This is page 2 of:

Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

March 3rd, 2011

ZIP code collection is fine, as long as you have a reason and use those ZIP codes only for that reason. A key part of the rationale behind the California statute was not so much to protect the collection or disclosure of such information but to prevent that information from being used for marketing. In a case involving AutoZone, for example, the California appellate court determined that the statutory prohibition on requiring personal identification information as a condition of “any credit card transaction” did not apply to a return that was made in exchange for a reversal of the original credit card purchase transaction, because the goal of collecting that data was not to market to the consumer but to ensure the reliability of the return.

In the Pineda case, the employees of Williams-Sonoma had no reason to collect the ZIP codes of customers other than for marketing purposes and, therefore, such collection was improper if, as the court found, such information was “personal information” under the statute. The Pineda court noted, “a cardholder’s ZIP code is similar to his or her address or telephone number, in that a ZIP code is both unnecessary to the transaction and can be used, together with the cardholder’s name, to locate his or her full address.”

As a retailer, you have to ask yourself, “What information am I collecting and why?” If you are collecting information to complete the transaction, because of a contractual obligation, because of a legal requirement, to ship or process the goods or services or even for fraud prevention purposes, you may be OK under California law. If you collect the information and then delete (or don’t store) it, such as if you were merely validating the transaction, then you are also OK.

The key is to document your data collection practices and rationale. Also, it is not clear that the narrow decision in Pineda actually reversed two federal court opinions interpreting the California statutes. In these cases, the courts held that merchants’ collection of personal information for purposes other than as a requirement of accepting a credit card did not violate the California statute.

In Watkins v. AutoZone Parts, the federal court wrote: “AutoZone’s warranty registration service permits its customers to have eligible products registered for warranties regardless of what method of payment the customer uses to purchase products and the process for registering a warranty does not depend upon the customer paying for the warrantied item with his or her credit card. AutoZone’s warranty database does not contain any information regarding the method of payment the customer used to purchase the covered product, including but not limited to customers’ credit card numbers and credit card expiration dates. AutoZone requests customers to provide personal identification information to connect the identity of the customer who registers for a warranty to the product covered by the warranty, and to identify potential fraud.”


3 Comments

  1. Jeff Schwartz Says:

    This column misstates the holding in Pineda. Although the court discussed Williams-Sonoma’s use of the data, it held that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.”

    This means that the purpose for asking and recording such information is irrelevant.

    Any merchant who thinks they’re in compliance with the law because of the way it uses (or doesn’t use) the data is sadly mistaken and a target for a lawsuit.

    And, this includes gas stations. There is no protection because the merchant is using the illegally collected and recorded data to prevent fraud.

    On the contrary, I recently filed Flores v. Chevron, case no. BC455706 in Los Angeles Superior Court, alleging such violations against all the major oil companies operating in CA.

  2. Mark D. Rasch Says:

    I disagree. The decision specifically says that it made its decision “In light of the statute’s plain language, protective purpose, and legislative history…” It merely held that a ZIP code constitutes “personal identification information” as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.” True as far as it goes, but not necessarily for all purposes at all times. I think the decision can and should be limited on its facts. If a retailer collects this — or frankly ANY personal information — about a credit card customer for purposes for which the Beverly Song Act was intended to preclude – a violation. If the collection, IMHO is for an unrelated and proper purpose, and the use is limited to that purpose, I think a court would find an acceptable use irrespective of the fact that the statute, read broadly, could prohibit that collection.

    Example, a store collects “personal information” as that is defined when it uses a video surveillance camera as a theft prevention technology. Is that prohibited under the statute if the consumer then uses a credit card? The statute defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card…” Clearly the cardholder’s picture in the video camera, what they are wearing, who they are with constitute “information concerning the cardholder.” Under your interpretation, video surveillance of people who might pay by credit card is prohibited under the language of the statute, regardless of the purpose of the collection or the way the data is used.

    The nature of the thing purchased (e.g., size, color, etc.) also reveals “information concerning the cardholder” but is routinely collected, stored and used.

    The statute also provides a “special purposes” exemption. It says that it is OK to both collect, store AND use personal information if it is used for a “special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.”

    This is a non-exclusive list of “special purposes.” Clearly, fraud prevention can be a special purpose, IMHO, provided that both the collection and use are narrowly tailored for that purpose.

    The statute also does not EXPRESSLY have a consent or opt out provision. Under your rationale, if you ask a credit card customer, “would you like to be on our mailing list?” and the customer says “yes” this would violate the statute.

    On online transactions, collecting the IP address, browser settings, etc. about the credit card customer is “information about the customer” which, under your definition would be precluded, despite at least one federal court case (pre Pineda, of course) to the contrary.

    The case, narrowly read to say “don’t collect unnecessary information principally for marketing” is consistent with the language, purpose and history of the statute. The case read broadly to say “don’t collect ANY information about ANYONE who ultimately makes a credit card purchase unless it is to ship them the product” goes too far. Not that a court CAN’T go too far, I just don’t think the Pineda case stands for that proposition.

    You cannot divorce the language of the statute from its purpose and intent. Thus, as I read Pineda, it is not JUST about what information you collect — it is about WHY and what you do with it. The decision is replete with references to the purpose of the statute – to enforce fair information collection and use practices primarily to prevent the collection and use of personal information for improper marketing purposes.

    I can come up with dozens of examples of retailers who collect information about credit card customers for what I consider “proper” non-marketing purposes. Warranty, repair, return, rebate, recall, installation, are all examples NOT expressly in the statute. I would argue that these are “special” collections AND that these are not “a condition of a credit card purchase.”

    Again, trying to make sense of the decision… this is NOT legal advice!

  3. Mike McCormack Says:

    Folks,

    I am a consultant, and have worked for the lead counsel in this case in the past, Mr. Gene Stonebarger. As I understand it, this decision does not apply to merchants who are collecting a zip code for use in the AVS-part of a card transaction only, and not attempting to use the zip and/or marry the zip code up with other bits of information to identify the consumer.
