The Law and Business of Social Media
March 18, 2013 - Privacy, Litigation

It’s Déjà Vu All Over Again: Massachusetts Allows Actions for Violation of Privacy Rights Based on Collection of ZIP Codes

Massachusetts appears to have followed California’s lead in opening a litigation floodgate over ZIP code collection at the point of sale. In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011), that a retailer illegally collects personal identification information (PII) when it requests and records ZIP codes from customers paying by credit card. More than 240 class action lawsuits followed.

The Massachusetts Supreme Judicial Court’s recent opinion in Tyler v. Michaels Stores, Inc. (No. SJC-11145) could bring a similar wave of litigation. The Tyler opinion strongly suggests retailers operating in Massachusetts should end the practice of collecting ZIP codes during credit card transactions, and foreshadows future litigation based on this practice. Like the Pineda court, the Massachusetts Supreme Court concluded that a ZIP code constitutes PII under Massachusetts’s credit card PII statute, G.L. c. 93, § 105(a) (“the Credit Card law”). More important for retailers, however, is the Court’s ruling that a plaintiff may bring an action for violation of privacy rights absent identity fraud. This ruling could make Massachusetts the next venue for an explosion of “ZIP code” litigation, and, as we note below, provide reason for retailers to review PII collection policies nationwide.

Massachusetts’s Credit Card law, which closely tracks California’s Song-Beverly Act, prohibits businesses “that accept[] a credit card for a business transaction” to “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.” PII is defined as including, but is not limited to, a credit card holder’s address or telephone number. Similar to California’s statute, the Credit Card law does not apply where a business asks for PII for “shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily.” A violation of the Credit Card law constitutes an unfair and deceptive trade practice, as defined in G.L. c. 93A, § 2.

The March 11, 2013 opinion came in response to three questions certified by the United States District Court for the District of Massachusetts, where the Tyler case was pending. Plaintiff Melissa Tyler brought the putative class action claiming, among other things, that Michaels collected her ZIP code and then used her name and ZIP code to figure out her address for marketing purposes. While the district court granted Michaels’s motion to dismiss, the court agreed to certify three questions to the Massachusetts Supreme Court:

  1. Does a ZIP code constitute PII under the Credit Card law?
  2. Can a plaintiff bring an action for such a privacy right violation absent identity fraud under the Credit Card law?
  3. Do the words “credit card transaction form” refer equally to an electronic or paper transaction form under the Credit Card law?

Looking at the text of the statute and its legislative history, the Massachusetts Supreme Court determined that the principal purpose of the Credit Card law “is to guard consumer privacy in credit card transactions,” and answered all three certified questions in the affirmative (Slip Opn. At 4,6). Like the California Supreme Court in Pineda, the Massachusetts Supreme Court reasoned that a ZIP code is PII because a ZIP code, when combined with the consumer’s name, provides retailers with enough information to identify the consumer’s address or telephone number, “the very information [the law] expressly [prohibits]”(Id. at 4).

The Massachusetts Supreme Court’s answer that a plaintiff may bring an action for violation of the Credit Card law absent identity fraud is important for retailers, as it opens the door to litigation based on a wide range of injuries (or lack of actual injuries). To bring a claim, the Court instructed plaintiffs to allege a “separate and identifiable ‘injury’ resulting from the allegedly unfair or deceptive conduct,” and provided two examples of such injuries: (1) “actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s [PII]” and (2) “the merchant’s sale of a customer’s [PII] or the data obtained from that information to a third party”(Id. at 5-6). These examples flowed directly from the Court’s conclusion that the primary purpose of the statute is to protect consumer privacy, not to protect against identity fraud.

While these types of injuries may now suffice to justify actions in Massachusetts state court, it remains to be seen whether they will satisfy Article III, which governs standing in federal court. Regardless, the Tyler decision creates a definite litigation risk for retailers in Massachusetts for alleged violations of the Credit Card law, which provides for damages and reasonable attorneys’ fees to successful plaintiffs. Even if the aftermath of Tyler puts retailers in the same position as Pineda put retailers in California, there are strategies under Massachusetts law that retailers can deploy to minimize exposure.

While two state decisions hardly make for a trend, the writing certainly appears to be on the wall that courts may view ZIP codes as PII, particularly given the rise of privacy litigation in recent years. Because many states have statutes on the books like California’s Song-Beverly Act and Massachusetts’s Credit Card law, the time may be right for retailers and other businesses to review ZIP code (or PII) collection policies more widely.