Yesterday, the Massachusetts Supreme Judicial Court (“SJC”) ruled that zip codes constitute “personal identification information” under G.L. c. 93. The question of law came to the SJC from the U.S. District Court for Massachusetts stemming from Tyler vs. Michaels Store, Inc, which was dismissed in January. This ruling echoes California’s 2011 decision that the Song-Beverly Credit Card Act prohibits merchants from requesting zip codes from customers paying by credit card (for additional information see our client alert here.)
The plaintiff alleged that on several occasions when she made purchases at Michaels with a credit card she was asked to provide her zip code. The plaintiff provided her zip code because she thought it was necessary in order to complete the transactions, but the credit card issuers did not require the merchant to capture zip codes. Michaels has a policy of writing names, credit card number and zip codes on electronic credit card transaction forms. Michaels then used the information to find the customer’s address and subsequently sent the customer marketing materials.
On January 6, 2012 the District Court granted Michaels motion to dismiss on grounds that the complaint failed to allege an injury under G.L. c. 93A. On January 13, 2013 the plaintiff filed a motion to certify the following questions:
Under G.L. c 93, § 105 (a) is a zip code “personal identification information”?
Under G.L. c. 93, § 105 (a ) may a plaintiff bring an action for a privacy right violation absent identity fraud?
Under G.L. c. 93, § 105 (a), do the words “credit card transaction form” refer equally to an electronic or a paper transaction form?”
The SJC answered “yes” to all three questions. Before addressing the three certified questions the court reviewed section 105 (a) and concluded that the intended purpose of the law is to “guard consumer privacy in credit card transactions, not to protect against credit card identify theft.”
(1) Meaning of “personal identification information”
The SJC agreed with the lower court in finding that the zip code indeed constitutes “personal information” under the statute, but for slightly different reasons. The statute defines “personal identification information” as including, but not limited to, “a credit card holder’s address or telephone number.” The plaintiff argued that zip code is part of the address and therefore personal identification information under the statute. The SJC said that even if they found that reasoning to fail, zip code is still personal identification information because when the zip code is combined with the consumer’s name it provides the merchant with enough information to get the consumer’s address which is personally identification information as defined under the statute. The court added that if they found zip code to not being “personally identifiable information” then it would “render hollow the statute’s prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection.”
(2) Requirements for bringing an action under §105(a).
The SJC found no reason why the statute would be limited to victims of identity fraud and reiterated their standing that the statute is intended to “address invasion of consumer privacy by merchants…” The court expanded on this premise concluding that there are at least two types of injury or harm that could be caused by the merchant’s violation of the statute (a) the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of consumer personal identification information; and (b) the merchant’s sale of a consumer’s personal identification information to a third party.
(3) Meaning of “credit card transaction form.”
The court reviewed the statute and found no indication that the term “credit card transaction form” is limited to paper form and said the statute applies to all transactions, whether they are processed manually or electronically. The court reasoned that because the statute contains no limiting language and interpreting the statue to exclude electronic transactions would render the statue obsolete in a “world where paper credit card transaction are rapidly vanishing…”
A business that follows a practice of requesting and recording zip codes as part of credit card sales transactions in Massachusetts for purposes other than fulfilling an order or completing a transaction (in both brick and mortar establishments and online) should cease this practice. The SJC’s answer to question three clearly extends the reach of the statute to online retailers (an issue currently being fought in California, see our blog post here) who collect a zip code for some reason other than as part of an online transaction (shipping address, etc.). An open question is whether this can be read to potentially expand the “categories” of “personal information” as defined under M.G.L. 93H that, if breached, trigger notification obligations.