On January 6, 2012, a Massachusetts District Court, in Tyler v. Michael Stores, Inc., held that zip code information is personal identifiable information (“PII”) under a state consumer protection statute. In Tyler, the plaintiff provided her zip code to a cashier at Michaels’ arts and crafts store while making a purchase with her credit card. According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”
In its order, the Court dismissed the case because the plaintiff was unable to show cognizable injury. Nevertheless, the Court held that zip codes are PII because such information is consistent with language in a Massachusetts criminal identity theft statute that defines PII as any “number” used “alone or in conjunction with any other information” to assume the identify of an individual. Moreover, despite Michaels’ argument that the state statute applies only to credit card information recorded on paper, the Court stated that the statute applies to all credit card transactions, including those processed manually, electronically, or by other methods.
Businesses that collect customer information at the sales register should continue to closely follow this issue as this case, as well as the recent California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., may foretell lawsuits in other states with consumer protection statutes that are similar to those in Massachusetts and California.