Williams-Sonoma Zip Code Ruling: Just In Time To Be Irrelevant
Written by Frank HayesCollecting Zip codes from customers is now illegal in California—just in time to be irrelevant. Last Thursday (Feb. 10), the state’s Supreme Court ruled that Williams-Sonoma broke a 1991 law when the kitchenware chain’s associates asked customers for their Zip codes during credit-card transactions and then retained the information to use for marketing.
That spells trouble for many large retail chains that have been asking customers for their Zip codes for years. But ironically, this problem may already be history. Today, every time a customer does an online or mobile transaction, a retailer automatically gets detailed information on who the customer is. With loyalty programs and other CRM initiatives, customers voluntarily offer up detailed information on who they are. As a practical matter, retail chains were going to stop doing this soon anyway; the clock just ran out on it a little early.
Unfortunately for retailers, the California court ruled that collecting Zip codes during credit-card transactions has been illegal since 1991. “In light of the statute’s plain language, protective purpose, and legislative history, we conclude a Zip code constitutes ‘personal identification information'” as that phrase is used in the law, wrote Associate Justice Carlos R. J. Moreno in the unanimous opinion. “Thus, requesting and recording a cardholder’s Zip code, without more, violates the Credit Card Act.”
Predictably, more than a dozen class-action Zip-code lawsuits have been filed in the past week, including complaints against Wal-Mart, Target, Macy’s, Bed Bath & Beyond, Radio Shack, Old Navy, Crate & Barrel, Victoria’s Secret, The Container Store, Shell and Tiffany. Those past offenses could rack up hefty fines by the time the cases are resolved.
There are a pair of ironies here. One is that Williams-Sonoma insisted collecting Zip codes couldn’t be illegal because so many people live in the same Zip code. How could that be personally identifiable information? That argument didn’t sway the justices—possibly because Williams-Sonoma actually identified the addresses of customers based on just their names and Zip codes. That probably should have been a warning flag.
Williams-Sonoma “used customized computer software to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book,” the court wrote. “The software matched plaintiff’s name and Zip code with plaintiff’s previously undisclosed address, giving [Williams-Sonoma] the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses.” Sounds pretty much like personal identification, doesn’t it?
-Marc
February 17th, 2011 at 9:52 am
It’s a shame the court did not do more research into the use of zip codes in transactions. Gas stations have been pushed to prompt for zip codes at the pump by the card brands as a fraud prevention method. One can argue that the merchant should not store it, which seems fine. Taking away this fraud prevention tool will be a big win for the criminals in CA.
There is more irony in this story. New Jersey passed a law last year effectively requiring merchants capture zip codes when selling gift cards. If the merchant doesn’t have a some personal information of the purchaser, zip code being sufficient, the merchant must turn over the breakage to the state.
February 17th, 2011 at 10:40 am
I’m still trying to get a ruling from our Acquirer, but how will this play out when the POS is looking for a ZIP for Address Verification? Sure, you shouldn’t need this if the card was swiped, but unfortunately that is not always the case.
I understand that the retailer can collect the ZIP but just not use it for marketing reasons. Unfortunately all the customer knows is that they do not have to give out their ZIP.
February 17th, 2011 at 11:22 am
Typical California. Does this mean that providing your drivers license or other form of ID that is asked for consitute an unlawful act? Most ID’s have an address and all Drivers Licenses do as well.
What should have been judged is that the storing of any address / phone information should be regarded as illegal unless the person is signing up for a “Reward / Marketing” type program.
Once again people in power that don’t understand a process make bad decisions. I sure hope no one steals his credit card.
February 19th, 2011 at 4:23 pm
Although I have not heard a definitive confirmation yet one way or the other, my reading of the decision:
http://www.courtinfo.ca.gov/opinions/documents/S178241.PDF
makes me lean towards the interpretation that the Court’s objection was specifically WS’s recording of the ZIP code after the sales transaction was complete (note the use of the verbiage “end of the transaction” in the ruling) for later use in marketing activities. If that’s indeed the case, asking for it in the course of card transaction approval would seem to be a legitimate and lawful activity – the language esp. on page 12 seems to support this. However, if you read the first paragraph on page 13, you could easily take the contrary view. I am keenly interested to see which view is ultimately correct – as this would indeed be a significant setback to fraud prevention efforts in many industries in many parts of the US if it was no longer allowed.
March 16th, 2011 at 4:38 pm
The practice of asking for driver’s licenses to verify identity is allowed by the statute and the court repeats that in its decision. Recording the information is prohibited.