Cal. Supreme Court Holds that ZIP Codes are PII Under Song-Beverly Act
Cal. Civil Code § 1747.08, which is part of the Song-Beverly Credit Card Act of 1971 (as amended), prohibits entities that accept credit cards from asking or requiring cardholders to provide “personal identification information” at the time of a credit card transaction if the personal identification information is then recorded by the entity. “Personal identification information” is defined as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and phone number.” Under § 1747.08(c), entities are allowed to ask for personal identification information (“PII”) in certain situations, e.g., when the credit card is being used as a deposit to secure payment in the event of default or damages; cash advance transactions, if the entity is required by contract or by federal law to collect and record the PII as part of the transaction; or when the PII is needed for “a special purpose” related to the transaction, such as shipping, delivery, servicing, etc.
In Pineda v. Williams-Sonoma Stores, 2011 WL 446921 (Cal. 2011), the plaintiff alleged that when she attempted to buy an item with her credit card at a Williams-Sonoma store in California, the clerk asked her for her ZIP code, which the plaintiff provided. The clerk then entered the ZIP code into the cash register and completed the transaction. Williams-Sonoma then used the information to obtain the plaintiff’s name and full address for its database, which it uses to market products to consumers.
Plaintiff alleged that Williams-Sonoma had violated the Song-Beverly Act by asking for her ZIP code. At trial, Williams-Sonoma argued that a ZIP code was not “personal identification information” under the definition in the statute. The trial court agreed with Williams-Sonoma, stating that a ZIP code was not “personal identification information” as defined in Section 1747.08, and the California Court of Appeal affirmed that decision.
The California Supreme Court reversed the Court of Appeal’s decision, finding that “the only reasonable interpretation of § 1747.08 is that personal identification information includes a cardholder’s ZIP code.” The Court, citing legislative history that “demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” held that the terms in the definition in § 1747.08(b) were pieces of information that were “unnecessary to the sales transaction” and “alone or together with other data such as a cardholder’s name or credit card number,” could be “used for the retailer’s business purposes.”
Implications of the Pineda decision:
Brick-and-mortar stores in California cannot ask customers to provide any PII (including ZIP codes) when conducting credit card transactions if the business is going to record that information, unless the transaction falls under one of the exceptions in § 1747.08(c). Under § 1747.08(d), entities may still ask the cardholder to provide a driver’s license or some other form of ID, as long as the information on the ID is not recorded.
However, in addition to the exceptions specified in § 1747.08(c), California state courts have also held that entities may ask customers to provide PII:
• For refund or merchandise return transactions. Absher v. AutoZone, Inc., 164 Cal. App. 4th 497 (Cal. Ct. App. 2008); TJX Companies, Inc. v. Superior Ct., 108 Cal. App. 4th 447 (Cal. Ct. App. 2003); or
• When the request is for purposes of registering a product warranty. Watkins v. Autozone Parts, Inc., 2009 WL 3214341 (S.D. Cal. 2009).
Online transactions. California state courts have not addressed the issue of whether the Song-Beverly Act prohibitions on requesting PII for credit card transactions apply to online retailers. However, in 2009, a federal court in the Central District of California held that the Song-Beverly Act prohibitions did not apply to online transactions, stating, “In keeping with the precedents finding that refund transactions are outside the category of transactions covered by the Act because of the unique fraud concerns created by those transactions, the Court also finds online transactions are not encompassed within the Act.” Saulic v. Symantec Corp., 596 F.Supp.2d 1323, 1336 (C.D. Cal. 2009). Accordingly, it would appear that online retailers may still require consumers to provide ZIP codes and other PII in order to complete online credit card purchases.
Update: Despite the ruling in the Saulic case that online transactions are not subject to the Song-Beverly Act, a plaintiff has filed class action complaints in California state court against Amazon and PayPal, alleging that Amazon and PayPal violated the Song-Beverly Act and California’s unfair competition law by requiring him to enter his full billing address in order to make a purchase with his credit card. The plaintiff alleged that such information was not needed to complete the card transaction, as other information (e.g., the card security code or the buyer’s driver’s license number) could have been used to verify identity. It is worth noting that the plaintiff’s complaint against Amazon does not specify whether the plaintiff purchased digital files that could be downloaded from the website or merchandise to be shipped to the plaintiff (in which case an address would be necessary to ship the merchandise to the plaintiff).
The Amazon and PayPal cases indicate that class action firms in California may be willing to file similar cases against other online retailers, despite the holding in the Saulic case.