Requesting at Point of Sale Subject to Statutory Penalties
By Daniel T. Rockey, Of Counsel, Bullivant Houser Bailey PC
On February 10, 2011, the California Supreme Court unanimously held that retailers who ask for a customer's zip code in connection with credit card transactions violate the Song-Beverly Credit Card Act of 1971 ("Credit Card Act") and may be subject to statutory penalties of up to $1,000 per violation.
If your business is requesting zip code information at the point of sale, this practice should cease immediately. That much is clear. Retailers should also take note, however, that the Court's reasoning would potentially apply to any information that can be reverse-matched to the consumer's name and address, including, for example, e-mail addresses. In light of this decision, all retailers are well-advised to review their data collection practices at the point of sale to ensure that only information necessary to complete the credit card transaction, or an incidental purpose unrelated to marketing, is collected.
In Pineda v. Williams-Sonoma Stores, Inc., --- Cal. Rptr. 3d ---- (Cal. 2011), the plaintiff alleged that while making a credit card purchase at a Williams-Sonoma store, the clerk asked for her zip code. The plaintiff further alleged that the clerk entered her zip code into an electronic cash register and that, subsequently, Williams-Sonoma used a computer program to reverse match her name and zip code to "databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses" in order to learn her previously undisclosed address for marketing purposes.
Upset at the perceived invasion of her privacy, the plaintiff filed a class action lawsuit against Williams-Sonoma asserting, among other things, a cause of action under the Credit Card Act. The Credit Card Act provides that no one shall "[r]equest, or require as a condition to accepting the credit card as payment...the cardholder to provide personal identification information" which is then recorded. The statute defines "personal identification information" ("PII") as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Violators are subject to statutory penalties of up to $250 for a first violation and $1,000 for "each" subsequent violation.
The trial court dismissed her claims, finding that zip codes were not PII because they relate to many people, rather than a single individual, and the Court of Appeal affirmed the dismissal. The Supreme Court reversed. The Court first noted that zip codes are "readily understood" to be part of a person's address, and therefore fall squarely within the information identified by the statute. More significantly, the Court explained, in light of the statute's legislative purpose of addressing "the misuse of personal identification information for, inter alia, marketing purposes," zip codes should constitute PII because they are "both unnecessary to the transaction and can be used, together with the cardholder's name, to locate his or her full address." The Court noted that a contrary interpretation would "permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, 'end-running' the statute's clear purpose" and "vitiat[ing] the statute's effectiveness."
Thus, the Court held that because zip codes can be reverse-matched to a consumer's name and address, they constitute PII and requesting them in connection with credit card transactions is prohibited. It should be noted that although the Court's opinion deals only with requests for zip codes at the point of sale, the Court's reasoning effectively calls into question the practice of collecting other kinds of information, including asking for a customer's e-mail address, since many types of information, including e-mail addresses, can now routinely be reverse-matched to names, physical addresses, and telephone numbers.
Notably, the statute includes an exception "when the information is required for a purpose incidental to but related to the transaction, such as for shipping, delivery, servicing, or installation." Thus, if the retailer can establish a need for information "incidental" to a card transaction, such as fraud prevention, it may collect PII without running afoul of the Act. However, given the potential for enormous penalties for violations of the Act, all retailers should take this opportunity to revisit their data collection practices to ensure that they are compliant and that they have adequately documented the purposes of their data collection practices.
Daniel Rockey practices IP law from the San Francisco office of Bullivant Houser Bailey PC. For more information about this eAlert, or for assistance in complying with this new ruling, please contact the author, firstname.lastname@example.org, or the IP Group of Bullivant Houser Bailey PC, www.bulllivant.com.
 Cal. Civil Code §1747.08(a).
 Cal. Civil Code §1747.08(b).
 Cal. Civil Code §1747.08(f).
 Saulic v. Symantec, 596 F.Supp.2d 1323 (C.D.Cal. 2009) (finding that online transactions were not covered by the Credit Card Act where information is collected for purposes of fraud prevention).
Bullivant Houser Bailey PC is an Oregon Professional Corporation. The materials found on this site prepared by Bullivant attorneys are for general informational purposes only and are not for the purpose of providing legal advice or legal opinions on specific facts or circumstances. Internet subscribers and online readers should not act upon this information without seeking professional advice.