Other than perhaps the last time you watched “90210” (if ever!), when did you last think your zip code said anything personal about you?
However long it’s been, zip codes have been on the minds of California’s highest judges. In a unanimous decision, the California Supreme Court recently ruled they are “personally identifiable information” (“PII”) within the meaning of California’s Credit Card Act (Cal. Civil Code Sec.1747.08) that cannot be collected in credit card sales, except in limited cases. Pineda v. Williams Sonoma Stores, Inc., 2011 LEXIS 1355 (Feb. 10, 2011). The statute defines PII as “information concerning the cardholder…including, but not limited to, the cardholder’s address and telephone number,” and bars its collection to protect consumers from unsolicited marketing.
Liberally construing the consumer protection purpose of the statute, the Court rejected Williams Sonoma’s defense that a zip code is not PII because it is only a “part” of an address and alone cannot identify a person. Noting the company had used software to match the plaintiff’s name and zip code to locate her previously undisclosed address, the Court held its interpretation would permit retailers to “obtain indirectly what they are clearly prohibited from obtaining directly, ‘end-running’ the statute’s clear purpose.” California retailers may still gather zip codes for an “incidental” purpose, such as shipping.
What does this decision mean for DR marketers? First, the law appears to cover only credit cards, not debit cards or other forms of payment. Second, if you’re delivering a physical product, you can still collect the information. Third, application of the law to the Internet is unclear. To date it has been applied only to retail stores and makes no reference to online transactions. The only court to address it in that context held it did not apply, citing distinctions from the brick and mortar world, including fraud concerns that require online merchants to be able to collect PII for “verification.” Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009).
This lone decision may not be enough to deter class action lawyers from seeking to extend Williams-Sonoma to bar collection of PII in online commerce (maybe even IP or email addresses, though their required use for customer communication should qualify as an “incidental purpose”). Dozens of suits already have been brought under the Credit Card Act. Now, with this judicial green light, and lure of large recoveries (up to $1000 per violation), there could be many more.
If you’re selling goods online that need to be shipped, or by some quirk you don’t accept credit cards, then Williams Sonoma shouldn’t affect you. If you’re selling digital goods to credit card customers, though, you may want to reconsider just how important each type of PII you’ve been collecting (including phone and postal address) is to your business. The rationale of fraud protection could prove to be a winning defense against class action assault. But if not, then the legal risk (and cost) of PII collection could go up, at least in California.