Privacy & Information Security Law Blog

On March 11, 2013, in Tyler v. Michaels Stores, Inc., the Massachusetts Supreme Judicial Court effectively reinstated the suit against the retailer by answering favorably for the plaintiff three certified questions from the United States District Court for the District of Massachusetts regarding Massachusetts General Laws Chapter 93, Section 105(a) entitled “Consumer Privacy in Commercial Transactions” (“Section 105(a)”). The court ruled that (1) a ZIP code constitutes personal identification information under the Massachusetts law; (2) a plaintiff may bring an action for a violation of the Massachusetts law absent identity fraud; and (3) the term “credit card transaction form” refers equally to electronic and paper transaction forms. The Massachusetts court’s determination that a ZIP code constitutes personal identification information is similar to the determination in Pineda v. Williams-Sonoma Stores, Inc., in which the California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act. More than 15 states, including Massachusetts and California, have statutes limiting the type of information that retailers can collect from customers.

The plaintiff’s class action complaint alleged that the defendant “illegally requested customers’ ZIP codes when processing their credit card transactions in violation of Section 105(a).” Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

On January 6, 2012, the United States District Court for the District of Massachusetts granted the defendant’s motion to dismiss finding that although a ZIP code constitutes personal identification information under Section 105(a), the complaint, which did not assert there had been any identity theft, failed to allege that the collection of ZIP codes caused the plaintiff a cognizable injury. While the court found that the plaintiff had sufficiently alleged a cause of action under Section 105(a), it ultimately dismissed her complaint in its entirety because she failed to demonstrate a causal connection between the defendant’s “deceptive act” and any cognizable injury. At the judge’s invitation, however, the plaintiff filed a motion to certify three questions to the Massachusetts Supreme Judicial Court.

In answering each of the three questions in the affirmative, the Massachusetts Supreme Judicial Court asserted that the principal purpose of the statute is to guard consumer privacy in credit card transactions, and is not limited to preventing identity theft. In addition, the court held that “a plaintiff. . . . must allege, and ultimately prove that she has, as a result of the unfair or deceptive act, suffered a distinct injury or harm that arises from the claimed unfair or deceptive act itself.” The court explained that “[w]hen a merchant acquires personal identification information in violation of § 105(a) and uses the information for its own business purposes, whether by sending the customer unwanted marketing materials or by selling the information for a profit, the merchant has caused the consumer an injury that is distinct from the statutory violation itself.” The action will return to the United States District Court for further proceedings.

This decision undoubtedly will lead to similar suits in the future against retailers in Massachusetts that have been collecting ZIP codes at the point of sale. It also may encourage lawsuits alleging violations of state laws in the other states that have similar laws on the books addressing this issue.