California Supreme Court Restricts Businesses' Collection of ZIP Codes
A unanimous California Supreme Court has ruled that businesses are prohibited from requesting and recording customers' ZIP codes. Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (Feb. 10, 2011). This ruling should encourage businesses with California outlets to review their information-gathering practices. Given that California privacy law often proves influential elsewhere, the ruling may prove to have even broader significance.
The lawsuit, a proposed class action, arose from a transaction in which plaintiff Jessica Pineda made a credit card purchase at a Williams-Sonoma store. The store clerk requested the customer's ZIP code, which she provided. That information, along with the customer's name and credit card number, were recorded in an electronic cash register and became part of Williams-Sonoma's database. As described by the Supreme Court, Williams-Sonoma "subsequently used customized computer software to perform searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses" to match the plaintiff's "name with her previously undisclosed address," which address was then added to Williams-Sonoma's database. Information in that database is used for marketing and sold to others.
Plaintiff brought suit in June 2008, in San Diego Superior Court, alleging that Williams-Sonoma had violated provisions of the Song-Beverly Credit Card Act of 1971. With certain exceptions, Civil Code section 1747.08 prohibits businesses from requesting that cardholders provide "personal identification information" during credit card transactions and then recording that information. The statute defines personal identification information as "information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number." The statute permits recovery of civil penalties of up to $250 for the first violation and up to $1000 for each subsequent violation. The proposed class action sought awards of such penalties.
Judge Ronald S. Prager "sustained a demurrer" by Williams-Sonoma, dismissing the complaint on the ground that a ZIP code does not constitute "personal identification information" within the meaning of the statute. A three-judge panel of the Court of Appeal affirmed that dismissal, relying on the then-recent Court of Appeal decision in Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), reached in a similar case. That decision found ZIP codes were not covered because they pertain to groups of inhabitants, not individuals. The Court of Appeal accepted Williams-Sonoma's argument that the Party City decision was controlling and affirmed the dismissal. Pineda v. Williams-Sonoma Stores, Inc., 178 Cal. App. 4th 714 (4th Dist. 2009).
The Supreme Court took discretionary review. Williams-Sonoma was joined before the Supreme Court by a number of business amici, including Kmart, The Gap, Old Navy, Banana Republic, the California Retailers Association and the Direct Marketing Association, suggesting the perceived general importance of the issue. The Court of Appeal had noted that "numerous similar actions" had been filed in California.
Supreme Court Analysis
The Supreme Court saw the issue as being whether the legislature intended the statutory reference to the "cardholder's address" to include "components of the address" and concluded that the "answer must be yes."
Writing for the unanimous seven-member court, Associate Justice Carlos R. Moreno concluded that excluding components of an address "would render the statute's protection hollow," in that it would "permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, 'end-running' the statute's clear purpose." Thus, the Court of Appeal's "interpretation would vitiate the statute's effectiveness." The court felt its construction was necessary to implement the legislative intent "to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." The court also rejected the request that its "interpretation should be prospectively applied only."
Implications for Business
The California Supreme Court's decision clearly will add strength to class actions now pending and, doubtless, others soon to be brought. The unanimous court's reasoning suggests its willingness to read this and other California privacy statutes broadly. Obviously, the compliance challenge for businesses is heightened when they cannot rely on the limits of the language of the statute itself but must guess how that language will be read at some future date when new technology is thought to permit a business to "end run" a legislative prohibition. Only time will tell how far the California Supreme Court will go, but this decision clearly suggests a need for businesses frequently to review their consumer-information-gathering practices.