Question: When Is a Characteristic Shared By More Than 20,000; 30,000; or Even 50,000 People "Personal Identification Information"?

According to the California Supreme Court, the answer is: when that characteristic is the person's ZIP code. Last week the California Supreme Court issued its decision in Pineda v. Williams-Sonoma Stores, Inc., holding that, under the Song-Beverly Credit Card Act of 1971 (Cal. Civ. Code §§ 1747 et seq.), businesses are prohibited from requesting and recording consumers' ZIP codes during credit card transactions. In her complaint, Jessica Pineda alleged that at the time she used her credit card to make a purchase at one of defendant's stores, she was asked to provide her ZIP code. She claimed that this request violated Civil Code Section 1747.08, which provides for civil penalties against businesses that request and record "personal identification information." Under the statute, "personal identification information" is "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." Although the trial court rejected Pineda's claim, the California Supreme Court reversed the trial court's ruling sustaining defendant's demurrer (i.e., defendant's motion to dismiss on the pleadings), which the intermediate appellate court had upheld. In reaching this decision, the Court made several observations: Because a ZIP code is part of an address, the Legislature "must" have intended to preclude requesting and recording ZIP codes as a component of the cardholder's address. Just because a ZIP code is shared by many individuals does not render it "dissimilar" to a street address, which also is often shared by multiple people. ZIP codes are unnecessary to the transaction. Interpreting the statute to preclude requesting ZIP codes is consistent with the Legislative history and purpose of the statute, which the Court found was designed to restrict the collection of information for marketing purposes "by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction." To many, the California Supreme Court's ruling might seem astonishing. How could a piece of information common to so many people be "personal identification information" – i.e., how could such information be deemed to identify any individual in particular? After all, such data would not even allow the post office to deliver mail. But there are factors that may help explain the Court's ruling: the plaintiff alleged (no facts were subject to dispute at this stage) that defendant was able use the ZIP code (along with the plaintiff's name) to find her specific address through a software database search. Thus, although the ZIP code itself was not enough to pinpoint her, the Court was faced with an allegation that the ZIP code could be combined with additional information to identify her "personally." Approaching privacy law through this lens has very broad risk exposure implications. It suggests that, in dealing with a particular person, just about any information relating to that person, whether relating solely to that person or rather to a potentially vast group of other persons, may be "protected" information for privacy purposes. How other courts may deal with this issue will be very telling for the future interpretation and application of data privacy law. Meanwhile, in just a few days since the California Supreme Court's ruling, over a dozen lawsuits have been filed against major retailers alleging that they have violated this requirement for many years. Notwithstanding the law's uncertainty before the February 10 ruling, plaintiffs in these other cases are seeking significant penalties. – Sean Morris

Read more detail on Recent Advertising Law Posts –

This entry was posted in Advertising Law and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a Reply