In March, we blogged about Tyler v. Michaels Stores, a recent Massachusetts Supreme Court ruling, holding that zip codes are personally identifiable information and disavowing data mining by zip code. That decision threatened and continues to threaten to bring forth a deluge of data mining litigation against retailers in Massachusetts, much like Pineda v. Williams-Sonoma has done in California. In March alone, two class actions were filed against Bed Bath & Beyond in Massachusetts, one by the same plaintiff as in Tyler v. Michaels Stores (complaints can be found here and here). In late May, a zip code data mining putative class action suit was filed against Guitar Center (complaint here). These cases may ignite analogous litigation in other states.

Merchants frequently ask for customer zip codes while conducting consumer transactions, particularly in those involving credit cards, even when credit card companies do not require such information. Merchants then identify customers’ addresses and phone numbers to target mass mailings or to sell the information to third parties. In Tyler v. Michaels Stores, the Massachusetts Supreme Court considered whether collecting zip codes in this context violates the Massachusetts’s consumer protection law. The court answered that it does, explaining that the law encompasses the protection of consumer privacy. Accordingly, a plaintiff will be able to assert injury under the statute even where there is no allegation of identity fraud if: (1) plaintiff actually received unwanted marketing materials as a result of the merchant’s unlawful collection of plaintiff’s personal identification information; or (2) the merchant sold plaintiff’s personal identification information to a third party.

The two putative class action lawsuits recently filed against Bed Bath & Beyond allege both types of harm. The complaints cite improper collection of zip codes during credit card transactions and violations of consumer privacy. According to the allegations, Bed Bath & Beyond used zip code information to: (1) obtain customer addresses and telephone numbers using commercially available databases; (2) send out unsolicited direct marketing information (including junk mail); and (3) possibly sell the information to third parties. The putative class action filed against retail giant Guitar Center in late May has similar allegations to those in the Bed Bath & Beyond complaints. In the Guitar Center case, the representative plaintiff claims that he received unwanted marketing materials in the mail. Additionally, he claims that Guitar Center misappropriated his economically viable personally identifiable information without due consideration. In Guitar Center, just as in the Bed Bath & Beyond cases, plaintiff seeks statutory damages of $25 per violation under the Massachusetts law, as well as treble damages.

Retailers are advised to remain mindful of these recent developments and, if necessary, modify their transactions— both in person and potentially online—as the developments in Massachusetts may influence laws in other jurisdictions.