StorefrontBacktalk

This is page 3 of:

Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

March 3rd, 2011

That federal court ruled in favor of the auto parts dealership, noting “the Court agrees that AutoZone’s request for plaintiff’s telephone number was in order to register the brake pads for a warranty and was not requested in connection with Plaintiff’s use of a credit card to complete a purchase” and the court ruled that “the request for information in connection with the warranty registration process is not done for marketing purposes, but to provide a service to customers if they lose their warranty information and to prevent fraud in the return of products covered by a warranty.”

One issue was left essentially unresolved by the Pineda case. The court did not address the fact that the statute makes it unlawful to require personal information “as a condition to accepting the credit card.” It does not appear that Williams-Sonoma ever argued that it collected ZIP code information from all customers, regardless of whether they paid by payment card and, therefore, providing the information was not “a condition of accepting a credit card.”

Neither did Williams-Sonoma appear to argue that the collection of the information was purely voluntary and that it would have completed the transaction even if the information was withheld, although it is not clear that the consumer knew that or that Williams-Sonoma even tried to make that clear to customers.

Many merchant agreements may require (or at a minimum permit) the use of a ZIP code as verification of identity. It is for this reason that gas stations require customers to enter a ZIP code as authentication to put an “authorization hold” (technically a “double hold”) when a consumer is purchasing gas at a pump. Because no other form of identification is presented, and to prevent fraud, the ZIP code information acts as a substitute for other authorization. If the merchant agreement “required” this information, then the merchant would be obligated by contract to collect it.

Other statutes may require retailers to collect information about their customers for the purposes of warranty, repair, notification, etc. In such cases, the collection of the information would also constitute a “special purpose.”

Ultimately, the impact of Pineda may be limited. More merchants are creating loyalty card programs, whereby consumers voluntarily provide their personal information in return for “points,” discounts or sometimes nothing at all. Just as Napoleon Bonaparte once proudly declaimed that he could make men march into battle and die for nothing more than a strip of ribbon, merchants can get customers to give up their names, addresses, E-mail addresses, telephone numbers, pet’s names and just about any personal information in return for a plush doll or a buck off.

Because the provision of personal information under these loyalty programs is independent of the manner of payment, they would not likely come under the rubric of the Song-Beverly law, although general data privacy and protection laws would continue to apply to this information. The data collected could then be used for the purposes for which it is collected, including marketing.

The short takeaway is “don’t ask your California customers for their ZIP codes as a condition of taking a credit card.” The broader message from the Pineda case is to document your data collection and use policies and to make sure that your customers know what they are giving and why. Oh, and don’t collect ZIP codes from payment card customers just to market to them.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.

Posted in In-Store, IT Strategy/Industry, Payment Systems, Security/Fraud

3 Comments | Read Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

Jeff Schwartz Says:
March 3rd, 2011 at 2:50 pm
This column misstates the holding in Pineda. Although the court discussed Williams-Sonoma’s use of the data, it held that “requesting and recording a cardholder’s ZIP code, without more, violates the Credit Card Act.”

This means that the purpose for asking and recording such information is irrelevant.

Any merchant who thinks they’re in compliance with the law because of the way it uses (or doesn’t use) the data is sadly mistaken and a target for a lawsuit.

And, this includes gas stations. There is no protection because the merchant is using the illegally collected and recorded data to prevent fraud.

On the contrary, I recently filed Flores v. Chevron, case no. BC455706 in Los Angeles Superior Court, alleging such violations against all the major oil companies operating in CA.
Mark D. Rasch Says:
March 3rd, 2011 at 3:55 pm
I disagree. The decision specifically says that it made its decision “In light of the statute‟s plain language, protective purpose, and legislative history…” It merely held that a ZIP code constitutes “personal identification information” as that phrase is used in section 1747.08. Thus, requesting and recording a cardholder‟s ZIP code, without more, violates the Credit Card Act.” True as far as it goes, but not necessarily for all purposes at all times. I think the decision can and should be limited on its facts. If a retalier collects this — or frankly ANY personal information — about a credit card customer for purposes for which the Beverley Song Act was intended to preclude – a violation. If the collection, IMHO is for an unrelated and proper purpose, and the use is limited to that purpose, I think a court would find an acceptable use irrespective of the fact that the statute, read broadly, could prohibit that collection.

Example, a store collects “personal information” as that is defined when it uses a video surveillance camera as a theft prevention technology. Is that prohibited under the statute if the consumer then uses a credit card? The statute defines personal identification information as “information concerning the cardholder, other than information set forth on the credit card…” Clearly the cardholder’s picture in the video camera, what they are wearing, who they are with constitute “information concerning the cardholder.” Under your interpretation, video surveillance of people who might pay by credit card is prohibited under the language of the statute, regardless of the purpose of the collection or the way the data is used.

The nature of the thing purchased (e.g., size, color, etc.) also reveals “information concerning the cardholder” but is routinely collected, stored and used.

The statute also provides a “special purposes” exemption. It says that it is OK to both collect, store AND use personalk information if it is used for a “special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased
merchandise, or for special orders.”

This is a non-exclusive list of “special purposes.” Clearly, fraud prevention can be a special purpose, IMHO, provided that both the collection and use are narrowly tailored for that purpose.

The statute also does not EXPRESSLY have a consent or opt out provision. Under your rationale, if you ask a credit card customer, “would you like to be on our mailing list?” and the customer says “yes” this would violate the statute.

On online transactions, collecting the IP address, browser settings, etc. about the credit card customer is “information about the customer” which, under your definition would be precluded, despite at least one federal court case (pre Pineda, of course) to the contrary.

The case, narrowly read to say “dont collect unnecessary information principally for marketing” is consistent with the language, purpose and history of the statute. The case read broadly to say “don’t collect ANY information about ANYONE who ultimately makes a credit card purchase unless it is to ship them the product” goes too far. Not that a court CANT go too far, I just dont think the Pineda case stands for that proposition.

You cannot divorce the language of the statute from its purpose and intent. Thus, as I read Pineda, it is not JUST about what information you collect — it is about WHY and what you do with it. The decision is replete with references to the purpose of the statute – to enforce fair information collection and use practices primarily to prevent the collection and use of personal information for improper marketing purposes.

I can come up with dozens of examples of retailers who collect information about credit card customers for what I consider “proper” non-marketing purposes. Warranty, repair, return, rebate, recall, installation, are all examples NOT expressly in the statute. I would argue that these are “special” collections AND that these are not “a condition of a credit card purchase.”

Again, trying to make sense of the decision… this is NOT legal advice!
Mike McCormack Says:
March 8th, 2011 at 2:14 pm
Folks,

I am a consultant, and have worked for the lead counsel in this case in the past, Mr. Gene Stonebarger. As I understand it, this decision does not apply to merchants who are collecting a zip code for use in the AVS-part of a card transaction only, and not attempting to use the zip and/or marry the zip code up with other bits of information to identify the consumer.

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Kindle Convenience - StorefrontBacktalk is now available natively on the Kindle so you can read us on the place without a connection.

Read StorefrontBacktalk's Retailing Column every month at Retail-Week.com. Please click here for an archive of those columns.

Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns.