StorefrontBacktalk

Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

Written by Mark Rasch

March 3rd, 2011

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Cybersecurity Director for CSC in Virginia.

When the California Supreme Court last month punished Williams-Sonoma for asking customers to reveal their ZIP codes, it sent many retail execs into a panic. Many assumed that they’d have to halt all requests for ZIP codes to avoid the cookware chain’s fate. Fear not. The law says you’re fine to ask consumers to zip away their codes, as long as you abide by some common-sense rules.

What that Supreme Court decision actually did was enforce a very specific part of the Song-Beverly Credit Card Act of 1971. That law says, in relevant part: “No corporation that accepts credit cards for the transaction of business shall request or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

The clear language of the statute (with some noted exceptions) makes it a violation to collect any information about the cardholder as a condition of accepting a credit card. Where Williams-Sonoma got hurt was when the chain not only asked for the consumer’s ZIP code but then used the credit card number, name and ZIP code “to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses.”

These facts are significant, because the court found that Williams-Sonoma had no business interest in collecting the plaintiff’s ZIP code other than to gather personal information with the intent to identify and market to her. Also, there was no indication that the ZIP code was required by Williams-Sonoma to complete the purchase, ship anything to her or deliver anything to the plaintiff.

In other words, the problem was not with the chain asking for the ZIP code. Williams-Sonoma was punished because it did not have any legitimate business need for that ZIP code—unlike, say, gas stations using it to authenticate payment card identity. Worse, the chain used the ZIP code to gather truly personal information and to then market—potentially intrusively—to that consumer. When it used the ZIP code to obtain personal information, it made the ZIP code itself personal information. That’s when the big gavel came down against the chain.

The court noted that “the legislative history demonstrates the legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”

Posted in In-Store, IT Strategy/Industry, Payment Systems, Security/Fraud

3 Comments | Read Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

Jeff Schwartz Says:
March 3rd, 2011 at 2:50 pm
This column misstates the holding in Pineda. Although the court discussed Williams-Sonoma’s use of the data, it held that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.”

This means that the purpose for asking and recording such information is irrelevant.

Any merchant who thinks they’re in compliance with the law because of the way it uses (or doesn’t use) the data is sadly mistaken and a target for a lawsuit.

And, this includes gas stations. There is no protection because the merchant is using the illegally collected and recorded data to prevent fraud.

On the contrary, I recently filed Flores v. Chevron, case no. BC455706 in Los Angeles Superior Court, alleging such violations against all the major oil companies operating in CA.
Mark D. Rasch Says:
March 3rd, 2011 at 3:55 pm
I disagree. The decision specifically says that it made its decision “In light of the statute‟s plain language, protective purpose, and legislative history…” It merely held that a ZIP code constitutes “personal identification information” as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder‟s ZIP code, without more, violates the Credit Card Act.” True as far as it goes, but not necessarily for all purposes at all times. I think the decision can and should be limited on its facts. If a retalier collects this — or frankly ANY personal information — about a credit card customer for purposes for which the Beverley Song Act was intended to preclude – a violation. If the collection, IMHO is for an unrelated and proper purpose, and the use is limited to that purpose, I think a court would find an acceptable use irrespective of the fact that the statute, read broadly, could prohibit that collection.

Example, a store collects “personal information” as that is defined when it uses a video surveillance camera as a theft prevention technology. Is that prohibited under the statute if the consumer then uses a credit card? The statute defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card…” Clearly the cardholder’s picture in the video camera, what they are wearing, who they are with constitute “information concerning the cardholder.” Under your interpretation, video surveillance of people who might pay by credit card is prohibited under the language of the statute, regardless of the purpose of the collection or the way the data is used.

The nature of the thing purchased (e.g., size, color, etc.) also reveals “information concerning the cardholder” but is routinely collected, stored and used.

The statute also provides a “special purposes” exemption. It says that it is OK to both collect, store AND use personalk information if it is used for a “special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased
merchandise, or for special orders.”

This is a non-exclusive list of “special purposes.” Clearly, fraud prevention can be a special purpose, IMHO, provided that both the collection and use are narrowly tailored for that purpose.

The statute also does not EXPRESSLY have a consent or opt out provision. Under your rationale, if you ask a credit card customer, “would you like to be on our mailing list?” and the customer says “yes” this would violate the statute.

On online transactions, collecting the IP address, browser settings, etc. about the credit card customer is “information about the customer” which, under your definition would be precluded, despite at least one federal court case (pre Pineda, of course) to the contrary.

The case, narrowly read to say “dont collect unnecessary information principally for marketing” is consistent with the language, purpose and history of the statute. The case read broadly to say “don’t collect ANY information about ANYONE who ultimately makes a credit card purchase unless it is to ship them the product” goes too far. Not that a court CANT go too far, I just dont think the Pineda case stands for that proposition.

You cannot divorce the language of the statute from its purpose and intent. Thus, as I read Pineda, it is not JUST about what information you collect — it is about WHY and what you do with it. The decision is replete with references to the purpose of the statute – to enforce fair information collection and use practices primarily to prevent the collection and use of personal information for improper marketing purposes.

I can come up with dozens of examples of retailers who collect information about credit card customers for what I consider “proper” non-marketing purposes. Warranty, repair, return, rebate, recall, installation, are all examples NOT expressly in the statute. I would argue that these are “special” collections AND that these are not “a condition of a credit card purchase.”

Again, trying to make sense of the decision… this is NOT legal advice!
Mike McCormack Says:
March 8th, 2011 at 2:14 pm
Folks,

I am a consultant, and have worked for the lead counsel in this case in the past, Mr. Gene Stonebarger. As I understand it, this decision does not apply to merchants who are collecting a zip code for use in the AVS-part of a card transaction only, and not attempting to use the zip and/or marry the zip code up with other bits of information to identify the consumer.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.