
This is page 3 of:

Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

March 3rd, 2011

That federal court ruled in favor of the auto parts dealership, noting “the Court agrees that AutoZone’s request for plaintiff’s telephone number was in order to register the brake pads for a warranty and was not requested in connection with Plaintiff’s use of a credit card to complete a purchase” and the court ruled that “the request for information in connection with the warranty registration process is not done for marketing purposes, but to provide a service to customers if they lose their warranty information and to prevent fraud in the return of products covered by a warranty.”

One issue was left essentially unresolved by the Pineda case. The court did not address the fact that the statute makes it unlawful to require personal information “as a condition to accepting the credit card.” It does not appear that Williams-Sonoma ever argued that it collected ZIP code information from all customers, regardless of whether they paid by payment card and, therefore, providing the information was not “a condition of accepting a credit card.”

Neither did Williams-Sonoma appear to argue that the collection of the information was purely voluntary and that it would have completed the transaction even if the information was withheld, although it is not clear that the consumer knew that or that Williams-Sonoma even tried to make that clear to customers.

Many merchant agreements may require (or at a minimum permit) the use of a ZIP code as verification of identity. It is for this reason that gas stations require customers to enter a ZIP code as authentication to put an “authorization hold” (technically a “double hold”) when a consumer is purchasing gas at a pump. Because no other form of identification is presented, and to prevent fraud, the ZIP code information acts as a substitute for other authorization. If the merchant agreement “required” this information, then the merchant would be obligated by contract to collect it.

Other statutes may require retailers to collect information about their customers for the purposes of warranty, repair, notification, etc. In such cases, the collection of the information would also constitute a “special purpose.”

Ultimately, the impact of Pineda may be limited. More merchants are creating loyalty card programs, whereby consumers voluntarily provide their personal information in return for “points,” discounts or sometimes nothing at all. Just as Napoleon Bonaparte once proudly declaimed that he could make men march into battle and die for nothing more than a strip of ribbon, merchants can get customers to give up their names, addresses, E-mail addresses, telephone numbers, pet’s names and just about any personal information in return for a plush doll or a buck off.

Because the provision of personal information under these loyalty programs is independent of the manner of payment, they would not likely come under the rubric of the Song-Beverly law, although general data privacy and protection laws would continue to apply to this information. The data collected could then be used for the purposes for which it is collected, including marketing.

The short takeaway is “don’t ask your California customers for their ZIP codes as a condition of taking a credit card.” The broader message from the Pineda case is to document your data collection and use policies and to make sure that your customers know what they are giving and why. Oh, and don’t collect ZIP codes from payment card customers just to market to them.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.



3 Comments

  1. Jeff Schwartz Says:

    This column misstates the holding in Pineda. Although the court discussed Williams-Sonoma’s use of the data, it held that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.”

    This means that the purpose for asking and recording such information is irrelevant.

    Any merchant who thinks they’re in compliance with the law because of the way it uses (or doesn’t use) the data is sadly mistaken and a target for a lawsuit.

    And, this includes gas stations. There is no protection because the merchant is using the illegally collected and recorded data to prevent fraud.

    On the contrary, I recently filed Flores v. Chevron, case no. BC455706 in Los Angeles Superior Court, alleging such violations against all the major oil companies operating in CA.

  2. Mark D. Rasch Says:

    I disagree. The decision specifically says that it made its decision “In light of the statute’s plain language, protective purpose, and legislative history…” It merely held that a ZIP code constitutes “personal identification information” as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.” True as far as it goes, but not necessarily for all purposes at all times. I think the decision can and should be limited on its facts. If a retailer collects this — or frankly ANY personal information — about a credit card customer for purposes for which the Beverley Song Act was intended to preclude – a violation. If the collection, IMHO is for an unrelated and proper purpose, and the use is limited to that purpose, I think a court would find an acceptable use irrespective of the fact that the statute, read broadly, could prohibit that collection.

    Example, a store collects “personal information” as that is defined when it uses a video surveillance camera as a theft prevention technology. Is that prohibited under the statute if the consumer then uses a credit card? The statute defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card…” Clearly the cardholder’s picture in the video camera, what they are wearing, who they are with constitute “information concerning the cardholder.” Under your interpretation, video surveillance of people who might pay by credit card is prohibited under the language of the statute, regardless of the purpose of the collection or the way the data is used.

    The nature of the thing purchased (e.g., size, color, etc.) also reveals “information concerning the cardholder” but is routinely collected, stored and used.

    The statute also provides a “special purposes” exemption. It says that it is OK to both collect, store AND use personal information if it is used for a “special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.”

    This is a non-exclusive list of “special purposes.” Clearly, fraud prevention can be a special purpose, IMHO, provided that both the collection and use are narrowly tailored for that purpose.

    The statute also does not EXPRESSLY have a consent or opt out provision. Under your rationale, if you ask a credit card customer, “would you like to be on our mailing list?” and the customer says “yes” this would violate the statute.

    On online transactions, collecting the IP address, browser settings, etc. about the credit card customer is “information about the customer” which, under your definition would be precluded, despite at least one federal court case (pre Pineda, of course) to the contrary.

    The case, narrowly read to say “don’t collect unnecessary information principally for marketing” is consistent with the language, purpose and history of the statute. The case read broadly to say “don’t collect ANY information about ANYONE who ultimately makes a credit card purchase unless it is to ship them the product” goes too far. Not that a court CAN’T go too far, I just don’t think the Pineda case stands for that proposition.

    You cannot divorce the language of the statute from its purpose and intent. Thus, as I read Pineda, it is not JUST about what information you collect — it is about WHY and what you do with it. The decision is replete with references to the purpose of the statute – to enforce fair information collection and use practices primarily to prevent the collection and use of personal information for improper marketing purposes.

    I can come up with dozens of examples of retailers who collect information about credit card customers for what I consider “proper” non-marketing purposes. Warranty, repair, return, rebate, recall, installation, are all examples NOT expressly in the statute. I would argue that these are “special” collections AND that these are not “a condition of a credit card purchase.”

    Again, trying to make sense of the decision… this is NOT legal advice!

  3. Mike McCormack Says:

    Folks,

    I am a consultant, and have worked for the lead counsel in this case in the past, Mr. Gene Stonebarger. As I understand it, this decision does not apply to merchants who are collecting a zip code for use in the AVS-part of a card transaction only, and not attempting to use the zip and/or marry the zip code up with other bits of information to identify the consumer.
