Already home to one of the toughest data protection laws in the country, Massachusetts now joins California in having expansive protections for data exchanged during a credit card transaction.
On March 11, 2013, in Tyler v. Michaels Stores Inc., No. SJC-11145, (Mass. Mar. 11, 2013), Massachusetts' highest court held that a retailer can violate credit card data and consumer protection statutes if:
• a consumer pays in-store with a credit card; and
• that consumer's zip code is recorded at the point of sale.
Crucially, the violation can be triggered:
• even if no actual fraud was perpetrated; and
• even if no subsequent data theft occurs.
When courts in California reached a similar conclusion in the now infamous Pineda case (Pineda v. Williams-Sonoma Stores, Inc. (2011) 120 Cal.Rptr.3d 531, 246 P.3d 612), more than 150 class action lawsuits ensued.
Our initial recommendations are that retailers:
• review in-store and online data collection practices and modify as necessary to mitigate the risks raised by Tyler;
• establish a process to track consumer complaints related to marketing campaigns; and
• put a process in place to respond timely to such complaints and thereby leverage the available safe harbors.
Please do not hesitate to contact Rich Green firstname.lastname@example.org 860.275.6757 with questions regarding this new ruling.