InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

California Supreme Court Says Zip Codes are PII – Really. (As California Goes, So Goes the Nation? Part Two)

Posted in Data Privacy Law or Regulation, Lawsuit, Penalties and Fines, Privacy and Security Litigation, Privacy Law

Thinking hard about how business and consumer interests can be harmonized by effective and privacy/security-friendly policies and practices? We thought so. Worried that zip codes might be treated as personal information in this country? Probably not. All that may be changing. In a ruling already attracting criticism and attention from some high-profile privacy bloggers, the California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California’s Song-Beverly Credit Card Act, California Civil Code section 1747.08, reversing the Court of Appeal’s decision that we discussed last year. For those of you who may be wondering, yes – the statute provides for penalties of up to $250 for the first violation and $1,000 for each subsequent violation, and does not require any allegations of harm to the consumer. California has already seen dozens, if not hundreds, of class action lawsuits around the Song-Beverly Credit Card Act. The Court’s interpretation of "personal identification information" as including zip codes is likely to spark a new round of class action suits. California retailers should carefully consider the Pineda decision in crafting and updating their personnel policies and training programs with respect to collection of information during credit card transactions.

The legislation at issue prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Section 1747.08(a) provides that "no . . . firm . . . that accepts credit cards for the transaction of business shall . . . [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise."  Subdivision (b) defines "personal identification information" as “information concerning the cardholder . . . including, but not limited to, the cardholder’s address and telephone number.”

The California Supreme Court reversed the Court of Appeal, holding that the definition means exactly what it says – personal identification information means any "information concerning the cardholder." The Court cited Webster’s, noting that "concerning" is "a broad term meaning ‘pertaining to; regarding; having relation to; [or] respecting.’" The Court rejected the Court of Appeal’s reasoning that a zip code pertains to a group of individuals, not a specific individual, finding that the reference to address in the definition of "personal identification information" must also include components of an address. The Court attacked the Court of Appeal’s assumption that a complete address and telephone number are not specific to an individual. The Court took the position that interpreting the term "personal identification information" to mean any information of any kind "concerning" a consumer is consistent with the consumer protection goals of the statute. The Court reasoned:

the legislative history of the Credit Card Act in general, and section 1747.08 in particular, demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.

The Court’s discussion of "information concerning" reminds me of the boilerplate definitions we litigators always use (and then fight about) in discovery requests and meet and confers. The litigators out there know what I am talking about: "for purposes of these document requests, the term ‘concerning’ means ‘discussing, describing, reflecting, containing, commenting, evidencing, constituting, setting forth, considering, pertaining to,’" and on, and on, and on . . . Such definitions, interpretations, and arguments may be fun for litigators, but in real life no one knows what they really mean and they have no practical application. If "concerning" can mean anything, it kind of means nothing for purposes of providing practical guidance for reasonable business practices.

Further, while the Court’s reading of the statute might make sense in a vacuum as a matter of plain language statutory interpretation based on the phrase "information concerning," the Court’s analysis seems to omit any discussion of the words "personal identification" in the term "personal identification information."  Zip codes may be information "concerning" a person, but they do not personally identify any individual.

Finally, and perhaps most significantly, it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute – consumer protection.  The Court does not discuss any potential harm to the consumer from collection of zip codes.  That is not surprising since collection of zip codes does not give rise to any obvious or apparent consumer harm.  

I’m off to speak at the RSA Conference.  Look forward to hearing your thoughts on this one.  Happy weekend to all.

 

  • http://www.finemanlaw.com Neil B. Fineman

    Zip codes, like telephone numbers, can be used to assist companies in building customer databases by the use of reverse appending. By knowing the person’s name and zip code, the retailer works with a third-party data broker to determine the customer’s full address. (After all, how many people named “Forsheit” are in your zip code?) The retailer then maintains a customer database that includes the customer’s name, address, and credit card number. Would anyone feel confident about allowing a minimum wage clerk to have access to such sensitive information? In a 2009 study entitled, Data Loss Risks During Downsizing, As Employees Exit, So Does Corporate Data, the Ponemon Institute reported that 59% of ex-employees admitted to stealing company data. Surely, that is one possible harm to the consumer. Yet retailers consistently put their bottom line over customer safety. The Pineda decision, like the Florez v. Linens ‘N Things decision cited in Pineda, recognizes that corporate profits must take a back seat to consumer safety.

  • http://www.infolawgroup.com Tanya L. Forsheit

    Neil – thanks for your comment. Legal customer databases exist, with or without zip codes. There is no connection between the mere existence of a legal customer database and data theft or harm of any kind. The fact that such theft could happen does not mean that it will, or does, happen. The problem of rogue employees/ex-employees is present in all companies holding any sensitive information, even just HR data. That is just another reason why all companies need to put in place appropriate policies and procedures to limit access to information to those who need to know for business purposes, and to terminate access to former employees. Zip codes have nothing to do with it.

  • Paul Paray

    Don’t mean to harp on this case (especially since you are in RSA mode) but saw your LinkedIn link to this post and had to chime in one more time…
    I’ve handled many discovery disputes and the courts never ever get hung up on the broad language used in document demands and interrogatories. The courts I’ve seen handle these demands usually do the right thing despite the broad language used — not unlike what was done here. In other words, where I disagree with you concerns your spin on the word “concerning”. The Court’s ruling does not imply “concerning” yields everything possible or “anything” (as you put it). There is a common meaning attached to the word and statutory construction rules required that the Court take a stab at applying such a meaning to the law in front of them.
    No matter what some have said, this is NOT a privacy ruling. This is a statutory construction 101 ruling…a correct one at that.