California Court Rules that Gathering ZIP Codes for Fraud Prevention does not Violate the Credit Card Act

On March 14, 2012 a California district court ruled in Flores v. Chevron that a gas station gathering ZIP Codes for fraud prevention did not violate Civil Code § 1747.08, the Song-Beverly Credit Card Act (“Credit Card Act”).  The Credit Card Act prohibits businesses from recording a customer’s personal information in conjunction with a credit card purchase.  The Act has an exception from this prohibition for the collection of personal information “required for a special purpose incidental but relating to the individual credit card transaction.”

In Flores, a customer challenged the traditional fraud prevention practice at gas stations of asking for the billing ZIP Code of the credit card being used to purchase gas.  The case follows the 2011 California Supreme Court decision in Pineda v. Williams-Sonoma Stores, in which the Court ruled that the collection of ZIP Codes by retailers at the register during a credit card transaction was a violation of the Credit Card Act.  Williams-Sonoma stores were collecting ZIP Codes for the purposes of marketing and advertising research at the time customers were paying for purchases with their credit cards, which the Court found to be precisely the type of collection of personal information that is prohibited by the Credit Card Act.  In Flores, however, the district court ruled that the gas station’s stated purpose of collection -- fraud prevention -- is a “special purpose” that qualifies the collection of customer ZIP Codes as permitted activity outside the scope of the Credit Card Act’s prohibition on the recording of personal information. 

Interestingly, because the court determined that the Credit Card Act did not apply due to the exception, the court refused to consider plausible fraud prevention alternatives that would be less intrusive on personal information, such as collecting a card’s CCV code instead of a ZIP Code. The court acknowledged that the use of ZIP Codes may not have been the least intrusive methods and that the gas station’s choice of ZIP Codes for fraud prevention may have been motivated by a desire to gain leverage with consumers in marketing the gas station’s fraud prevention efforts. The court observed, however, that because the statute did not apply due to the special purposes exception, there is no need for courts and lawyers to help “design” gas stations’ fraud prevention marketing campaigns. According to the district court, if recording ZIP Codes is a permissible method of fraud prevention, then there is no jurisdiction for a court to tell gas stations to use another method of fraud prevention instead.

The court’s use of the “special purpose” exception is further noteworthy because the court chose not to rely on a narrower exemption within the Act that specifically exempts “retail motor fuel dispenser[ies] … [that use] the ZIP Code information solely for prevention of fraud, theft, or identity theft.” The district court’s reliance on the broader exception raises the question whether the gas station (or other retailers with a similar fraud prevention program) may subsequently use for marketing purposes ZIP Codes initially collected for fraud prevention. If the Credit Card Act is interpreted to permit subsequent marketing use of fraud prevention data, one has to wonder whether the Pineda case would have had a different outcome if Williams-Sonoma had been collecting the ZIP Codes initially for a fraud prevention program and subsequently using the information for marketing research. While there is an argument that such an interpretation may be inconsistent with the purpose of the Credit Card Act, we will continue to monitor how the courts interpret the Act.

Privacy LawLexBlog Admin