Privacy & Information Security Law Blog

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”).  This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.

When the plaintiff made a purchase by credit card at the defendant retailer, a cashier requested her ZIP code and she provided it, believing that it was necessary to complete the transaction.  The plaintiff alleged that the store then used her name and ZIP code to locate her home address, which it added to a marketing database.  The Court of Appeals affirmed the trial court’s dismissal of the claim, holding that a ZIP code, without more, does not constitute personal identification information under the Credit Card Act.  The California Supreme Court reversed and remanded.

The Court first looked to statutory construction in its analysis of whether ZIP codes constitute personal identification information.  The Credit Card Act defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”  The Court found that the word “address” in the statute should be construed as encompassing not only a complete address, but also its components.  Furthermore, the Court rejected the lower court’s conclusion that a ZIP code is not personal identification information because it pertains to a group, rather than a specific individual.  The Court found that ZIP codes are like addresses or telephone numbers in that such information is “unnecessary to the sales transaction” and “alone or together with other data such as a cardholder’s name or credit card number, can be used for the retailer’s business purposes.”  The Court noted that this interpretation is also consistent with the Credit Card Act’s provision which allows businesses to require the cardholder to provide a form of identification, such as a driver’s license, “provided that none of the information contained thereon is written or recorded.”

In addition to examining the statute’s provisions, the Court reviewed the legislative history of the Credit Card Act.  The Court found that the California Legislature “intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”  A primary issue motivating the creation of the statute was how retailers acquired additional personal information, unnecessary to the transaction, to build mailing and telephone lists for its in-house marketing or to sell or others.  Later amendments of the statute prohibited businesses from recording information in consumers’ provided identification; the purpose of which was to prevent retailers from matching this information with the consumer’s credit card number.

The Court rejected the defendant’s argument that its construction of the Credit Card Act violates due process, and found that a broad interpretation of the Credit Card Act did not render the statute unconstitutionally vague because the law includes adequate notice of prohibited conduct.