Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

ZIP Code is Personal Information
The court started its analysis with the language of § 105(a), which states that “[PII] shall include, but shall not be limited to, a credit card holder’s address or telephone number.” The plaintiff argued, as the California Supreme Court held in Pineda v Williams Sonoma, that “address” meant each and every component of an address. The Massachusetts court disagreed. Rather, the court found that § 105(a) was intended “to have a much narrower scope than the California statute.” Id. at 8-9. According to the court, when it passed § 105(a), the Massachusetts legislature focused its attention solely on the prevention of identity fraud. (By contrast, the Pineda court found that the California legislature also expressed concern about consumer privacy more generally, including merchants using PII for marketing purposes.) With this perceived legislative focus in mind, the court then considered whether a ZIP code amounted to PII under Massachusetts’ statute criminalizing identity theft. Relying on the definition of PII under Mass. Gen. Laws ch. 266, § 37E, the court concluded that a ZIP code constitutes PII because it “may be used (in conjunction with other data) to identify a specific individual.” Id. at 13. As the court further stated, “the input of a ZIP code during a credit card transaction is the equivalent to the input of a [PIN] in a debit card transaction . . . both a ZIP code and a PIN number may be used fraudulently to assume the identity of the card holder.” Id. at 13-15.

This reasoning, the court said, “is more consistent with the Massachusetts legislative intent to prevent fraud” than the Pineda court’s reasoning. Id. at 15. On the bright side, the court’s devotion to legislative history in Massachusetts may limit the opinion’s persuasiveness outside the Commonwealth. But its persuasiveness is probably limited anyway since the reasoning seemingly ignores obvious distinctions between ZIP codes and PINs, including that ZIP codes are assigned by the U.S. Postal Service to help deliver mail to potentially hundreds of people whereas PINs are typically self-selected by individuals so that they can access a specific financial account. Really, unless you’re at a gas station that requires you to enter a ZIP code to use a credit card, the ZIP code and PIN analogy doesn’t work . . . and it’s not even a close call!

Electronic Card Terminal is a Transaction Form
Michaels argued that it did not violate § 105(a)’s prohibition against writing PII “on the credit card transaction form” because § 105(a) did not encompass electronically stored transaction forms. The court rejected this argument principally because the language of § 105(a) did not distinguish between paper and electronic transaction forms in its application to “all credit card transactions.” Id. at 16. This explanation should have sufficed. But the court continued, and muddied the waters a bit, by articulating the relationship between receipts and transaction forms in a way that suggests that receipts simultaneously are and are not credit card transaction forms. Id. at 17-18, & n.7.

Lack of Harm Dooms Tyler’s Claims
Notwithstanding all the court did to explain how the plaintiff successfully stated a violation of § 105(a), the court still refused to entertain the plaintiff’s statutory claims against Michaels. According to the court, a valid claim under Chapter 93A requires a showing of “an injury or loss suffered by the consumer” as well as “a causal connection between the defendant’s deceptive act or practice and the consumer’s injury.” Id. at 19. Unfortunately for the plaintiff, the court concluded that neither the simple fact of a violation of § 105(a), nor the alleged “misappropriation” of her valuable PII (whether or not it was used to send her unwanted commercial advertising) amounted to a legally cognizable injury. Similarly, the court explained in a lengthy footnote, Tyler’s alleged injuries failed to establish her Article III standing to sue Michaels in federal court. Id. at 22, n.8. As such, the granted Michaels’ motion to dismiss as to the plaintiff’s § 105(a) claims. Out you go, David!

Unjust Enrichment Claims Fail
Like her § 105(a) claims, the court dismissed the plaintiff’s unjust enrichment claim because she failed to allege all of the essential elements of the claim. In the court’s opinion, Tyler failed to establish that any “reasonable person would expect compensation for providing a ZIP code to a merchant.” Id. at 27. This, according to the court, negated any assertion by the plaintiff that Michaels’ acceptance and retention of the “benefit” of her ZIP code was unjust. Once again, that explanation should have sufficed. But again, the court elaborated. And in doing so it undercut its prior conclusions as to whether ZIP codes are PII by stating that “[a]rguably the recording of these ZIP codes constitutes a statutory violation, because certain credit card issuers do not require Michaels to request customers’ ZIP codes to process the transaction.” Id. at 28. “Arguably?” Really? Did the court mean what it said when it held that the plaintiff sufficiently alleged a violation of § 105(a) or not? See id. at 18-19.

Plaintiff Not Entitled to Declaratory Relief
Because the Declaratory Judgment Act is not an independent grant of federal jurisdiction, the court was forced to dismiss the plaintiff’s request for declaratory relief along with her other claims.

Court Encourages Certification
Finally, as if imploring the parties to seek further review, the court announced that it would enter a judgment of dismissal “one week from the date of the issuance of this memorandum of decision” in order to give the parties adequate time to move for certification to the Massachusetts Supreme Judicial Court. Id. at 30 & n.10.

So what are we left with? Considering the court’s apparent lack of confidence in its own decision and its near insistence that the parties seek certification of the decision to the Massachusetts Supreme Court, it may be too early to say what, if anything, this decision means for other retailers even in Massachusetts. Is certification actually in order? Probably a tough call when you look at the gap between the accuracy of the result and the accompanying ZIP code reasoning. Retailers who were unhappy with the California Supreme Court’s opinion in Pineda probably will not be any more pleased with the court’s ZIP code reasoning here. But the result? You bet!

The Song Beverly Act prohibits businesses from requesting that cardholders provide “personal identification information” during credit card purchase transactions that do not fall within one of the exceptions in subdivision (c), and then recording that information. Personal identification information is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” The trial court in Pineda concluded that a ZIP code, without more, did not constitute personal identification information. The Court of Appeal affirmed the trial court’s decision in all respects, in large part because a ZIP code pertains to a group of individuals, unlike an address or telephone number that is “specific in nature regarding an individual.”

The California Supreme Court, however, rejected the trial court’s and the Court of Appeal’s reasoning. Relying (too heavily it seems) on the Song Beverly Act’s protective purpose and expansive language, the court concluded that the word “address” should be construed as “encompassing not only a complete address, but also its components.” The court expressed concern about Williams-Sonoma’s “reverse append” practices and the potential for retailers to make an end-run around the statute by collecting indirectly what they cannot legally collect directly. But the Court’s language does not appear to be limited to collecting and using ZIP codes to perform such reverse appends. Rather, the decision broadly states that “[i]n light of the statute’s plain language, protective purpose, and legislative history, we conclude that a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08.” In so holding, the Supreme Court essentially reversed the Court of Appeal’s decision in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), in which the Court of Appeal first explained that a ZIP code identifies a relatively large group rather than an individual. In fact, the Party City record showed that there were 24,953 individual addressees in the plaintiff’s ZIP code. Consequently, the Court of Appeal concluded that a ZIP code was not, as a matter of law, the kind of personalized or individual identification information that falls within the scope of the Act.

In addition to some spirited debate, the Pineda decision is likely to generate a healthy number of lawsuits against California retailers. So ZIP up those jackets and be prepared to weather the storm!
 

In Party City, the plaintiff claimed that Party City’s request for a zip code in conjunction with a credit card purchase violated the Act. The trial court agreed, granting the plaintiff summary judgment. The Court of Appeal granted a writ of mandate and overturned the trial court concluding that summary judgment should be entered for Party City. The Court of Appeal found that zip codes are not personal identification information based on the plain language of the statute. In applying a plain reading, the court first examined postal regulations to understand what zip codes encompass. The court determined that zip codes as defined by the postal service are not individualized identification criteria. Rather they are used to "provide identification of a relatively large group." Because "tens of thousands of people have the same zip code" the court concluded a zip code standing alone is not the same as an individual’s address or telephone number. The court found its interpretation bolstered by the principle that statutes that create mandatory civil liabilities should be construed in favor of the "persons sought to be subject to their operation."

This is the third California appellate decision this year taking a narrow interpretation of the Act. See here and here for blog posts on earlier appellate court decisions holding that the Act does not apply in the merchandise returns context.

California Civil Code § 1747.08 prohibits a retailer that accepts credit cards from, among other things, requesting, or requiring as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the retailer writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc., and Marmaxx (collectively, TJX) sought a writ of mandate compelling the trial court to grant their motion to strike portions of the complaint that defined the class as users of credit cards "within the last three . . . years." The court found that the penalty imposed in subdivision (e) of the statute, using the language "shall be subject to" is mandatory and therefore is "[a]n action upon a statute for a penalty" subject to the one-year statute of limitation of California Code of Civil Procedure section 340.

The court also held that the plain language of section 1747.08 does not apply to returned merchandise and directed the court to vacate its order overruling TJX’s demurrer to the complaint. Among other things, the court noted that "there are substantial opportunities for fraud" in connection with merchandise returns and "it behooves the merchant to identify the person who returns merchandise, which subsequent examination may disclose to have been used, damaged, or even stolen."