If you or your company have a loyalty program or collect customer information in any form, and reverse data mine for additional customer information, you face the risk of being sued in California for a violation of the California Constitutional right to privacy. Recently, in Watkins v. Autozone Parts, Inc., No. 08-cv-01509-H, 2008 WL 5132092 (S.D. Cal. Dec. 5, 2008), the United States District Court for the Southern District of California held that all a plaintiff needs to allege to state a claim for a breach of the constitutional right to privacy is that the defendant requested plaintiff’s personal information and then “covertly” reverse data mined for additional information about that plaintiff. As you may know, this decision cuts against the recent trend in California Courts of Appeal decisions aimed at narrowing the types of actions involving the collection of customer data that can be brought against retailer defendants (see e.g. Absher v. AutoZone, Inc., 164 Cal. App. 4th 332 (2008); TJX Cos., Inc. v. Sup. Ct., 163 Cal. App. 4th 80 (2008)), and creates great uncertainty for companies with respect to their ability to collect customer information.

In Watkins, plaintiff brought a putative class action alleging that Autozone violated the California Song-Beverly Credit Card Act, California Civil Code §1747.08 (the “Act” or “Section 1747.08”) by unlawfully requesting and recording personal customer information, and then “covertly” engaging in a “reverse search” to determine additional customer personal information, in violation of the California Constitution’s privacy provision.

First, the court held that plaintiff plead facts sufficient to support a claim for a violation of Section 1747.08. See 2008 WL 5132092, at *6. Second, and more significantly, in holding that plaintiff sufficiently plead a claim for invasion of privacy, the court reasoned that:

plaintiff adequately alleged a legally protected privacy interest in his home address;
the allegations that Autozone obtained and subsequently used his home address information from using his telephone number and credit card information after plaintiff’s purchase at Autozone satisfied the pleading requirements of a reasonable expectation of privacy in these circumstances; and
plaintiff sufficiently alleged that the invasion into his privacy was “serious,” given his allegation that Autozone used his private information for profit without his consent and without informing him of the use of his information. See id.
Further, the court stated that the purpose of statutory provisions (including Section 1747.08) prohibiting the requesting of personal information from credit card customers “speaks to the potential seriousness of invasions that may occur.” Id. at *7 (citation omitted).

This holding creates great uncertainty for companies in determining in what circumstances collecting customer information and then reverse data mining is permissible. For instance:

Can a company utilize information that was obtained from a credit card customer for shipping purposes to reverse data mine for additional information about that customer?
Does a retail company violate a customer’s right to privacy by using a credit card customer’s zip code to obtain additional information about that customer given the recent California Court of Appeal holding that a zip code is not “personal identification information” under Section 1747.08? See Party City Corp. v. Sup. Ct. of San Diego County, No. D053530 (Cal. Ct. App. Dec. 19, 2008).

While Party City dealt with a retailer’s request for zip codes for demographic reasons, rather than for reverse data mining (like in Watkins), the decision itself is not so limited. Thus, arguably this decision, unlike Watkins, would permit retailers to request zip codes, and then reverse data mine for additional customer information. (For a more detailed discussion of California’s Song-Beverly Credit Card Act and its implication on retailers, please see the Kelley Drye Advisory entitled “Sellers Beware: Another Flurry of Class Actions Being Filed Against Retailers Accepting Credit Cards in California.” )

Further, given the minimal pleading requirements to state a right to privacy claim after Watkins, more plaintiffs are likely to add such a claim to actions brought under Section 1747.08 merely to increase the amounts and types of relief available. While Section 1747.08 provides for up to $1,000 in civil penalties per violation, a right to privacy claim under the California Constitution may permit an award of damages and/or injunctive relief, to which private citizens are not entitled under Section 1747.08.

However, your company is not without recourse. Several compelling arguments can be made against a right to privacy claim brought pursuant to Watkins, including:

Any such alleged wrong does not rise to the level of the “serious invasion,” which is typically reserved for conduct such as stalking and filming of neighbors in their homes.
A home address or telephone number – commonly found in publicly available telephone directories, on the Internet, and even on envelopes – is not the type of information that carries an objectively reasonable expectation of privacy.
In light of these decisions, companies would be well-advised to reconsider their ability to collect customer personal information, and to reverse data mine.

Use Of Customer Information For Data Mining May Be A Violation Of California Constitutional Right To Privacy