Privacy Liability Arising From Credit Card Checkout
Under recent developments in state data privacy law, seemingly innocuous business practices can result in major liability for retailers.
Consider the following everyday scenario: A cashier in one of your retail stores swipes a customer’s credit card and asks the customer for her ZIP code. Without a second thought, the customer recites her ZIP code, and your cashier enters it into your electronic system. The customer leaves your store, and the cashier moves on to the next customer. Has your customer just become the newest class member in a potential class action? Is your company now a potential defendant in a class action seeking triple damages and attorneys’ fees for unfair and deceptive practices?
Unless your company has put appropriate policies and procedures in place, the answer to these questions is likely a resounding “Yes.”
Old Law, New Risks
Consistent with a California trend, Massachusetts’ highest court recently held that ZIP codes are “personal identification information,” and their collection during a credit card transaction can give rise to a legal claim against the retailer for unfair and deceptive practices. The decision, Tyler v. Michaels Stores, arose under a Massachusetts statute enacted in 1991. Back then, retailers would often request a customer’s bank account number or other “personal identification information” and then write it on the carbon paper form as part of the credit card transaction. To protect against identity fraud, the legislature prohibited merchants from writing personal identification information on credit card transaction forms.
Now, however, a law originally enacted to avoid abuses of the carbon copy form will be applied to its modern equivalent, the electronic credit card transaction. The Tyler case effectively gives the green light to hundreds of potential class action suits—all seeking treble damages and attorneys’ fees—based on events similar to those described above. The outcome of those suits will depend on what information the merchant collected, how it was collected, processed and stored, and the use to which the information was put.
What Collection Practices Are Allowed?
First, the Massachusetts law applies only to the collection of information that is not required by the card issuer. Thus, if the retailer collects only what is required by the issuer, and nothing more, the retailer should avoid liability, although maybe not a lawsuit. Second, the actions the law technically prohibits are the “writing” of the personal identification on the “credit card transaction form.” Though the court held that it would apply the law to electronic as well as paper credit card transactions, it provided little guidance on what constitutes an electronic “credit card transaction form.” While still an open question, a retailer might avoid liability by storing the customer’s ZIP code or other personal identification information separately from the credit card data.
Retailers are also now providing notice to customers as to the purpose of the ZIP code request. Specifically, retailers are using signage at the checkout counter to make clear that any request for a ZIP code is expressly for marketing purposes and not for purposes of the credit card transaction. Accordingly, the consumer is on notice that the request is not part of the “credit card transaction.”
Limiting Liability By Limiting Use
A retailer may also reduce liability risk by limiting its use of any personal identification information it gathers. The Tyler court held that, at least in this instance, private lawsuits under the unfair and deceptive trade practices law follow the principle of “no harm, no foul.” That is, unless the customer can show that she suffered “injury” as a result of the retailer’s collection and subsequent use of the personal identification information, the customer should have no claim.
What, then, constitutes injury for purposes of this inquiry? The court identified “at least” two uses of the consumer’s personal identification information that would qualify. The first is direct marketing. Where the customer shares personal identification information and then receives unwanted marketing materials as a result, she has suffered an injury under the law. Second, the retailer’s sale to others of either the collected personal identification information or data obtained by using that information also qualifies as injury. The court left open the possibility that other uses of the collected information could violate the statute.
The law from other states suggests that some uses may be allowed. In California, online transactions for the purchase of music or video Internet downloads are currently protected due to the retailer’s legitimate need to obtain personal identification information to protect against fraud. California courts have expressly noted that online retailers cannot avail themselves of the built-in protections against fraud available to the traditional “brick-and-mortar” retailers, such as examining the physical card (including signature). The same rationale has been applied to self-serve gas-pump transactions.
A review of these decisions makes clear that “use” by the retailer is the key. For example, another California court held that a retailer did not violate the law by collecting information to confirm membership in a customer rewards program. So, uses of the information for incidental purposes may be permissible.
An Imminent Wave Of Litigation
Since the first California decision in 2011, over 150 class actions have been filed there against retailers. Since the Tyler decision, at least five more class actions have been filed in Massachusetts. Accordingly, retailers that have traditionally asked consumers for additional personal information during credit card transactions should expect demand letters from plaintiffs’ attorneys hoping to represent massive classes of card users. If that describes your business practice, such a demand may be on the way.
As in-house counsel, it is thus imperative to know what information your company’s employees collect, how that information is stored and processed, and the reason you collect it. Further, preemptive measures, such as signage, should be strongly considered. While technology has rendered the carbon paper credit card transaction obsolete, the statute designed to prevent abuses in carbon paper transactions has just been reinvigorated.
Anthony A. Bongiorno and Matthew R. Turnell are partners at McDermott Will & Emery in Boston. Bongiorno is the head of the trial group in the firm’s Boston office. He has extensive trial experience in a variety of commercial matters, including product liability cases. Turnell focuses his practice in the areas of complex commercial litigation and arbitration, government investigations, and privacy and data security.