In a decision that may herald heightened litigation risks for certain businesses that collect consumer information, the U.S. District Court for the District of Massachusetts just joined the California State Supreme Court in taking a broad view of what constitutes “personal identification information” (PII) and an arguably dim view of the common marketing practice of “reverse data mining.” See Tyler v. Michaels Stores, Inc.
Under the statutes of certain states, most notably the Song-Beverly Credit Card Act in California, businesses are generally prohibited, subject to certain exceptions, from requesting or requiring that a customer provide PII that is then recorded by the business. Last year, in a decision that spawned literally hundreds of class actions against national retailers doing business in California, the California Supreme Court in Pineda v. Williams-Sonoma held that under the Song-Beverly Act, ZIP codes constituted PII.
In adopting such a broad view of PII, the Pineda court reasoned that a ZIP code is “information unnecessary to the sales transaction” and is “similar to [the cardholder’s] address or telephone number” because “it can be used, together with the cardholder’s name, to locate his or her full address” through the practice of reverse data mining. As a result of Pineda, businesses that collect consumer ZIP codes during the course of a credit card transaction could be subject to mandatory statutory penalties of up to $1000 per credit card transaction in the state of California.
Expressly relying on Pineda, Melissa Tyler, the plaintiff in Michaels, sued Michaels Stores for allegedly violating a Massachusetts statute (Section 105) that forbids the collection of PII from consumers during a credit card transaction, as well as for unjust enrichment.
Similar to the Song-Beverly Act, Section 105 states in relevant part that “no person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.” However, unlike the Song-Beverly Act, Section 105 does not provide for mandatory statutory damages.
Tyler alleged that during several credit card transactions, Michaels had requested her ZIP code, and she had provided it under the mistaken impression that it was required in order to complete the transaction. Michaels allegedly did not use the ZIP code as a fraud-prevention technique, nor did the credit card companies require that the ZIP code be provided. Instead, Michaels allegedly “used Tyler’s name and ZIP code in conjunction with other commercially available databases to find her address and phone number. Tyler then allegedly received unwanted marketing materials.” Michaels moved to dismiss. In granting the motion, the court employed different reasoning than the Pineda court, but reached the same conclusion that ZIP codes constitute PII. According to the Michaels court, “[b]ecause in some circumstances the credit card issuer may require the ZIP code to authorize a transfer of funds, as a debit card issuer requires a PIN number, both a ZIP code and a PIN number may be used fraudulently to assume the identity of the card holder. Just as a merchant who records a PIN number in the transaction form puts the customer at risk of identity fraud, so too does a merchant who records a ZIP code in the transaction form.” The court held that the plaintiff had alleged a per se violation of the statute.
The court nonetheless granted the motion, holding that the plaintiff had failed to claim actual damages, because she had alleged only receiving unwanted mail, not that the information collected was sold or otherwise exposed her to an increased risk of fraud.
Notably, however, in a section of the opinion captioned “Conclusion and Reflections,” the Michaels court warned that “[s]ince retailers so routinely request a customer’s ZIP code at the point-of-sale in a credit card transaction, they ought note here that this Court holds Michaels potentially to have violated Section 105(a) if such request was made during a transaction in which the credit card issuer did not require such disclosure,” but that relief has been denied here only because the statute was intended to prevent fraud, not the alleged “receipt of unwanted commercial mail,” which while “irritating” is “inconsequential.”
Although companies doing business in Massachusetts may have dodged a proverbial bullet in Michaels, the opinion echoes some of the same themes found in the opinion of the California Supreme Court in Pineda. For example, both courts appeared uncomfortable with the practice of businesses collecting information at the point of sale without disclosing to the customer either that the information was not required to complete the transaction or would be used to obtain additional information about the customer for marketing purposes.
Thus consumer lawsuits arising from this practice, for example, where the information collected and mined is subsequently stolen or misused, may find a sympathetic judicial audience. Moreover, the dicta in Michaels, combined with the Pineda opinion, may very well embolden plaintiffs to file lawsuits in states with statutes similar to those in California and Massachusetts seeking statutory and other damages.