Retail Tenants Need to ZIP Up Their Class-Action Defenses in CA

A significant legal development has occurred, which directly impacts any retail tenant with business operations in California. Retailers who ask customers for their ZIP Codes at the time of a credit card purchase may now find themselves the subject of class-action claims alleging violations of California's Song-Beverly Credit Card Act (the Credit Card Act). There has been a recent flood of plaintiffs' cases filed in California state and federal courts. These class-action lawsuits request a penalty of up to $1,000 for each customer whose ZIP Code was requested by a retailer in the last 12 months. Thus, the penalties requested for alleged violations of the Credit Card Act are astronomical.

The Credit Card Act, codified at California Civil Code ' 1747.08, prohibits vendors from requesting and recording “personal information” in connection with credit card transactions. The statute defines “personal information” as “information concerning the cardholder, other than information set forth on the credit card and including, but not limited to, the cardholder's address and telephone number.” Civil Code ' 1747.08(b).

California courts once held that ZIP Codes did not constitute “personal information” under the Credit Card Act; however, on Feb. 10, 2011, the California Supreme Court drastically changed that landscape.

The Credit Card Act: An Overview

Section 1747.08(a)(2) of the Credit Card Act states that a company that accepts credit cards for a transaction may not request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit transaction form or otherwise. Civil Code ' 1747.08(a)(2).

Courts interpreting this section have found violations, even where the request for personal identification information is not a “condition to accepting the credit card as payment.” In sum, certain California courts have held that it is sufficient that the information be requested. See, e.g., Florez v. Linens N Things, Inc., 108 Cal.App.4th 447 (2003).

The Florez court looked to the legislative intent underlying the statutes, which, it stated, was to protect the personal privacy of consumers and to prevent retailers from requesting personal identification information and then matching it with the consumer's credit card. (Id.) The Florez court reasoned that a 1991 amendment to the statute inserting the term “request” was designed to prevent retailers from making “an end-run” around the law, claiming that the data was provided voluntarily before the method of payment was known. (Id. at 453.)

Thus plaintiffs do not need to establish that the personal identification information was required to complete the transaction in order to succeed. Simply requesting the information and recording it anywhere is sufficient. In addition, California courts have held that it is the subjective understanding of the consumer that is important ' not the subjective understanding of the seller. Florez, 108 Cal.App.4th at 451.

Section 1747.08(a)(3) of the Act contains additional prohibitions, but they have not spurred litigation. California courts have held that there is a one-year statute of limitations that applies to the Credit Card Act. Shabaz v. Polo Ralph Lauren Corp., 586 F.Supp.2d 1205 (C.D. Cal 2008). TJX Companies, Inc. v. Superior Court, 163 Cal.App.4th 80 (App. Dist. 2008) (modified on denial of rehearing, review denied). Thus, the recently filed class actions generally date back 12 months from the date they were filed.

'Personal Information' and ZIP Codes

On Feb. 10, 2011, the California Supreme Court held that requesting and recording a cardholder's ZIP Code may violate the Credit Card Act. In Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th524, 246 P.3d 612 (2011), the California Supreme Court expressly disapproved a prior court of appeal decision: Party City Corp. v. Superior Court, 169 Cal. App.4th 497 (2008), which had previously held that ZIP Codes did not constitute “personal identification information” under the Credit Card Act.

In Pineda, the plaintiff alleged that while she was paying for a purchase with her credit card in a Williams-Sonoma store, the cashier asked her for her ZIP Code. (Id. at 528.) The cashier entered the plaintiff's ZIP Code into the electronic cash register and then completed the transaction. The plaintiff alleged that she believed it was necessary to complete the transaction and, therefore, gave her ZIP Code to the cashier. The plaintiff also alleged that the defendant retailer subsequently used her name and ZIP Code to locate her home address. (Id. at 528.)

The court noted that the defendant used customized computer software to perform reverse searches from the database, which contained millions of names, e-mail addresses, telephone numbers and street addresses that were apparently indexed as a reverse telephone book. (Id. at 529.)

The plaintiff filed a putative class action, alleging the defendant had violated the Credit Card Act. Williams-Sonoma moved to dismiss the plaintiff's claims, in part, because ZIP Codes were not “personal identification information.” The trial court agreed. A court of appeal affirmed the trial court's dismissal of the Credit Card Act claims, relying on Party City Corp. v. Superior Court, 169 Cal.App. 4th 497 (2008).

Thus, the sole issue before the California Supreme Court in Pineda was whether ' 1747.08 is violated when a business requests and records a customer's ZIP Code during a credit card transaction. The California Supreme Court concluded that in light of the language of the statute and its legislative history, a ZIP Code constitutes “personal identification information” as used in ' 1747.08. (Id. at 530.) The court concluded that “requesting and recording a cardholder's ZIP code, without more, violates the Credit Card Act.” In so ruling, the Pineda court explicitly disapproved the holding of Party City. (Id. at 531.)

The Pineda court explained that the Legislature's intention that a ZIP Code does constitute personal information is derived from the fact that a ZIP Code is well understood to be part of an address. (Id. at 531.) The court construed the word “address” in the Act to encompass not only a complete address, but also any of its components. (Id.)

The California Supreme Court rejected the reasoning that because a cardholder's ZIP Code pertains to other individuals in addition to the cardholder, it is dissimilar to an address or telephone number. (Id. at 531-32.) The court stated that it believed that its newly adopted interpretation of the Credit Card Act would be more consistent with the rule that courts should liberally construe remedial statutes in favor of their protective purpose, which, in the case of ' 1747.08, includes addressing “the misuse of personal identification information for, inter alia, marketing purposes (citing Absher v. AutoZone, Inc. (2008), 164 Cal.App. 4th 332, 345, 78Cal.Rpt.3s 817).” (Id. at 532.) The court expressed its concern that any other interpretation would allow retailers to make an “end-run” around the statute's purpose by allowing retailers “to obtain indirectly what they are clearly prohibited from obtaining directly.” (Id. at 4.)

The Implications of Pineda

There has been a recent flood of plaintiff class actions alleging violations of the Credit Card Act. Dozens of major retail tenants with operations in California have been named as defendants.

With respect to potential damage exposure to retailers, ' 1747.08(e) provides potentially substantial penalties for violations of the Act:

Any person who violates this section shall be subject to a civil penalty not to exceed two-hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the District Attorney or City Attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error. When collected, the civil penalties shall be payable, as appropriate, to the person paying with the credit card who brought the action, or to the general fund of whichever governmental entity brought the action to assess this penalty. Civil Code ' 1747.08(e).

There have been relatively few cases interpreting the civil penalty under this statute. At least one case has held that civil penalties are mandatory, although the amount of the penalty is within the court's discretion. TJX Companies v. Superior Court, 163 Cal.App.4th 80 (2008). The Pineda court rejected a due process argument that the penalty provision was unconstitutionally oppressive because it could result in penalties “approaching confiscation of the entire business.” (Id. at 7.)

The plaintiff's counsel will argue that the civil penalty does not require a finding that the defendant willfully acted with knowledge of and/or intent to violate Civil Code
' 1747.08. While ' 1747.08(e) provides a safe haven for “bona fide” errors, the defendant must have procedures adopted to avoid the error. However, if a company was simply ignorant of the statute, but collected personal information, the plaintiffs have and will continue to argue that such a company could still be subject to the civil penalty. The plaintiffs will assert the same argument they would if a company acted negligently.

In sum, the defendants named in a putative class involving the Credit Card Act will face allegations that they are liable for a civil penalty under the Act, even if there is no intentional, willful violation of ' 1747.08. Given the fact that these putative actions can date back 12 months from the date they were filed, retail tenants who are sued as defendants are faced with the prospect of allegations that thousands of customers' rights were violated, and that courts should enact penalties up to $1,000 for each separate violation.

How courts will treat newly filed cases remains to be seen. However, there appears to be an argument that the Pineda decision should not be used to support a putative class action at this time. The reason, in part, involves the one-year statute of limitations. The newly filed cases generally assert that class members are “all persons in California from whom the defendant requested and recorded personal identification information (i.e., ZIP Codes) with a credit card transaction within one (1) year of the filing of this case.” That would necessarily include a vast majority of customers whose ZIP Codes were requested and recorded before the Pineda decision disapproved the Party City court's ruling that ZIP Codes did not constitute personal identification information under the Act.

While the Pineda court stated that under the facts of the case before it, its decision should be applied retroactively, there is a colorable argument that those facts are distinguishable. The Pineda court noted that both Williams-Sonoma's conduct and the filing of the plaintiff's complaint pre-dated the Party City decision. (Id. at 7.) Thus, the Pineda court stated “it therefore cannot be convincingly argued that the practice for asking customers for their ZIP codes was adopted in reliance on Party City.” (Id.) The court concluded that “Williams-Sonoma identified no reason that would justify a departure from the usual rule of retrospective application.” (Id.)

However, retail tenants who have recently been or will be sued should not be precluded from arguing against retrospective application of Pineda because Party City was, in fact, the applicable law during the majority of the last 12 months. Allowing putative class actions to proceed against defendants whose conduct was arguably legal at the time is a very different fact scenario from that addressed by Pineda.

Other Jurisdictions

California's statute may be considered the most far-reaching state consumer protection law, but other state laws follow similar paths and savvy consumers certainly may challenge retailers' practices under those state consumer protection laws. New Jersey, Wisconsin, Kansas and Maryland consumer protection laws are less restrictive, but similar to California. Other states such as Delaware, Georgia, Louisiana, Massachusetts, Minnesota, Nevada, New York, Ohio, Oregon, Pennsylvania and Rhode Island all have laws with limited provisions that may also possibly be used by consumers aware of the success in California.

Conclusion

Retail tenants with operations in California ' and perhaps those in other states as well ' need to be aware of the new Pineda decision and its implications. Retailers that continue to collect ZIP Codes may very well find themselves the subject of putative class actions, the penalties for which could be substantial.

John J. Powers is a Partner in the Products Liability and Mass Tort Practice Group at Drinker Biddle in San Francisco.

A significant legal development has occurred, which directly impacts any retail tenant with business operations in California. Retailers who ask customers for their ZIP Codes at the time of a credit card purchase may now find themselves the subject of class-action claims alleging violations of California's Song-Beverly Credit Card Act (the Credit Card Act). There has been a recent flood of plaintiffs' cases filed in California state and federal courts. These class-action lawsuits request a penalty of up to $1,000 for each customer whose ZIP Code was requested by a retailer in the last 12 months. Thus, the penalties requested for alleged violations of the Credit Card Act are astronomical.

The Credit Card Act, codified at California Civil Code ' 1747.08, prohibits vendors from requesting and recording “personal information” in connection with credit card transactions. The statute defines “personal information” as “information concerning the cardholder, other than information set forth on the credit card and including, but not limited to, the cardholder's address and telephone number.” Civil Code ' 1747.08(b).

California courts once held that ZIP Codes did not constitute “personal information” under the Credit Card Act; however, on Feb. 10, 2011, the California Supreme Court drastically changed that landscape.

The Credit Card Act: An Overview

Section 1747.08(a)(2) of the Credit Card Act states that a company that accepts credit cards for a transaction may not request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit transaction form or otherwise. Civil Code ' 1747.08(a)(2).

Courts interpreting this section have found violations, even where the request for personal identification information is not a “condition to accepting the credit card as payment.” In sum, certain California courts have held that it is sufficient that the information be requested. See, e.g., Florez v. Linens N Things, Inc. , 108 Cal.App.4th 447 (2003).

The Florez court looked to the legislative intent underlying the statutes, which, it stated, was to protect the personal privacy of consumers and to prevent retailers from requesting personal identification information and then matching it with the consumer's credit card. (Id.) The Florez court reasoned that a 1991 amendment to the statute inserting the term “request” was designed to prevent retailers from making “an end-run” around the law, claiming that the data was provided voluntarily before the method of payment was known. (Id. at 453.)

Thus plaintiffs do not need to establish that the personal identification information was required to complete the transaction in order to succeed. Simply requesting the information and recording it anywhere is sufficient. In addition, California courts have held that it is the subjective understanding of the consumer that is important ' not the subjective understanding of the seller. Florez, 108 Cal.App.4th at 451.

Section 1747.08(a)(3) of the Act contains additional prohibitions, but they have not spurred litigation. California courts have held that there is a one-year statute of limitations that applies to the Credit Card Act. Shabaz v. Polo Ralph Lauren Corp. , 586 F.Supp.2d 1205 (C.D. Cal 2008). TJX Companies, Inc. v. Superior Court , 163 Cal.App.4th 80 (App. Dist. 2008) (modified on denial of rehearing, review denied). Thus, the recently filed class actions generally date back 12 months from the date they were filed.

'Personal Information' and ZIP Codes

On Feb. 10, 2011, the California Supreme Court held that requesting and recording a cardholder's ZIP Code may violate the Credit Card Act. In Pineda v. Williams-Sonoma Stores, Inc. , 51 Cal. 4th524, 246 P.3d 612 (2011), the California Supreme Court expressly disapproved a prior court of appeal decision: Party City Corp. v. Superior Court , 169 Cal. App.4th 497 (2008), which had previously held that ZIP Codes did not constitute “personal identification information” under the Credit Card Act.

In Pineda, the plaintiff alleged that while she was paying for a purchase with her credit card in a Williams-Sonoma store, the cashier asked her for her ZIP Code. (Id. at 528.) The cashier entered the plaintiff's ZIP Code into the electronic cash register and then completed the transaction. The plaintiff alleged that she believed it was necessary to complete the transaction and, therefore, gave her ZIP Code to the cashier. The plaintiff also alleged that the defendant retailer subsequently used her name and ZIP Code to locate her home address. (Id. at 528.)

The court noted that the defendant used customized computer software to perform reverse searches from the database, which contained millions of names, e-mail addresses, telephone numbers and street addresses that were apparently indexed as a reverse telephone book. (Id. at 529.)

The plaintiff filed a putative class action, alleging the defendant had violated the Credit Card Act. Williams-Sonoma moved to dismiss the plaintiff's claims, in part, because ZIP Codes were not “personal identification information.” The trial court agreed. A court of appeal affirmed the trial court's dismissal of the Credit Card Act claims, relying on Party City Corp. v. Superior Court , 169 Cal.App. 4th 497 (2008).

Thus, the sole issue before the California Supreme Court in Pineda was whether ' 1747.08 is violated when a business requests and records a customer's ZIP Code during a credit card transaction. The California Supreme Court concluded that in light of the language of the statute and its legislative history, a ZIP Code constitutes “personal identification information” as used in ' 1747.08. (Id. at 530.) The court concluded that “requesting and recording a cardholder's ZIP code, without more, violates the Credit Card Act.” In so ruling, the Pineda court explicitly disapproved the holding of Party City. (Id. at 531.)

The Pineda court explained that the Legislature's intention that a ZIP Code does constitute personal information is derived from the fact that a ZIP Code is well understood to be part of an address. (Id. at 531.) The court construed the word “address” in the Act to encompass not only a complete address, but also any of its components. (Id.)

The California Supreme Court rejected the reasoning that because a cardholder's ZIP Code pertains to other individuals in addition to the cardholder, it is dissimilar to an address or telephone number. (Id. at 531-32.) The court stated that it believed that its newly adopted interpretation of the Credit Card Act would be more consistent with the rule that courts should liberally construe remedial statutes in favor of their protective purpose, which, in the case of ' 1747.08, includes addressing “the misuse of personal identification information for, inter alia, marketing purposes (citing Absher v. AutoZone, Inc . (2008), 164 Cal.App. 4th 332, 345, 78Cal.Rpt.3s 817).” ( Id . at 532.) The court expressed its concern that any other interpretation would allow retailers to make an “end-run” around the statute's purpose by allowing retailers “to obtain indirectly what they are clearly prohibited from obtaining directly.” (Id. at 4.)

The Implications of Pineda

There has been a recent flood of plaintiff class actions alleging violations of the Credit Card Act. Dozens of major retail tenants with operations in California have been named as defendants.

With respect to potential damage exposure to retailers, ' 1747.08(e) provides potentially substantial penalties for violations of the Act:

Any person who violates this section shall be subject to a civil penalty not to exceed two-hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the District Attorney or City Attorney of the county or city in which the violation occurred. However, no civil penalty shall be assessed for violation of this section if the defendant shows by a preponderance of the evidence that the violation was not intentional and resulted from a bona fide error made notwithstanding the defendant's maintenance of procedures reasonably adopted to avoid that error. When collected, the civil penalties shall be payable, as appropriate, to the person paying with the credit card who brought the action, or to the general fund of whichever governmental entity brought the action to assess this penalty. Civil Code ' 1747.08(e).

There have been relatively few cases interpreting the civil penalty under this statute. At least one case has held that civil penalties are mandatory, although the amount of the penalty is within the court's discretion. TJX Companies v. Superior Court , 163 Cal.App.4th 80 (2008). The Pineda court rejected a due process argument that the penalty provision was unconstitutionally oppressive because it could result in penalties “approaching confiscation of the entire business.” (Id. at 7.)

The plaintiff's counsel will argue that the civil penalty does not require a finding that the defendant willfully acted with knowledge of and/or intent to violate Civil Code
' 1747.08. While ' 1747.08(e) provides a safe haven for “bona fide” errors, the defendant must have procedures adopted to avoid the error. However, if a company was simply ignorant of the statute, but collected personal information, the plaintiffs have and will continue to argue that such a company could still be subject to the civil penalty. The plaintiffs will assert the same argument they would if a company acted negligently.

In sum, the defendants named in a putative class involving the Credit Card Act will face allegations that they are liable for a civil penalty under the Act, even if there is no intentional, willful violation of ' 1747.08. Given the fact that these putative actions can date back 12 months from the date they were filed, retail tenants who are sued as defendants are faced with the prospect of allegations that thousands of customers' rights were violated, and that courts should enact penalties up to $1,000 for each separate violation.

How courts will treat newly filed cases remains to be seen. However, there appears to be an argument that the Pineda decision should not be used to support a putative class action at this time. The reason, in part, involves the one-year statute of limitations. The newly filed cases generally assert that class members are “all persons in California from whom the defendant requested and recorded personal identification information (i.e., ZIP Codes) with a credit card transaction within one (1) year of the filing of this case.” That would necessarily include a vast majority of customers whose ZIP Codes were requested and recorded before the Pineda decision disapproved the Party City court's ruling that ZIP Codes did not constitute personal identification information under the Act.

While the Pineda court stated that under the facts of the case before it, its decision should be applied retroactively, there is a colorable argument that those facts are distinguishable. The Pineda court noted that both Williams-Sonoma's conduct and the filing of the plaintiff's complaint pre-dated the Party City decision. (Id. at 7.) Thus, the Pineda court stated “it therefore cannot be convincingly argued that the practice for asking customers for their ZIP codes was adopted in reliance on Party City.” (Id.) The court concluded that “Williams-Sonoma identified no reason that would justify a departure from the usual rule of retrospective application.” (Id.)

However, retail tenants who have recently been or will be sued should not be precluded from arguing against retrospective application of Pineda because Party City was, in fact, the applicable law during the majority of the last 12 months. Allowing putative class actions to proceed against defendants whose conduct was arguably legal at the time is a very different fact scenario from that addressed by Pineda.

Other Jurisdictions

California's statute may be considered the most far-reaching state consumer protection law, but other state laws follow similar paths and savvy consumers certainly may challenge retailers' practices under those state consumer protection laws. New Jersey, Wisconsin, Kansas and Maryland consumer protection laws are less restrictive, but similar to California. Other states such as Delaware, Georgia, Louisiana, Massachusetts, Minnesota, Nevada, New York, Ohio, Oregon, Pennsylvania and Rhode Island all have laws with limited provisions that may also possibly be used by consumers aware of the success in California.

Conclusion

Retail tenants with operations in California ' and perhaps those in other states as well ' need to be aware of the new Pineda decision and its implications. Retailers that continue to collect ZIP Codes may very well find themselves the subject of putative class actions, the penalties for which could be substantial.

John J. Powers is a Partner in the Products Liability and Mass Tort Practice Group at Drinker Biddle in San Francisco.