Article's Authored by Mr. Rianda

Back to Articles

Retailers Beware

The February 10, 2011 ruling of the California Supreme Court in the case of Pineda v. Williams-Sonoma has broad implications for retailers located in that state or retailers that do business with California residents. In the ruling, the court held that retailers cannot record the zip code numbers of customers as part of a credit card transaction. Below I will discuss the case, its ramifications and some exceptions that may allow retailers some relief from the ruling.

The Case:

The case resulted from a visit by Jessica Pineda to a Williams Sonoma store. When Ms. Pineda went to the cash register to make her purchase with a credit card, the store employee asked her for her zip code. Ms. Pineda provided the zip code assuming she had to in order to complete the transaction. The zip code was stored in the store’s computer along with the other transaction information. Unbeknownst to Ms. Pineda, Williams Sonoma then used her name and zip code, through the use of a reverse directory, to find her address. Williams Sonoma was then able to send her catalogs and other solicitation materials. Ms. Pineda objected to the retailer obtaining her zip code in order to solicit her and brought a lawsuit against Williams-Sonoma

The court in the case was interpreting California Civil Code section 1747.08 which holds as follows:

Except as provided in subdivision (c), no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following: . . . Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. . . .For purposes of this section “personal identification information,” means information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.

The question before the court was, does a zip code alone constitute personal identification information under the law? The court ruled that it did based in part on the fact that the law was designed to protect consumers, and as a result should be interpreted to be given the broadest impact possible.

Violation of the law can result in the following penalties:

Any person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred.

As you can see, the law could have serious implications for a retailer. The penalties are such that plaintiffs’ attorneys will have a huge incentive to bring these types of cases resulting in damages that could be in the millions of dollars for larger retailers.

The Impact:

Retailers now arguably are prohibited from “recording” any personal identification information of their customers, which includes according to this ruling a simple zip code number. A law that was originally designed to keep thieves from dumpster diving to get personal information merchants had written on the old carbon-type credit card receipts now has much broader implications.

Merchants obtain zip codes in order to use that information with their credit card providers to verify a cardholder’s identity and therefore receive lower processing rates. Every time I go to fill up my gas tank, I am asked to provide my zip code at the pump. Is it now a violation of the law for gas stations to ask for this information? This law has the unintended effect of causing merchants to be unable to use that vital information in order to reduce the risk of fraudulent transactions, and as a result merchants to have to pay more to process credit cards.

Possible Exceptions:

The law provides for a number of exceptions that could allow retailers to obtain zip codes as part of the sale process. One is “[i]f the person, firm, partnership, association, or corporation accepting the credit card is contractually obligated to provide personal identification information in order to complete the credit card transaction.” So, if the merchant agreement with the card processor requires a merchant to obtain zip code information, then the law does not apply. In my experience most merchant agreements do not have this contractual obligation but processors could easily add it in order to allow merchants to be exempt from the law.

Another possible exemption is in the law itself. The merchant is only subject to the law if it “writes, causes to be written, or otherwise records” the information. Therefore if the merchant does not record the zip code in any way just asking for it will not violate the law. For instance if a merchant merely uses a payment gateway that uses the zip code information to verify the customers identity, but the gateway and the merchant do not store that information, arguably there would be no violation of the law.

An additional exception is “[i]f personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” For example if internet merchants are shipping a product to the consumer they can record the consumer’s address. The same goes for brick and mortar stores if they are going to deliver an appliance or piece of furniture to the consumer’s home, the retailer could record the consumer’s home address and not violate the law.

The law has exceptions but the easiest way to counter its effect would appear to be that all card processors add to their merchant agreements a provision which states that merchants are required to obtain zip code information if available. Hopefully the people in charge will take note and make the changes necessary in order to allow merchants to continue to collect zip code information in an effort to reduce fraudulent transactions.

Back to Articles