Over the past several years, there has been a wave of lawsuits brought under California’s Song-Beverly Act alleging that the collection of postal Zone Improvement Plan (ZIP) codes by businesses in connection with credit card transactions violates the Act. The catalyst for this wave is Pineda v. Williams-Sonoma Stores, Inc.1 California’s Song-Beverly Act “prohibits businesses from requesting that cardholders provide ‘personal identification information’ during credit card transactions, and then recording that information.” Under the Song-Beverly Act, a consumer’s address is considered personal identification information (PII). The Supreme Court of California construed the word “address” under the statute as encompassing components of an address, including postal ZIP codes, because ZIP codes can be combined with customers’ names to locate their complete addresses.2
This wave has now reached Massachusetts, albeit in a slightly different form. In 2011, a customer of Michaels Stores filed a complaint on behalf of herself and a putative nationwide class of customers in the District of Massachusetts, alleging that the retailer collected her ZIP code in connection with a credit card purchase and then used her name and ZIP code in conjunction with other commercially available databases to find her address and telephone number in order to send her unsolicited marketing materials.3 In its opinion,4 the district court held that ZIP codes constituted “personal identification information” under Mass. Gen. Laws c. 93, § 105, and therefore, there had been a statutory violation by the defendant. But the court granted the defendant’s motion to dismiss, concluding that the plaintiff had failed to allege any cognizable damages as a result of the violation. At the invitation of the court, the plaintiff filed a subsequent motion, which the court granted, to certify a series of questions regarding the proper interpretation of Mass. Gen. Laws c. 93, § 105 to the Supreme Judicial Court of Massachusetts (SJC).5 These questions sought clarity on whether and in what circumstances the collection of ZIP codes by retailers violates the state consumer protection act.
On March 11, 2013, the SJC issued its opinion on these questions. The SJC found that:
A critical issue in the case—as with many privacy cases—involved the question of injury. The SJC rejected the argument that a mere violation of the statute, without more, constituted a cognizable injury. Instead, the SJC held that plaintiffs were required to show a “separate, identifiable harm” arising from the violation.
It is unclear how low the bar established by the SJC will be set. On the one hand, the Court ruled that “if Michaels obtained a customer’s ZIP code, placed that information in a file (paper or electronic), and never used the information for any purpose thereafter, a consumer would not have a cause of action for damages.” 2013 WL 854097, at *6 n.17 (emphasis supplied). On the other hand, the Court made clear that the actual receipt by a consumer of unwanted marketing materials or the merchant’s sale of a customer’s “personal identification information” or the data obtained from that information to a third party would constitute a compensable injury under the statute. The language used by the Court in so holding is telling:
As for damages, it seems unlikely that a merchant’s use of a consumer’s personal identification information [to send unsolicited marketing materials or to sell to a third party] would cause the consumer to suffer either a readily quantifiable loss of money or property or measurable emotional distress. Nonetheless, receipt of unwanted marketing materials as a result of a . . . violation represents an invasion of the consumer’s personal privacy causing injury or harm worth more than a penny, and the consumer is thus entitled to the minimum statutory damage award of $25 under MASS. GEN. L. c. 93A, § 9(3). The issue of damages becomes more complicated where a merchant sells a consumer’s personal identification information acquired [in violation of the Act], because the harm comes from the merchant’s disclosure of the consumer’s private information on the open market, not from a direct assault on her privacy. Disgorgement of the merchant’s profits may provide an appropriate means of calculating damages in the latter situation, both because it is a close approximation of the value of the consumer’s personal identification information on the open market and because such a damage award would remove any financial incentive to merchants to violate the statute. For a single consumer, the amount of damages for such an injury also would likely amount to less than $25, thus triggering the minimum damage award provided by [the Act].
In Massachusetts, the stakes are particularly high for violations of the Consumer Protection Act; as the SJC noted, such violations carry with them minimum statutory damages of $25 per injury. In a putative class action,6 these nominal damages may add up quickly.
Given the SJC’s holding, coupled with the statutory damages available under the Massachusetts Consumer Protection Act, retailers operating in Massachusetts who routinely collect ZIP codes from their customers in order to process credit card or other sales transactions may be subject to damages in connection with such transactions. If the ZIP code information is used to send unsolicited marketing materials to customers, or the ZIP code information or the data obtained from that information is sold to a third party, the retailer clearly faces a risk of damages from that use. Beyond that, the issue is unclear as retailers collect their customers’ ZIP codes for reasons other than selling the “personal identification information” to third parties or targeted mailing campaigns. For example, retailers may collect ZIP codes in order to process credit card payments or to survey customers’ general geographic locations in the interest of future expansion into underserved or untapped markets. Based on the Michaels Stores decision, it is unclear whether these or other uses of consumer information represent “an invasion of the consumer’s personal privacy causing injury or harm worth more than a penny.” This low bar, combined with the $25 minimum damages under the statute, suggests that retailers operating in Massachusetts should review their practices with respect to ZIP code information collection immediately.
1. Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011).
2. Since the Pineda decision was filed, subsequent developments in California law have provided a so-called “fraud prevention exception” to the Song-Beverly Act, which exempts retailers from liability when they seek PII for the purposes of preventing credit card fraud. See, e.g. Apple, Inc. v. Superior Court, 151 Cal.Rptr.3d 841, 848-49, 292 P.3d 883 (2013). Furthermore, given the additional relevant case law still pending in California, additional modifications to the Pineda ruling are likely to occur in the future. How these developments will affect Massachusetts law is yet to be determined.
3. Melissa Tyler v. Michaels Stores, Inc., No. SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013).
4. Melissa Tyler v. Michaels Stores, Inc., 840 F.Supp.2d 438 (2012).
5. Mass. Gen. Laws c. 93 §105(d) provides that “[a]ny violation of the provisions of this chapter shall be deemed to be an unfair and deceptive trade practice, as defined in section 2 of chapter 93A,” thus giving rise to a cause of action under the Consumer Protection Act.
6. Because the Massachusetts statute provides for nominal damages only to persons who can show injury under the state consumer protection act, this relief is limited primarily to Massachusetts residents or those shopping at stores located in the Commonwealth.
This article was originally published by Bingham McCutchen LLP.