Earlier this month, the Massachusetts Supreme Court issued an opinion holding that zip codes “may well qualify” as personally identifiable information under the Massachusetts law controlling the treatment of PII in credit card transactions. The Massachusetts case echoes a 2011 ruling from the California Supreme Court which similarly held zip codes to be PII. Like the earlier California case, the Massachusetts case potentially affects merchants who collect and use zip codes in connection with credit card transactions and, as a result, may now be subject to class action lawsuits for unfair or deceptive trade practices.
Michaels Stores, the defendant in the underlying action, was accused of collecting the zip code of a customer paying for her purchase with a credit card at a retail location. The customer sued, alleging that the zip code was not required to complete the credit card transaction, and that the collection consequently violated the relevant statutory provision. That provision requires:
No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.
Mass. Gen. Law ch. 93A § 105(a) (2012).
The plaintiff also claimed that, with the help of commercially available databases, Michaels then used her name and zip code to identify her address and phone number and send her unsolicited marketing communications. The plaintiff filed a class action complaint under provisions of Massachusetts law creating a private right of action for unfair and deceptive trade practices.
Assuming the truth of the plaintiff’s claims, the Court rejected Michaels’s argument that zip codes would not be PII. The key to the Court’s holding was the supposed ease with which zip codes, combined with a consumer’s name, could be used to identify particular individuals via “publicly available databases.” “In those circumstances,” wrote the Court, failing to treat zip codes as PII would “undermine the statutory purpose of consumer protection.”
The Court also took the opportunity to explicate the standard of harm or injury that a plaintiff must allege and prove when suing under a theory of unfair and deceptive trade practices. In particular, the Court held that the violation of a consumer’s legal rights alone is not necessarily a harm or injury. Instead, the Court held that “the violation of the legal right that has created the unfair or deceptive act or practice must cause the consumer some kind of separate, identifiable harm arising from the violation . . . .”
However, according to the Court, the requisite distinct harm or injury could be “the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection” of PII. Or, alternately, the harm could be “the merchant’s sale of a customer’s personal identification information or the data obtained from that information.” In either of these cases, potential plaintiffs could be entitled to statutory minimum damages of twenty-five dollars (leading, of course, to much larger figures in case of class actions involving many affected consumers).
The Court made clear that merely collecting zip codes would not be enough to create the distinct injury or harm necessary:
In the present case, for example, if Michaels obtained a customer’s zip code, placed that information in a file (paper or electronic), and never used the information for any purpose thereafter, a consumer would not have a cause of action . . ., even though Michaels’s request for and saving of the zip code information may have violated § 105(a) and thereby qualified as an unfair or deceptive act.
Liability attaches instead in the circumstance where the merchant improperly collects “and uses the information for its own business purposes.”
Finally, the Court refused to distinguish between paper or electronic transactions, holding that the statute applies equally to both.