
From A to ZIP Codes, and Beyond

By Kenneth L. Chernof and Allyson Himelfarb
October 31, 2013

An ever-increasing number of companies find themselves facing potential liability for practices concerning the use, collection, or release of consumer data. The courts are rife with class-action litigation by individuals seeking compensation in the wake of stolen or lost laptops, hacked computer networks, or data stolen through phishing scams, even in cases where the plaintiffs have not suffered any actual misuse of their own data. Recent legal developments have helped to limit the viability of these cases. Perhaps the most prominent development is the U.S. Supreme Court's recent decision in Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013), in which the Court made clear that plaintiffs cannot establish standing to sue based on a mere risk of future injury, and plaintiffs may not manufacture standing by taking steps to prevent the risk of future injury.

Collecting ZIP Codes

Despite, and perhaps because of, this and other positive developments, new and increasingly creative fronts in data privacy litigation and enforcement are constantly being opened. One such evolving area of potential liability impacts companies that collect ZIP code information from consumers during routine retail transactions. Many companies request and collect a customer's ZIP code at the time of a retail transaction, and they do so for various purposes: some may need the information for delivery of the purchased product; some may wish to enroll the customer in some type of rewards or other store benefits program; some may use the information to send marketing materials to the customer; and some may sell the information to third parties. Although there are many legitimate purposes for collecting ZIP code information, this practice has now borne significant scrutiny.

Pineda

One of the first cases to challenge the practice of collecting ZIP code information was heard in 2008 when plaintiff Jessica Pineda filed a putative class action against retailer Williams-Sonoma, alleging that the retailer's request for her ZIP code during a sales transaction (which she alleged the company used to send her marketing materials) violated a California statute that prohibits businesses from requiring or requesting “personal identification information” as a condition for accepting a credit card payment during a business transaction. The statute defines “personal identification information” as any information about the cardholder other than the information set forth on the credit card itself, such as a consumer's address or telephone number.

Ms. Pineda alleged that because her ZIP code constituted “personal identification information,” its collection by Williams-Sonoma violated the statute. In 2011, the highest court in California agreed, reasoning that the term “address” encompasses not only a complete address, but also its components. See Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011). According to the court, interpreting the statute to prohibit the collection of ZIP codes was “most consistent with [the] legislative purpose” of providing “robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.” Id. at 620.

In the wake of Pineda, California has become something of a hotbed of activity in this area, with dozens of similar cases filed against a multitude of retailers in that state alone. Given that a violation of the California statute can subject a company to civil penalties of up to $250 per violation, the stakes for retailers doing business in California are especially high. Worse still, because the Pineda decision applies retrospectively, companies can still face liability even over past practices.

Tyler

A similar case was also filed against Michaels Stores in federal court in Massachusetts in 2011. In that case, plaintiff Melissa Tyler alleged that the defendant retailer illegally collected and used her ZIP code information to send her unsolicited marketing materials. Similar to California, Massachusetts has a statute prohibiting companies that accept credit cards from requiring a consumer to write any “personal identification information” that is not required by the credit card issuer on the credit card transaction form.

Massachusetts' highest state court noted that because the principal purpose of the state statute is to protect consumers' privacy, not to protect against identity fraud, a consumer need not allege that she has been the victim of identity fraud to be able to bring a claim under the statute. Tyler v. Michaels Stores, Inc., 464 Mass. 492 (2013). Fortunately, even Tyler concludes that plaintiffs must make some showing of injury to have a viable claim.

According to Tyler, two types of injury that might entitle a plaintiff to seek damages under the statute include: 1) if the consumer actually receives unwanted marketing materials as a result of the collection of the consumer's personal information; or 2) if the merchant sells the consumer's personal information to a third party. The lesson to be learned from Tyler is that even if the consumer suffers not one penny of loss from the collection of her ZIP code information, she may still be entitled to recover statutory damages if the company acquires her personal information and uses that information “for its own business purposes.”

Wide Implications

Taken together, the Pineda and Tyler decisions have broad exposure implications for retailers and other companies, not only those doing business in California and Massachusetts, but in other jurisdictions as well. That is because in addition to California and Massachusetts, similar statutes prohibiting companies from requiring or requesting certain personal identification information in connection with credit card transactions now also exist in Delaware, Kansas, Maryland, Minnesota, New Jersey, New York, Pennsylvania, Rhode Island, Wisconsin, and the District of Columbia, and more may be enacted in the coming years.

While the state statutes vary in their precise language, they generally prohibit entities from requesting or requiring customers to provide or write down personal identification information as a condition of processing credit card transactions. Many statutes provide for statutory damages ranging anywhere from $25 to a maximum of $10,000 for each violation. Moreover, many of the statutes permit individuals to pursue damages through class actions. Thus, even with statutory damages as seemingly insignificant as $25 per violation, it does not take long for those damages to add up, particularly when individual plaintiffs often seek to represent expansive classes defined as all consumers from whom ZIP code information was requested or collected in connection with a credit card transaction during a given time period. As one example, a putative class action was recently filed in federal court in the District of Columbia challenging a popular clothing retailer's collection of ZIP code information and seeking $500 in statutory damages for each member of the class, defined as all customers from whom ZIP code information was collected over a three-year period.

Exceptions

The collection of ZIP codes is not prohibited in all circumstances, however. Many of the state statutes also provide exceptions where the collection of customers' personal identification information is permissible, such as where the information is required for the shipping, installation, or delivery of the purchased product; fulfilling warranty obligations; or for some other purpose that is incidental, but related to the credit-card transaction, such as fraud prevention. In deciding whether a given practice is permissible, recent cases illustrate that the focus is on the customers' perception of the transaction, rather than on what the retailer subjectively intends to do with the requested information.

In Pineda, Tyler and many other recent cases, the plaintiffs alleged that they provided their ZIP code information under the mistaken belief that the information was necessary to process their credit-card payment. However, where a retailer “falls over itself” to inform customers that the requested information is optional and is not required to complete the credit-card transaction, courts have held that in those instances, the relevant statute has not been violated. See Gass v. Best Buy Co., Inc., 279 F.R.D. 561 (C.D. Cal. 2012).

Based on this reasoning, retailers who wish to continue collecting ZIP code information for their own business purposes may start posting signs or otherwise explicitly notifying customers that provision of their personal information is optional, is in no way required to complete their credit-card transaction, and explain how the retailer intends to use that information. The bottom line: When it comes to customers' data, transparency is paramount.

Are Relevant Statutes Necessary for Litigation?

Even in states where no such laws are on the books or where the relevant statutes do not permit private rights of action, the possibility for litigation still remains. This has already been seen in New Jersey. There, because the state law prohibiting the collection of personal information in connection with credit-card transactions is limited to enforcement by the state Attorney General, plaintiffs are forced to find a work-around. Thus, plaintiffs sought to challenge the practice of ZIP code collection under the state's more general consumer protection law, the Truth-in-Consumer Contract, Warranty and Notice Act. That statute prohibits sellers from entering into any written consumer contract that violates a “clearly established right of a consumer.” Plaintiffs argued that the relevant “established right” was provided for in the state statute governing the collection of personal information during credit card transactions.

These attempts have so far been largely unsuccessful. In the two cases filed in federal court, the court dismissed the complaints, holding that plaintiffs were unable to allege any “written consumer contract,” and thus could not state a claim under the statute. See Feder v. Williams-Sonoma Stores, Inc., 2011 WL 4499300 (D.N.J. Sept. 26, 2012); Darocha v. Wal-Mart Stores, Inc., No. 11-7583 (D.N.J. May 9, 2012) (unpublished). Despite these two decisions, the state of personal identification information law, and therefore the likelihood of additional class action lawsuits, remains unsettled in New Jersey. That is because in a recent state court case, the trial judge refused to dismiss a class action arising out of ZIP code collection practices, even though the plaintiff had alleged a violation of the same New Jersey statute.

Potential exposure is not limited to private class action litigation. The FTC, the nation's top privacy watchdog, has been increasingly focused on the data collection practices of companies, admonishing in an August 2013 speech that firms that acquire and maintain large sets of consumer data must be “responsible stewards of that information” and that data security and privacy will continue to be a top enforcement priority. See http://1.usa.gov/1csYiga.

Indeed, on Aug. 29, 2013, the FTC filed an administrative complaint against a medical testing laboratory for the company's alleged failure to protect the security of consumers' personal data, resulting in the personal information being found in the hands of identity thieves. As a word of caution, the FTC was quick to point out that this latest action was “part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers' personal data.” See http://1.usa.gov/1hWe2ss.

Conclusion

Although data privacy exposure is a rapidly evolving field, what should be clear is that enterprising plaintiffs' attorneys are likely to challenge the practice of ZIP code collection through alternative avenues, whether under the state's broader consumer protection statute or through some other yet-to-be-seen theory. Given the latest trend in consumer privacy litigation along with the possibility for heightened government scrutiny, corporate counsel should be mindful of statutory and decision law developments in each state where they conduct business to ensure that they have taken the necessary steps to demonstrate compliance when collecting ZIP code information.

Beyond just ZIP codes, these developments should encourage corporate counsel to conduct internal reviews and assess the various kinds of data they collect, how they collect such data, and what they ultimately do with it. Given the potential exposure flowing from the seemingly innocuous collection of a customer's ZIP code, you never know where the next point of exposure may lie.


Kenneth L. Chernof is a partner and Allyson Himelfarb is an associate at Arnold & Porter LLP. The authors wish to thank summer associate Neil Sawhney for his contribution to this article.

