California Supreme Court Holds that Businesses May Not
Request and Record Consumers' ZIP Codes for Credit Card Transactions
February 16, 2011
On February 10, 2011, the California Supreme Court unanimously ruled that businesses subject to California law may not ask credit card users to provide their ZIP code and record such ZIP code in the course of credit card transactions.1 The court's decision has a retroactive effect, allowing for class actions with statutory damages of up to $250 for a first violation and $1,000 for each subsequent violation per class member, under the Song-Beverly Credit Card Act of 1971, Civ. Code Section 1747 et seq. (Song Act).
California's Song Act provides privacy protections for credit card users, including a prohibition on businesses gathering "personal identification information" in connection with credit card transactions.2,3 The Song Act defines "personal identification information" as "information concerning the cardholder, other than set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number."4
Class action plaintiff Jessica Pineda alleged that Williams-Sonoma's practice of asking customers for their ZIP codes at the time of in-store credit card transactions and recording them violated her privacy rights under California law. The court noted Pineda's belief that the ZIP codes were necessary to complete the transaction and that Williams-Sonoma used customized software programs to search a "reverse telephone book" to match a credit card holder's name and ZIP code with a street address that had not been provided by the customer. Due to the procedural status of its review, the court assumed as true the plaintiff's allegations in her complaint that Williams-Sonoma used the data for the marketing of Williams-Sonoma products and could have sold the information to other businesses.
The court found that the Song Act was intended to provide broad privacy protections to credit card users. In overruling the court of appeals in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (Cal. Ct. App. 2008), which had held that ZIP codes "without more" were not personal identification information within the protections of the Song Act, the court found that the Song Act's protections regarding personal identification information included a credit card user's ZIP code. The court reasoned that to find otherwise would allow a business to collect names and ZIP codes and end-run the protections of the Song Act to obtain the address of the cardholder.
The impact of this decision is unclear as of the date of this WSGR Alert. Other states such as New York and Massachusetts have adopted similar statutes and it is not clear whether this decision will prove to be influential in these other states. Additionally, in Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009), the U.S. District Court for the Central District of California held that the Song Act's protections did not apply to online transactions.
Wilson Sonsini Goodrich & Rosati attorneys routinely counsel their clients with respect to evolving privacy and data security issues. If you have any questions regarding this WSGR Alert or any related privacy and data security matters, please contact Sara Harrington at firstname.lastname@example.org or (650) 320-4915; Tonia Klausner at email@example.com or (212) 497-7706; Lydia Parnes at firstname.lastname@example.org or (202) 973-8801; or Edward Holman at email@example.com or (202) 973-8804.
1 Pineda v. Williams-Sonoma Stores, Inc., No. S178241 (Cal. Feb. 10, 2011).
2 The Song Act provides for certain exceptions to this general rule, including in the context of cash advances, when the credit card processor requires this information (e.g., at a gas pump), or when incidental to the transaction, as for shipping, delivery, servicing, and installation. Cal. Civ. Code. Section 1747.08(c).
3 Cal. Civ. Code. Section 1747.08(a)(2).
4 Cal. Civ. Code. Section 1747.08(a)(3).