Retail Did You Know? Zip Codes Are Personal Information In Massachusetts
Massachusetts’s highest court recently ruled that zip codes are personal identification information under the state law governing sales in connection with credit card purchases, which prohibits retailers from requesting and recording personal identification information at the point of sale. This edition of Morgan Lewis Retail Did You Know? describes the new decision and its impact on the industry.
Massachusetts law prohibits a retailer that accepts credit cards from requesting and recording “personal identification information” that is not required by the credit card issuer. The statute defines “personal identification information” to include a credit card holder’s address or telephone number. Violations are deemed to be an unfair and deceptive trade practice under Massachusetts consumer protection law.
In 2011, the California Supreme Court drew nationwide attention with its ruling regarding a similar California law known as the Song-Beverly Act. In Pineda v. Williams-Sonoma Stores, Inc.,1 the California court held that zip codes are “personal identification information” and that retailers cannot request and record zip codes in connection with credit card purchases at the point of sale. The decision triggered a wave of class action litigation in California regarding retailers’ practices of encouraging sales associates to collect zip codes for use in marketing efforts. The Massachusetts Supreme Judicial Court has now joined California in categorizing zip codes as “personal identification information.”
Tyler v. Michaels Stores, Inc.
The high court’s decision stemmed from a class action filed in Massachusetts federal court in 2011 by Melissa Tyler, a customer of Michaels Stores, Inc.2 The complaint alleged that Michaels recorded her and other customers’ zip codes on credit card transaction forms in violation of Massachusetts law. Confronted with Michaels’s motion to dismiss, the federal court held that zip codes were confidential “personal identification information” under the Massachusetts law but that the complaint failed to allege any recognizable injury. After granting Michaels’s motion to dismiss the case, the federal court certified the relevant legal questions for decision by the Massachusetts Supreme Judicial Court, with the following among them: (a) whether zip codes are “personal identification information” and (b) whether an injury can be alleged under Massachusetts law where there is simply an allegation of invasion of privacy and not identity theft. Under Massachusetts law, a plaintiff seeking to recover must allege that he or she was “injured” by the act or practice claimed to be unfair and deceptive.
The Massachusetts Supreme Judicial Court answered both questions in the affirmative. Noting that the definition of “personal identification information” was nonexclusive—with addresses and telephone numbers listed as examples—the court held that zip codes fall within the definition since they can be combined with the customer’s name to identify, through other public sources, the address and phone number of the customer. The court determined that excluding zip codes from information covered by the statute “would render hollow the statute’s explicit prohibition on the collection of customer addresses and telephone numbers[.]”
Addressing the injury required by the statute, the court rejected Michaels’s argument that a plaintiff could not sue under the statute absent identity theft. Although preventing identity theft may have been one purpose for the statute, the court found there was no express statement to that effect and that other injuries or harm, such as receipt of unwanted marketing material from the retailer or sale of the customer’s contact information to a third party, would be sufficient to allege injury under Massachusetts law. Notably, the court declined to hold that violation of the statute itself was enough to plead a claim, reaffirming earlier precedent that concluded the statute requires a customer to allege “some kind of separate, identifiable harm arising from the violation itself.”
Retailers should promptly review their business practices in Massachusetts stores to ensure that personal identification information, including zip codes, is not being requested by sales associates at the point of sale. The decision also suggests that caution may be advisable nationwide because plaintiffs’ attorneys may contend that other state laws prohibit similar practices.
1. Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011).
2. Tyler v. Michaels Stores, Inc., No. SJC-11145 (Mass. Mar. 11, 2013).