Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

Written by Mark Rasch
March 3rd, 2011

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Cybersecurity Director for CSC in Virginia.

When the California Supreme Court last month ruled against Williams-Sonoma for asking customers to reveal their ZIP codes (Pineda v. Williams-Sonoma Stores, Inc.), it sent many retail execs into a panic. Many assumed that they'd have to halt all requests for ZIP codes to avoid the cookware chain's fate. Fear not. The law still lets you ask consumers for their ZIP codes, as long as you abide by some common-sense rules.

What that Supreme Court decision actually did was enforce a very specific part of the Song-Beverly Credit Card Act of 1971 (California Civil Code section 1747.08). That law says, in relevant part: “No corporation that accepts credit cards for the transaction of business shall request or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”

The plain language of the statute (subject to some noted exceptions) makes it a violation to request or require personal identification information about the cardholder as a condition of accepting a credit card and then to record it. Where Williams-Sonoma got hurt was when the chain not only asked for the consumer’s ZIP code but then used the credit card number, name and ZIP code “to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses.”

These facts matter because the court found that Williams-Sonoma had no business reason to collect the plaintiff’s ZIP code other than to gather personal information in order to identify and market to her. Nor was there any indication that Williams-Sonoma needed the ZIP code to complete the purchase or to ship or deliver anything to the plaintiff.

In other words, the problem was not with the chain asking for the ZIP code. Williams-Sonoma was punished because it had no legitimate business need for that ZIP code, unlike, say, a gas station that uses the billing ZIP code at the pump to verify that the person presenting the card is the cardholder. Worse, the chain used the ZIP code to look up truly personal information and then to market, potentially intrusively, to that consumer. Once it used the ZIP code to obtain personal information, it made the ZIP code itself personal information. That’s when the big gavel came down against the chain.

The court noted that “the legislative history demonstrates the legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.”


3 Comments

  1. Jeff Schwartz Says:

    This column misstates the holding in Pineda. Although the court discussed Williams-Sonoma’s use of the data, it held that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.”

    This means that the purpose for asking and recording such information is irrelevant.

    Any merchant who thinks it’s in compliance with the law because of the way it uses (or doesn’t use) the data is sadly mistaken and a target for a lawsuit.

    And, this includes gas stations. There is no protection because the merchant is using the illegally collected and recorded data to prevent fraud.

    On the contrary, I recently filed Flores v. Chevron, case no. BC455706 in Los Angeles Superior Court, alleging such violations against all the major oil companies operating in CA.

  2. Mark D. Rasch Says:

    I disagree. The decision specifically says that it made its decision “In light of the statute’s plain language, protective purpose, and legislative history…” It merely held that “a ZIP code constitutes ‘personal identification information’ as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.” True as far as it goes, but not necessarily for all purposes at all times. I think the decision can and should be limited to its facts. If a retailer collects this (or frankly ANY personal information) about a credit card customer for purposes the Song-Beverly Act was intended to preclude, that is a violation. If the collection, IMHO, is for an unrelated and proper purpose, and the use is limited to that purpose, I think a court would find an acceptable use irrespective of the fact that the statute, read broadly, could prohibit that collection.

    Example: a store collects “personal information” as that is defined when it uses a video surveillance camera as a theft prevention technology. Is that prohibited under the statute if the consumer then uses a credit card? The statute defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card…” Clearly the cardholder’s picture in the video camera, what they are wearing, who they are with constitute “information concerning the cardholder.” Under your interpretation, video surveillance of people who might pay by credit card is prohibited under the language of the statute, regardless of the purpose of the collection or the way the data is used.

    The nature of the thing purchased (e.g., size, color, etc.) also reveals “information concerning the cardholder” but is routinely collected, stored and used.

    The statute also provides a “special purposes” exemption. It says that it is OK to collect, store AND use personal information if it is used for a “special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.”

    This is a non-exclusive list of “special purposes.” Clearly, fraud prevention can be a special purpose, IMHO, provided that both the collection and use are narrowly tailored for that purpose.

    The statute also does not EXPRESSLY have a consent or opt out provision. Under your rationale, if you ask a credit card customer, “would you like to be on our mailing list?” and the customer says “yes” this would violate the statute.

    In online transactions, collecting the IP address, browser settings, etc. about the credit card customer is “information about the customer” which, under your definition, would be precluded, despite at least one federal court case (pre-Pineda, of course) to the contrary.

    The case, narrowly read to say “don’t collect unnecessary information principally for marketing,” is consistent with the language, purpose and history of the statute. The case read broadly to say “don’t collect ANY information about ANYONE who ultimately makes a credit card purchase unless it is to ship them the product” goes too far. Not that a court CAN’T go too far, I just don’t think the Pineda case stands for that proposition.

    You cannot divorce the language of the statute from its purpose and intent. Thus, as I read Pineda, it is not JUST about what information you collect — it is about WHY and what you do with it. The decision is replete with references to the purpose of the statute – to enforce fair information collection and use practices primarily to prevent the collection and use of personal information for improper marketing purposes.

    I can come up with dozens of examples of retailers who collect information about credit card customers for what I consider “proper” non-marketing purposes. Warranty, repair, return, rebate, recall, installation, are all examples NOT expressly in the statute. I would argue that these are “special” collections AND that these are not “a condition of a credit card purchase.”

    Again, trying to make sense of the decision… this is NOT legal advice!

  3. Mike McCormack Says:

    I am a consultant, and have worked for the lead counsel in this case in the past, Mr. Gene Stonebarger. As I understand it, this decision does not apply to merchants who are collecting a ZIP code for use in the AVS part of a card transaction only, and not attempting to use the ZIP and/or marry the ZIP code up with other bits of information to identify the consumer.

