: New Jersey : Privacy Law Blog

Home > New Jersey >

ZIP-lined Out of Court: Williams-Sonoma Obtains Dismissal of New Jersey ZIP Code Collection Suit

Posted on October 4, 2011 by Brendon Tavelli

On September 26, Judge William Walls of the U.S. District Court for the District of New Jersey ruled that a putative class action lawsuit against home goods retailer Williams-Sonoma failed to state a claim under New Jersey law. In Feder v. Williams-Sonoma Stores, Inc., the plaintiff sought damages for purported violations of New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) after a Williams-Sonoma employee allegedly required the plaintiff to provide her zip code as part of a credit card transaction. The TCCWNA prohibits, among other things, the offering, entering into, giving or displaying a written consumer contract or notice “which includes any provision that violates any clearly established legal right of a consumer” under New Jersey or Federal law. In somewhat confusing fashion, the plaintiff’s complaint alleged that the electronic credit card transaction forms into which Williams-Sonoma enters consumers’ zip codes constituted consumer contracts that were subject to TCCWNA and that the collection of consumer zip codes on such forms violated the TCCWNA.

New Jersey law, like California law, does restrict the collection of personal information in connection with credit card purchases in some ways. However, New Jersey’s law does not provide for a private right of action. Therefore, the plaintiff in this case attempted to invoke the New Jersey law though the TCCWNA, which does provide for a private right of action. But unfortunately for the plaintiff, her complaint failed to allege the existence of a written contract containing a provision that explicitly violated the applicable New Jersey law on the subject so as to trigger the TCCWNA. Rather, Judge Walls rightly concluded that even assuming that the credit card transaction form constituted a written consumer contract, as plaintiff alleged it did, the “existence of the recorded zip code itself, which consists solely of numbers, does not constitute a contract provision that violates the plaintiff’s rights.” As such, the complaint failed to state a claim under the TCCWNA and required dismissal. The court also denied the plaintiff’s request to file an amended complaint because, in his opinion, the proposed amended complaint failed to either set forth any additional factual support for plaintiff’s allegation that the credit card transaction form constituted a written contract or allege any written provision of such “contract” violated her rights. Thus, according to Judge Walls, the amended complaint would fail for the same reasons as the original complaint.

The district court’s decision in this case supports what many people hope will continue to be the case, i.e., that it will be a challenge for plaintiffs’ lawyers to successfully transplant the California Supreme Court’s recent decision in Pineda v. Williams-Sonoma, Inc. (see this blog post) into other jurisdictions.

Tags: Data Privacy Laws, New Jersey, dismiss, litigation, personal information, zip code

"Houston's, We Have A Privacy Problem . . . ."

Posted on July 14, 2009 by Proskauer Rose LLP

On June 16, 2009, in Pietrylo v. Hillstone Restaurant Group, USDC D.N.J. Case No. 2:06-cv-5754-FSH-PS, a New Jersey federal jury found that the Houston’s restaurant chain violated the Stored Communications Act (SCA) and the New Jersey Wiretapping and Electronic Surveillance Control Act (NJWESCA) by allegedly requiring an employee to surrender to Houston’s managers login information that would allow access to an employee MySpace gripe group called “Spec-Tator.” Spec-Tator’s creators, Brian Pietrylo and Doreen Marino, were fired for violating Houston’s policies regarding professionalism and positivity. They sued for alleged violations of their common law right to privacy, freedom of speech, the SCA and the NJWESCA, and for wronful termination.

Liability hinged on whether access to Spec-Tator was unauthorized. When Pietrylo and Marino created the group, they invited a select group of Houston’s employees, but no managers. The SCA and the NJWESCA extend liability to parties that exceed authorization to access electronic communications. Thus, the jury form asked: “Did Houston’s knowingly or intentionally or purposefully access the Spectator without authorization from Karen St. Jean?” The jury answered in the affirmative and awarded to plaintiffs $17,000 in compensatory and punitive damages.

While employers with appropriately-worded policies may monitor employee communications using company equipment, the Hillstone verdict, as well as the court’s refusal to dismiss the SCA and NJWESCA claims on summary judgment, indicate that employers may be liable if they exceed their authorization by accessing protected sites not intended for them to see. However, there is extensive grey area yet to be explored. For example, the outcome of the case might have been different had a Spec-Tator user logged in using a work computer and failed to log herself out, or if Spec-Tator had dropped a cookie onto her computer permitting persistent login.

Summer Associate Todd Mobley contributed to this report.

Tags: MySpace, New Jersey, Stored Communications Act, Workplace Privacy, social networking, workplace

Iowa Enacts 43rd State Breach Notification Law

Posted on May 12, 2008 by Proskauer Rose LLP

On May 9, 2008, Iowa Governor Chester Culver signed legislation (SF 2308) requiring any person who owns or licenses computerized data that includes a consumer's personal information to give notice of a breach of security. The law does not require notification if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach. Following is an updated list of the 43 state security breach notification laws (plus District of Columbia and Puerto Rico).

Arizona (ARIZ. REV. STAT. ANN. § 44-7501(h))

Arkansas (ARK. CODE ANN. § 4-110-101 et seq.)

California (CAL. CIV. CODE § 1798.82)

Colorado (COLO. REV. STAT. § 6-1-716)

Connecticut (CONN. GEN. STAT. § 36a-701b)

Delaware (DEL. CODE ANN. tit. 6, § 12B-101)

District of Columbia (District of Columbia B16-810, D.C. Code § 28-3851)

Florida (FLA. STAT. § 817.5681)

Georgia (GA. CODE ANN. § 10-1-911)

Hawaii (Hawaii Revised Stat. §§ 487N-1 et seq.)

Idaho (IDAHO CODE ANN. § 28-51-104 et seq.)

Illinois (815 ILL. COMP. STAT. ANN. 530/5, /10)

Indiana (IND. CODE § 24-4.9)

Iowa (SF 2308)

Kansas (KAN. STAT. ANN. §§ 50-7a01-02)

Louisiana (LA. REV. STAT. ANN. § 51:3071 et seq.)

Maine (ME. REV. STAT. ANN. tit. 10, §1346 et seq.)

Maryland (H.B. 208 and S.B. 194)

Massachusetts (Massachusetts General Laws Ann. 93H §§ 1 et seq.)

Michigan (Michigan Compiled Laws Ann. 445.72)

Minnesota (MINN. STAT. § 325E.61)

Montana (MONT. CODE ANN. § 30-14-1704)

Nebraska (NEB. REV. STAT. § 87-801 et seq.)

Nevada (NEV. REV. STAT. 603A.010 et seq.)

New Hampshire (N.H. REV. STAT. ANN. § 359-C:19 et seq.)

New Jersey (N.J. STAT. ANN. § 56:8-163)

New York (N.Y. GEN. BUS. LAW § 899-aa)

North Carolina (N.C. GEN. STAT.§ 75-60 et seq.)

North Dakota (N.D. CENT. CODE § 51-30-01 et seq.)

Ohio (OHIO REV. CODE ANN. § 1349.19)

Oklahoma (Okla. Stat. § 74-3113.1)

Oregon (S.B. 583)

Pennsylvania (73 PA. CONS. STAT. ANN. § 2303)

Puerto Rico (Law 111 and Regulation 7207)

Rhode Island (R.I. GEN. LAWS § 11-49.2-3))

South Carolina S.B. 453

Tennessee (TENN. CODE ANN. § 47-18-21)

Texas (TEX. BUS. & COMM. CODE ANN. § 48.001 et seq.)

Utah (UTAH CODE ANN. § 13-44-101 et seq.)

Vermont (VT. STAT. ANN. tit. 9, § 2430 et seq.)

Virginia S.B. 307

Washington (WASH. REV. CODE § 19.255.010)

West Virginia S.B. 340

Wisconsin (WIS. STAT. § 895.507)

Wyoming (W.S. 40-12-501 through 40-12-509)

More Breach Notification Laws -- 42 States and Counting

Posted on April 7, 2008 by Proskauer Rose LLP

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma). Listed below are the 41 states with laws that apply to private entities (plus the District of Columbia and Puerto Rico).