MA ZIP Code Ruling: Implications for Online Retailers, Gas Stations and Others

Since 2011, California has been the primary venue for suits alleging the illegality of collecting ZIP codes in connection with a credit card transaction. Based on a recent decision by the Supreme Judicial Court of Massachusetts, the State's highest court, more such lawsuits will likely be filed in Massachusetts and elsewhere. Indeed, two similar lawsuits have already been filed in Massachusetts. With similar statutes in place in nine other jurisdictions, other challenges to the collection of ZIP codes may soon follow.

The first decision addressing ZIP Codes was issued by the California Supreme Court in 2011. That court held in Pineda v. Williams-Sonoma Stores, Inc., that a ZIP code constitutes "personal identification information" for purposes of the Song-Beverly Credit Card Act ("Song-Beverly Act").[1] The Song-Beverly Act "prohibits businesses from requesting that cardholders provide ‘personal identification information' during credit card transactions, and then recording that information."[2]

On March 11, 2013, the Massachusetts Supreme Judicial Court issued a similar opinion in Tyler v. Michaels Stores, Inc., finding that under the Massachusetts statute ZIP codes alone constitute personal identification information when used in connection with a credit card transaction.[3] Because the Massachusetts statute is similar to laws in nine other jurisdictions, we anticipate that litigation against retailers that collect ZIP codes could expand significantly, and quickly. While no retail business is immune, businesses that may be at particular risk, and which have not previously been subject to these types of lawsuits, include retail motor fuel dispensers (gas stations) and e-commerce websites. A legislative strategy to clarify the scope of the ruling, as occurred in California after the Pineda decision, may be a component of a litigation-avoidance strategy.

I. Tyler v. Michaels Stores

A. Facts

In Tyler v. Michaels Stores, Inc., the plaintiff alleged that on several occasions, she used her credit card to make a purchase at a Michaels store and was asked to provide her ZIP code. Each time, she gave her ZIP code based on her mistaken belief that it was necessary to complete the credit card transaction. In fact, the credit card issuer had no such requirement. Rather, Michaels maintained an internal policy of writing consumers' names, credit card numbers, and ZIP codes on an electronic credit card transaction form. Michaels used this information to locate the consumer's address and telephone number in a commercially available database in order to send marketing materials to the consumer.

The plaintiff claimed that Michaels' electronic recording of customers' ZIP codes amounted to writing personal identification information on a credit card transaction form in violation of G.L. c. 93, § 105(a) ("Section 105(a)"),[4] and, therefore, constitutes an unfair or deceptive practice in Massachusetts. In connection with these claims, the Supreme Judicial Court sought to answer three questions: (1) whether a ZIP code constitutes personal identification information under Section 105(a); (2) whether a plaintiff can bring an action for a privacy right violation absent identity fraud under Section 105(a); and (3) whether "credit card transaction form" refers equally to an electronic and paper transaction form. The Court ruled on all three questions in favor of the plaintiff.

B. ZIP Codes as "Personal Identification Information"

Personal information has customarily been thought to include a full address or some other type of identifying information that would allow a consumer to be contacted directly. In fact, the FTC recently declined to include ZIP codes in the definition of personal information, finding instead that it "does not believe [this] information, alone, permits the physical or online contacting of a specific individual."[5]

The Massachusetts law defines personal identification information as including, but not limited to, a "credit card holder's address or telephone number." Because this definition is not exhaustive, the Court found that the legislature left open the possibility that other information may also qualify. Although the Court disagreed with the plaintiff's deductive reasoning that ZIP codes automatically qualify as personal identification information, the Court found that "a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, [which is] the very information . . . [the law] expressly identifies as personal identification information."[6]

C. Alleging Damages Absent Identity Fraud

The second question the Court sought to address was whether a plaintiff may bring an action for violations of the Massachusetts law absent identify theft. Generally, to have standing to bring a lawsuit, a plaintiff must demonstrate that he or she has "suffered an ‘injury in fact' – an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not ‘conjectural' or ‘hypothetical.'"[7] In the data breach context, allegations of identity theft or an actual loss of economic value of the plaintiff's personal information have been found to demonstrate sufficient personal "injury in fact" to establish standing. Absent such allegations, courts have been generally unreceptive to plaintiffs' claims that they suffered an injury in fact in a privacy-based suit.

In Tyler, the trial court followed this generally accepted view.[8] The Supreme Judicial Court, however, took a much broader position:

When a merchant acquires personal identification information in violation of § 105 (a ) and uses the information for its own business purposes, whether by sending the customer unwanted marketing materials or by selling the information for a profit, the merchant has caused the consumer an injury that is distinct from the statutory violation itself and cognizable under G.L. c. 93A, § 9.[9]

The Supreme Judicial Court found that, based on a review of the legislative history, "the purpose [of the law] was to safeguard consumer privacy and more particularly to protect consumers using credit cards from becoming the recipients of unwanted commercial solicitations from merchants with access to their identifying information."[10] In fact, the Tyler Court stated that it sees "no reason to read into the statute a requirement that one be the victim of identity fraud in order to assert a claim under that statute. [The statute] does not contain an express limitation to that effect… [and] we interpret § 105(a) itself as being intended primarily to address invasion of consumer privacy by merchants, not identity fraud."[11]

D. Meaning of "Credit Card Transaction Form"

Finally, the Tyler Court addressed whether the term "credit card transaction form" refers equally to an electronic as to a paper transaction form. In finding equal application, the Court relied on the broad statutory language, which did not limit "credit card transaction forms" to paper transactions. The Court noted that failing to construe Section 105(a) as applying to electronic transactions might render the statute obsolete in a world where paper transactions are a "rapidly vanishing event," and might fail to carry out the statutory purpose of protecting consumer privacy because it would allow merchants to avoid the statute's prohibition against collecting personal identification information simply by using electronic means.[12]

II. Implications Beyond Massachusetts

Nine other jurisdictions have statutes, similar to the Massachusetts law, which broadly prohibit the collection of an address in connection with a credit card transaction. These jurisdictions are Delaware,[13] the District of Columbia,[14] Kansas,[15] Maryland,[16] Minnesota,[17] New Jersey,[18] New York,[19] Rhode Island,[20] and Wisconsin.[21] The laws do not include an express exemption allowing collection of information for any fraud prevention purposes, but the legislative intent appears to be related to protecting consumers from unwanted marketing. Regardless, it is anticipated that the Tyler decision may spur additional litigation in each of these other jurisdictions, asserting that the collection of ZIP codes in association with credit card transactions violates the state's law at a time when privacy lawsuits continue to increase.

III. Implications for Online Retailers

While the Tyler decision has an obvious impact on brick-and-mortar stores conducting business in Massachusetts, implications for online retailers are less clear. The California Supreme Court has subsequently limited the scope of the Pineda decision to the brick and mortar world, concluding that the Beverly-Song Act did not apply to online transactions for electronically-downloaded products.[22] Since the "safeguards against fraud that are provided in [the Beverly-Song Act] are not available to the online retailer selling an electronically downloaded product," the Court concluded that "the Legislature could not have intended [the Beverly-Song Act] to apply to this type of transaction."[23]

While this decision was welcome news for some Internet retailers, the Court was careful to limit its opinion. It specifically stated that it was not addressing whether its decision applies to other online transactions or "any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer."[24] Thus, the scope of an exception for online and catalogue stores remains unclear.

Unlike traditional brick-and-mortar stores, online and catalogue merchants cannot visually inspect the credit card or review the customer's identification. In addition, such retailers selling physical goods must collect the address of the consumer (including the ZIP code) to ship these goods to the consumer. Collecting addresses in connection with this type of transaction would be permitted in Massachusetts and eight of the nine jurisdictions with similar laws.[25] Specifically, these jurisdictions allow the collection of an address in connection with a credit card transaction, if the information is necessary for the shipping, delivery, servicing, or installation of consumer goods. This exemption would allow online retailers to collect an address (including a ZIP code) when the consumer provides his or her credit card, but only if the retailer is delivering or shipping the goods to the consumer. However, even if the collection is for a valid purpose, such as delivery, the use of that information for marketing purposes without notice or permission may be viewed to go beyond the protections provided by the exemption. Thus, online retailers should review how they use personal information collected from customers in the relevant states.

The same may not be said for online retailers selling downloadable products, such as songs and videos in the iTunes store, where physical delivery is not an issue. Moreover, the Tyler ruling also raises a question about the extent to which online and other retailers may collect ZIP codes in connection with a credit card transaction to prevent fraud and identify theft. While the California Supreme Court has provided an exemption for these types of transactions, legislative exemptions in Massachusetts and the other nine states with similar laws may be needed to clarify that collection of ZIP code information does not violate these laws where the purpose is for fraud detection and the data is not used for marketing purposes.

Nothing in these decisions, however, should prevent any retailer from collecting ZIP codes for purposes of conducting sweepstakes, loyalty programs, and other similar promotions at the time of a transaction, so long as the ZIP code is collected in a manner where the consumer understands that this information is not required for the credit card transaction. For example, a simple "Would you like to register for our ‘win a shopping spree' sweepstakes," or "Would you like to register to receive discount coupons" would be permitted because the request for the address and ZIP code is clearly separate from the transaction. This is equally true in the online space.

All retailers and online merchants should review their data collection practices in light of these decisions. Selling the consumer's information to a third party or using the information for future marketing, may subject online retailers to Pineda- and Tyler-like lawsuits in states with these laws, absent legislative clarifications.

IV. Implications for Owners of Gas Stations

The Tyler decision also has implications for a specific class of retailers in Massachusetts and other states with similar laws: gas station owners and operators. Following Pineda, suits challenging the collection of ZIP codes at the pump were precluded in California after the industry succeeded in obtaining an exemption to the Song-Beverly Act. This exemption permits the collection of ZIP codes for credit card sales transactions at a "retail motor fuel dispenser" or "retail motor fuel payment island automated cashier" when the ZIP code information is used "solely for prevention of fraud, theft, or identity theft."[26] California, however, is the only state with this exemption to date.

The Tyler ruling demonstrates that owners of gas stations that currently collect ZIP codes in the course of a credit card transaction should be aware of their practices in Massachusetts and these nine other states. ZIP codes are requested generally during credit card transactions at the pump for the sole purpose of fraud prevention.[27] This information is sent directly to the issuing bank and is never provided to the gas station owner or operator so cannot be used for marketing purposes. Given the number of credit card transactions processed by gas stations, the risk of being on the wrong side of this issue should a legal challenge be filed is potentially significant. In Massachusetts, for example, each plaintiff proving injury or harm (apart from the invasion of consumer privacy) may receive actual damages or $25 (whichever is greater), and up to triple that amount for willful or knowing violations.[28] More ominously is the prospect that plaintiff's lawyers would file lawsuits not only against the individual gas station owner, but also against the affiliated fuel supplier whose brand or logo is on the gas station.

While gas station owners or other retailers that collect ZIP codes solely for fraud prevention and neither sell the information, nor use it for marketing, can argue that these actions do not give rise to a privacy injury that meets legal standing requirements, this argument has not been offered in Massachusetts or elsewhere for the simple reason that the challenged collection of ZIP codes has involved instances where the data was allegedly used for marketing purposes. It is clear that the purpose of collecting ZIP codes at gas stations and sending such information to the issuing bank at the time the transaction is to safeguard consumer data and protect consumers from fraud. While it is likely that a court would find such practices meet the letter and spirit of the law, rather than facing potential litigation costs and awaiting judicial determinations that an exemption exists for fraud prevention when such information is never used for marketing purposes, the expectation is that the fuel industry will seek legislative relief similar to the exemption in the Song-Beverly Act in all states with similar prohibitions against collecting ZIP codes.

V. Conclusion

Privacy is a fast growing area of class action litigation. As already evidence by the two putative class action lawsuits filed in Massachusetts following Tyler,[29] the decision is likely to stimulate further litigation in Massachusetts and possibly the nine other jurisdictions with comparable laws.

It is important for companies to carefully review their data collection practices to determine whether they involve the recording of customers' ZIP codes or other identifying information, and if so, whether the company sells or uses such information in a way that could cause consumer "harm" or "injury." If so, these practices may need to be revised in order to avoid a potential consumer class action suit like Tyler. Industry organizations may also wish to seek clarifying legislative language so that important fraud protection activities can continue, and companies collecting information for such purposes can avoid litigation.

For more information on privacy and data security issues, please contact:
Sheila A. Millar (+1 202.434.4143, millar@khlaw.com)
Douglas J. Behr (+1 202.434.4213, behr@khlaw.com)