A unanimous California Supreme Court held Feb. 10 that retailers who ask their customers to provide ZIP codes when making purchases with a credit card are violating California law. The court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are a type of “personal identification information” (PII) that California’s Song-Beverly Credit Card Act prohibits retailers from collecting. 

In the wake of the Pineda decision, the plaintiffs bar has filed more than 125 putative class action suits in California courts, according to Morrison & Foerster Partner David McDowell. Defendants include Wal-Mart, Best Buy, Coach, Nordstrom, Target and Macy’s, among other retailers.

“Plaintiffs lawyers seem to be in a feeding frenzy. Even some retailers who have never collected ZIP codes have been named in multiple suits,” says McDowell. “It appears that many people are rushing to file cases without any investigation. In 20-plus years of practicing in the consumer class action arena, I have never seen anything like it.”

Seyfarth Shaw Partner Michael Burns, who represents several national retailers who are defendants in some of the cases, says it is difficult to assess how much the lawsuits could cost companies in the “post-Pineda craze.” Potential fines range from token sums to maximum penalties of $250 for a first violation and $1,000 for each subsequent violation. The court said that the statute clearly noted what conduct was proscribed and declined to make its ruling prospective only, meaning retailers could be exposed to billions of dollars of potential liability for past credit card transactions.

McDowell says the Act also allows potentially large penalties to be collected in a civil action brought by the state’s attorney general or local prosecutor.

Plaintiff’s Position

Jessica Pineda alleged that, through the use of customized software, Williams-Sonoma performed “reverse searches” of databases that contain millions of names, e-mail addresses, telephone numbers and street addresses. Pineda claimed the retailer thereby generated her complete contact information, including her previously undisclosed address, in violation of the Credit Card Act, which prohibits collection of a customer’s address or telephone number. According to Pineda, Williams-Sonoma then recorded the contact information in its own database used to market products and sold the compiled information to other businesses. 

In their appeal argument, lawyers for Williams-Sonoma denied that the company used the information for such purposes. Because the litigation was at an initial demurrer stage of proceedings and no proof had yet been taken on the merits, however, the state Supreme Court presumed the allegations to be true. It remanded the case to the California Court of Appeal to rule on a motion for class action status and other proceedings. 

Retailers may collect personal information for reasons other than marketing, and the outcome of the pending class actions could depend on how the defendants used the ZIP code information. 

“If the business collected the information to undertake fraud detection, thereby offering better pricing to consumers, and did nothing to exploit the information for financial gain, I would certainly expect that information to be important to a judge,” says McDowell.

Privacy at the Pump

McDowell says the Act provides several statutory exceptions, including credit card use for deposits or cash advances or when the entity accepting the card is obligated to record the information under federal law, as in sales of certain over-the-counter drugs. The Act also provides an exemption for companies contractually required to provide information—for example, gas stations are required by credit card companies to collect ZIP codes when consumers pay at the pump.  

Nevertheless, plaintiffs attorneys also have filed a flurry of lawsuits accusing California’s largest gas station chains of violating the Credit Card Act by requiring customers who pay with credit cards to type their ZIP codes into a keypad and then electronically recording and transferring that information. Plaintiffs say the statute applies because the companies “sent said personal identification information in an electronic record which was capable of being retained by the receiving party.” The defendant oil companies could be liable for as much as a billion dollars a day.

An exemption also exists in the Act for information required for shipping, delivery, servicing or installation, says Burns, so online transactions and brick-and-mortar store purchases that include home deliveries may be exempted. 

A 2009 case decided by the Federal District Court for the California Central District, Saulic v. Symantec, in fact, held that the Credit Card Act does not apply to online transactions, says Michael Egger, senior counsel at Fenwick & West. However, “There is no published California state court opinion holding that the Act does not apply to online transactions, nor has there been a ruling under the California Online Privacy Protection Act,” he adds.

A bill pending in the California legislature may amend the Act to effectively make the Pineda ruling prospective only. Some proponents also wish to provide a consumer right to voluntarily release personal information to retailers that ask for such information. “Many consumers would like to receive more information from their favorite companies,” Burns asserts. 

But in the absence of mitigating legislation, Burns advises retailers to be cautious. “If retailers want to eliminate any possibility of litigation, the only way to do so is to stop requesting possible PII at the point of sale,” he says.