United States: Check The White Pages For Personal Information: Massachusetts Decision Highlights The Expansion Of Consumer Privacy Litigation

Last week, in Tyler v. Michaels Stores, Inc., the Supreme Judicial Court of Massachusetts responded to certified questions presented by the district court and interpreted a Massachusetts statute to reflect the state's interest in protecting consumer privacy. No. SJC-11145, 2013 Mass. LEXIS 40 (Mass. Mar. 11, 2013). In particular, the court held that a consumer's zip code constitutes personal identification information, and that a consumer can bring an action under the relevant statute absent a claim of identify fraud.

Melissa Tyler filed a class action in 2011 in the U.S. District Court for the District of Massachusetts against Michaels Stores, Inc. ("Michaels"), on behalf of herself and a class of Michaels' customers. The complaint alleged that Michaels unlawfully wrote customers' personal identification information on credit card transaction forms in violation of Massachusetts G.L. c. 93 § 105(a) (section 105(a)). The District of Massachusetts certified three questions to the Massachusetts state court regarding the proper interpretation of section 105(a), including (1) whether a zip code qualifies as "personal identification information" under the statute; (2) whether a plaintiff can bring an action under section 105(a) for a privacy right violation absent identity fraud; and (3) whether the phrase "credit card transaction form" as used in section 105(a) refers to both electronic or paper transactions. The court answered each of these questions in the affirmative.

Section 105(a) prohibits "any person or business entity that accepts credit cards for business transactions from writing, or requiring a credit card holder to write, 'personal identification information' that is not required by the credit card issuer on the credit card transaction form." The statute defines "personal identification information" as including, but not limited to, a consumer's address and telephone number. The violation of the statute constitutes an unfair and deceptive trade practice under Massachusetts law.

Tyler alleged that each time she made a purchase at Michaels, a store employee requested her zip code information. Tyler provided her zip code to the employee under the assumption that she was required to disclose this information to complete the credit card transaction. In fact, Michaels' business practice was to write customers' names, credit card numbers and zip codes on transaction forms in connection with credit card purchases, and then use the name and zip code to access customer addresses and telephone numbers for marketing purposes. As a result, Tyler and the other class members received unsolicited marketing materials from Michaels.

Michaels argued that section 105(a) did not apply to Tyler's complaint because the statute is directed at preventing identity fraud. The court rejected Michaels' argument and declined to limit the statute. The court held that the statute in fact was intended to address the invasion of consumer privacy by retailers.

In addition, the court stated that a consumer's zip code qualifies as personal identification information. The court's determination in this regard indicates that there is no brightline test assessing what information is personal identification information. Rather, the court will focus on how this information is used to access personal information, as "a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information § 105(a) expressly identifies as personal identification information." Id. at *17.

The court recognized that the injury sustained as a result of Michaels' unfair and deceptive trade practice is not a "readily quantifiable loss of money or property or measurable emotional distress." Id. at *26. However, a consumer may sustain two types of injury as a result of a retailer's violation of section 105(a): (1) actual receipt of unwanted marketing materials; and (2) sale of a consumer's personal information. In either event, the retailer is using a consumer's personal information for its own business advantage. The court held that these damages likely qualify as sufficient injury under the Unfair Trade Practices Act.

Finally, the court held that the statute's reference to "writing" personal identification information on a credit card transaction form encompasses both paper and electronic transactions, as to limit the statute to paper transactions "would render the statute essentially obsolete in a world where paper credit card transactions are a rapidly vanishing event." Id. at *29-30.

The court's decision in Tyler is consistent with the decision of the California Supreme Court in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011), in which the court held that a zip code is personal identification information for purposes of a California statute. In light of these decisions, businesses should review their marketing and data collection practices, as well as the statutes in effect in the jurisdictions in which they are doing business. As retailer suits and consumer privacy litigation increases, businesses should also evaluate their insurance coverage for cyber risks, and whether the wrongful collection of data falls within the scope of their policy's coverage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.