Williams-Sonoma Zip Code Ruling: Just In Time To Be Irrelevant

Written by Frank Hayes
February 17th, 2011

Collecting Zip codes from customers is now illegal in California—just in time to be irrelevant. Last Thursday (Feb. 10), the state’s Supreme Court ruled that Williams-Sonoma broke a 1991 law when the kitchenware chain’s associates asked customers for their Zip codes during credit-card transactions and then retained the information to use for marketing.

That spells trouble for many large retail chains that have been asking customers for their Zip codes for years. But ironically, this problem may already be history. Today, every time a customer does an online or mobile transaction, a retailer automatically gets detailed information on who the customer is. With loyalty programs and other CRM initiatives, customers voluntarily offer up detailed information on who they are. As a practical matter, retail chains were going to stop doing this soon anyway; the clock just ran out on it a little early.

Unfortunately for retailers, the California court ruled that collecting Zip codes during credit-card transactions has been illegal since 1991. “In light of the statute’s plain language, protective purpose, and legislative history, we conclude a Zip code constitutes ‘personal identification information'” as that phrase is used in the law, wrote Associate Justice Carlos R. J. Moreno in the unanimous opinion. “Thus, requesting and recording a cardholder’s Zip code, without more, violates the Credit Card Act.”

Predictably, more than a dozen class-action Zip-code lawsuits have been filed in the past week, including complaints against Wal-Mart, Target, Macy’s, Bed Bath & Beyond, Radio Shack, Old Navy, Crate & Barrel, Victoria’s Secret, The Container Store, Shell and Tiffany. Those past offenses could rack up hefty fines by the time the cases are resolved.

There are a pair of ironies here. One is that Williams-Sonoma insisted collecting Zip codes couldn’t be illegal because so many people live in the same Zip code. How could that be personally identifiable information? That argument didn’t sway the justices—possibly because Williams-Sonoma actually identified the addresses of customers based on just their names and Zip codes. That probably should have been a warning flag.

Williams-Sonoma “used customized computer software to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book,” the court wrote. “The software matched plaintiff’s name and Zip code with plaintiff’s previously undisclosed address, giving [Williams-Sonoma] the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses.” Sounds pretty much like personal identification, doesn’t it?


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.