “address” should be broadly construed “as encompassing not only a complete address, but also its components.”   The Court noted that this broad interpretation is consistent with the “expansive language” used in the Act and with the rule that remedial statutes should be liberally construed in favor of their protective purpose. After its review of the legislative history of the Song-Beverly Credit Card Act, the Court concluded that the Act is “intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”
Questions Raised By the Decision
The Song-Beverly Credit Card Act has been significant over the last several years because it provides a private right of action and statutory damages of up to $250 for the first violation and $1000 for each subsequent violation. After the decision in Florez v. Linen N Things, 108 Cal.App.4th 447 (2003), there have been numerous class actions filed against retailers under the Song-Beverly Credit Card Act that have resulted in settlements.
The Court’s decision in Pineda, particularly the interpretation of the purpose of the Song-Beverly Credit Card Act, raises several important questions and considerations, including the following:
·         The ability of businesses to solicit and record information during credit card transactions that is not necessary to the transaction. For example, consideration should be given to other types of data beyond ZIP code that will be covered as personal identification information. 
·         How to interpret the exception in section 1747.08(c)(4) which allows collection of personal identification information for a special purpose incidental but related to the credit card transaction, such as shipping, delivery, servicing or installation or special orders. The questions after Pineda will be what would be other “special purposes” and if the collection is not for a special purpose, is it “necessary” for the credit card transaction. 
·         Whether the Act applies to return transactions, as has been considered in several state and federal court rulings in California. See, e.g., Romeo v. Home Depot USA, Inc., No. 06-CV-1505, 2007 WL 3047105, 2007 U.S. Dist. LEXIS 77144 (S.D. Cal. Oct. 16, 2007); Korn v. Polo Ralph Lauren Corp., 644 F. Supp. 2d 1212 (E.D. Cal. 2008); TJX Cos., Inc. v. Super. Ct., 163 Cal. App. 4th 80 (2008); Absher v. AutoZone, Inc., 164 Cal.App.4th 332 (2008).  These prior ruling reviewed section 1747.08(a)(3) and determined that the Song-Beverly Credit Card Act did not apply to return transactions.  The Court was not considering this particular issue in Pineda or the same subsection, so those decisions should stand and an argument can be created that the additional information is necessary for fraud protection purposes.   It will, however, be important that consideration is given before the information collected for special purposes or returns, is also used for marketing purposes.
·         Whether the Act applies to online transactions, as was considered in Saulic v. Symantec Corp., 596 F.Supp.2d 1323 (C.D.Cal. 2009).  The court in Saulic held that the Act does not apply to online transactions based upon a narrow reading of 1747.08, and its reasoning may be called into question after Pineda

Author: Eric Whisler

Associate at Vorys, Sater, Seymour and Pease LLP.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s