A recent decision by the California Supreme Court — ruling that zip codes are "personal identification information" for purposes of the California statute which bars merchants from requesting PII during a credit card transaction — has added confusion to the question of when merchants can request personal information from their customers at the point-of-sale.
In February, 2011, a decision from the Supreme Court of California in a case brought against Williams-Sonoma overturned a lower state court ruling by holding that California law prohibits a merchant from requesting a customer's zip code as a condition of the customer using a credit card to pay for goods from the merchant. California law, like the laws of about fourteen other states (and the District of Columbia), prohibits merchants at the point-of-sale from requesting, requiring and/or recording a consumer's personal identification information ("PII") as a condition of using a credit card to pay for goods or services. This California statute, which is part of California's Song-Beverly Credit Card Act, has been the basis of class action litigation against merchants for several years. While the recent decision in the Williams-Sonoma case focuses solely on whether a zip code is personal to an individual consumer and thus PII under this California law, retail merchants should focus on the broader issue of when they are permitted to request information from their customers at the point-of-sale, not only in California, but in several other states, including New York, Massachusetts, Nevada and Pennsylvania, in which such laws are on the books.
What the Laws Prohibit
These laws, which are relatively uniform from state to state, prohibit merchants from requesting or requiring a consumer to supply personal information as a condition of using a credit card to purchase goods or services. (Only the New York law also applies to debit cards.) Some of the states permit the merchant to request PII during a credit card transaction as long as the merchant does not record the data on the credit card slip or in the merchant's records. The motivation behind these statutes was that the states (as well as Visa and MasterCard) did not want consumers to believe that they must divulge personal information because it is required to use the credit card, when in fact, the merchant wants the personal information for marketing purposes.
Some of the states provide limited exceptions under which a merchant may ask for personal information. For example, most of the statutes permit merchants to request address information when required for the shipment or delivery of goods, for special orders, or for other limited purposes. Some states also permit the merchant to request PII when it is contractually required to do so by the card issuer or by its acquirer. This may help merchants, such as gas stations, that request zip codes because their processing agreements require them to do so.
California Litigation
In the Williams-Sonoma case, the record shows that Williams-Sonoma had requested the plaintiff's zip code in a face-to-face sale while she was paying with a credit card. The consumer believed that she had to give her zip code to complete the purchase, but Williams-Sonoma requested the zip code in order to obtain the customer's full address, which it intended to use for marketing purposes. The California Supreme Court held that the zip code is part of the consumer's address, and thus "personal information" under the statute, and that a retailer's request for a zip code at the pointof- sale purely for marketing purposes contravened the statute. The Court articulated the legislative intent of the statute — to protect the personal privacy of consumers who pay for transactions with credit cards — and easily concluded that the statute was intended to prohibit merchants from collecting PII for their own business purposes in marketing to consumers. The Williams-Sonoma case overturned earlier state court decisions which held that a zip code is not "personal" to any particular individual because it pertains to a group of individual consumers who reside in a certain geographic area.
This decision can be contrasted with some earlier California decisions in which courts found that there may be certain narrow circumstances that were not intended to be covered by the statute when merchants may lawfully request PII from their customers. For example, one California court reasoned that the law did not apply to refund transactions, so it would not prevent a merchant from recording the customer's address when the customer was returning goods purchased with a credit card.
Following the Williams-Sonoma decision, several suits were filed in California against retailers, including Macys, Best Buy, Victoria's Secret, Wal-Mart, Bed, Bath & Beyond and Old Navy, each of which allegedly request the customer's zip code during a credit card transaction. All of the suits involved face-to-face transactions. While merchants have been sued in California for several years over alleged violations of that state's statute, little or no litigation challenging similar practices has been brought in other jurisdictions, and in some of the other states, the statute does not provide a private right of individuals to sue for violations.
E-commerce Merchants and the Use of PII for Fraud Prevention
These statutes were drafted before the widespread proliferation of online sales. In fact, most of them prohibit merchants from recording the personal information on the credit card slip. This harkens back to the "olden days" of carbon paper transaction slips when the personal information could actually be written on a piece of paper! Online merchants, in particular, request personal information from cardholders for address verification or other security purposes. However, none of the statutes explicitly states that a merchant may request PII for fraud prevention, especially when the card is not presented. The California statute (and the Nevada statute) may implicitly authorize this, however, because it permits a merchant to request PII for a "special purpose incidental but related to a card transaction." While fraud prevention is not specifically mentioned, it should be a justifiable incidental purpose, and requesting information for this purpose is not inconsistent with the legislative intent of these statutes.
E-commerce merchants can also take heart at a decision that held that the California statute does not apply to online card transactions. A California case brought against Symantec Corp. and Digital River, which operated Symantec's online store, challenged the right of these merchants to request personal information in an online transaction involving a digital download of software. In denying class certification, a Federal District Court in Los Angeles stated in 2009 that the California legislature appeared to have had a brick-and-mortar environment in mind, not an online environment where the merchant has no ability to confirm the identity of the purchaser. Thus, the Court reasoned that nothing suggests that the statute was intended to apply to online transactions. The Court contrasted the clear legislative purpose — to prevent the misuse of personal information for marketing purposes — with the competing interest of fraud prevention in online sales.
Although the decision in the Williams-Sonoma case does not discuss online transactions or requests for PII for fraud prevention, there is no reason to believe that the recent decision negates the holding in the Symantec case.
While the lack of specific statutory language authorizing PII to be collected by online merchants may cause some concern as to whether e-commerce merchants may be vulnerable to challenge, if the purpose of collecting the PII is not for marketing, the Symantec case should remain a valuable precedent.
Implications for Merchants
So, what are the implications for merchants that would like to obtain PII for marketing purposes? In general, the law does not prohibit merchants from requesting, collecting or retaining customer information, except in the fourteen states with such a statute, where this conduct is prohibited "as a condition of accepting a credit card." Merchants, both brick-and-mortar and online, are free to devise methods of soliciting personal information at times and in situations outside the credit card transaction, including encouraging customers to sign up for a loyalty program or to be on the merchant's mailing list, and at the point-of-sale after the credit card transaction has been completed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
