Header graphic for print
Privacy Law Blog

Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”

Posted in Data Privacy Laws

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012, the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) Section 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is a violation of state privacy law for which the consumer can sue (see slip opinion).

By way of background, the plaintiff, Tyler, alleged she was making a credit card purchase at Michaels (an arts and crafts retailer) when a cashier asked her for her ZIP code.  Tyler provided her ZIP code.  Tyler alleged her ZIP code was later used by Michaels to find Tyler’s mailing address and telephone numbers and send her unwanted and unsolicited marketing materials.  Tyler filed a class action complaint against Michaels claiming unjust enrichment and seeking a declaratory judgment that collecting ZIP codes is a violation of Section 105(a).  The Massachusetts District Court found that Tyler’s complaint sufficiently alleged a violation of Section 105(a); however, the District Court found the complaint did not allege a cognizable injury under the statute (see our blog post here).  Further, the district court judge opined that the statute was meant to protect identity fraud and was not, as Tyler argued, for the protection of consumer rights.  At the judge’s invitation Tyler filed a motion to certify the following three questions to the Massachusetts Supreme Court, each regarding the proper interpretation of Section 105(a):

1) Under Section 105(a), is a ZIP code “personal identification information” because such a ZIP code may be required by the credit card issuer to complete the transaction? Yes, the Supreme Court answered, because regardless of whether the ZIP code was explicitly defined in the statute as personal identification information, it could be used to obtain such information.

2) Under Section 105(a), can a consumer bring an action for a privacy right violation even without identity fraud? Yes, the Supreme Court answered, disagreeing with the District Court judge, because they found no reason to limit the statute’s application to only identity fraud, especially when the title of the statute is “Consumer Privacy in Commercial Transactions.”

3) Under Section 105(a), does the term “credit card transaction form” apply to both paper and electronic credit card transactions? Yes, the Supreme Court answered, because limiting the statute to only paper transactions would render the statute obsolete in the age of electronic transactions.

The Supreme Court also found that possible injuries resulting from a violation of Section 105(a), such as where the merchant uses the information for its own business purposes by sending the customer unwanted marketing materials or by selling the information for profit, are injuries distinct from violation of the statute itself and are recognizable under the law.

So what’s next?  This case will now be sent back to the District Court for further proceedings.

Given the Massachusetts Supreme Court ruling, more law suits in Massachusetts and other states with similar consumer privacy statutes are likely to follow.  Therefore, other retailers and businesses may want to review their policies regarding credit card transactions and how their employees request consumer information.  In particular, retailers and other businesses may want to reconsider whether their employees should request a ZIP code, even if provided by consumers voluntarily, when such information is not required by the credit card issuer.