Already home to one of the toughest data protection laws in the country, Massachusetts now joins California in having expansive protections for data exchanged during a credit card transaction.
On March 11, 2013, in Tyler v. Michaels Stores Inc., No. SJC-11145, (Mass. Mar. 11, 2013), Massachusetts' highest court held that a retailer can violate credit card data and consumer protection statutes if:
• a consumer pays in-store with a credit card; and
• that consumer's zip code is recorded at the point of sale.
Crucially, the violation can be triggered:
• even if no actual fraud was perpetrated; and
• even if no subsequent data theft occurs.
When courts in California reached a similar conclusion in the now infamous Pineda case (Pineda v. Williams-Sonoma Stores, Inc. (2011) 120 Cal.Rptr.3d 531, 246 P.3d 612), more than 150 class action lawsuits ensued.
Retailers in Massachusetts need to promptly review, therefore, not only their in-store point-of-sale practices but their online sales and marketing activities as well. A critical first step is development of careful, auditable means to distinguish between use of consumer data collected online and data separately collected from the same consumer in-store. Otherwise, a lawful online campaign conducted with full disclosure under a compliant privacy policy may, if point-of-sale data is also collected, be sufficient to sustain a cause of action by an entire class of plaintiffs, at least through the costly summary judgment phase.
Our initial recommendations are that retailers:
• review in-store and online data collection practices and modify as necessary to mitigate the risks raised by Tyler;
• establish a process to track consumer complaints related to marketing campaigns; and
• put a process in place to respond timely to such complaints and thereby leverage the available safe harbors.
Please do not hesitate to contact Rich Green rgreen@mccarter.com 860.275.6757 with questions regarding this new ruling.