This post was written by Dana B. Rosenfeld and Alysa Z. Hutnik
On February 10, 2011, the California Supreme Court released its decision in Pineda v. Williams-Sonoma Stores, Inc., holding that zip code information is personal identification information (“PII”) under the Song-Beverly Credit Card Act (the “Song-Beverly Act”). The court’s decision restricts businesses in California from requesting and recording a person’s zip code as part of a credit card transaction.
In Pineda, the plaintiff made a purchase at the retailer’s store with her credit card and, during the sales process, the cashier requested the plaintiff’s zip code. The plaintiff believed that her zip code was necessary to complete the transaction, and provided it to the cashier. The plaintiff later alleged that the retailer used the plaintiff’s zip code information and her name to find the plaintiff’s address and add it to the retailer’s marketing database, in violation of the Song-Beverly Act.
Under the Song-Beverly Act, a business is prohibited from requesting, or requiring as a condition to accepting a credit card payment, the cardholder’s personal information, which the business records. The California Court of Appeal had previously held that a zip code, without additional information, was not PII in Party City Corp. v. Superior Court. However, in Pineda, the California Supreme Court clarified California’s broad interpretation of PII. The court examined statutory language and legislative history in determining that zip code information is considered PII.
The Song-Beverly Act defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” The court examined dictionary definitions of “concerning” (such as “pertaining to” and “regarding”), and stated that a cardholder’s zip code is certainly information that pertains to or regards the cardholder.
To resolve the conflict posed by Party City, which stated that a zip code was not PII because it pertains to a group of individuals who live in a certain area, as opposed to a single individual, the court provided three statutory explanations for its holding:
- A zip code is readily understood to be part of an address, and the statute expressly prohibits collection of an address. Thus, the word “address” in the Song-Beverly Act should be construed as encompassing not only a complete address, but also its components.
- A complete address and telephone number (both of which may not be collected under the Song-Beverly Act) can refer to more than one individual residing at the address or location of telephone service. The fact that a zip code may also refer to more than one person does not make it dissimilar to an address and telephone number.
- Address and telephone number are both information unnecessary to the sales transaction that, alone or together with other data such as the cardholder’s name or credit card number, can be used for the retailer’s business purposes. Zip code information falls into this same category.
Further, the court examined the legislative history of the statute to support its holding that zip code information is PII. The court stated:
- When the Song-Beverly Act was revised to permit businesses to require cardholders to provide identification so long as it was not recorded, the revision was described as “a clarifying, non-substantive change.” The court stated that this suggests that the legislature understood the provision to already prohibit the requesting and recording of any of the information, including zip codes, contained on driver’s licenses and state ID cards.
- The Song-Beverly Act was revised to prohibit not only “requiring” the PII, but also “requesting” the information. This revision was intended to prevent a retailer from circumventing the law by claiming that the customer voluntarily provided the data.
Businesses that operate in California and collect customer information at the sales register should pay close attention to how this decision may affect them, in particular to when personal information is being collected and whether the collection might reasonably be construed as a request made during the transaction and as mandatory to complete the transaction.