Williams-Sonoma Zip Code Ruling: Just In Time To Be Irrelevant

Written by Frank Hayes
February 17th, 2011

Collecting Zip codes from customers is now illegal in California—just in time to be irrelevant. Last Thursday (Feb. 10), the state’s Supreme Court ruled that Williams-Sonoma broke a 1991 law when the kitchenware chain’s associates asked customers for their Zip codes during credit-card transactions and then retained the information to use for marketing.

That spells trouble for many large retail chains that have been asking customers for their Zip codes for years. But ironically, this problem may already be history. Today, every time a customer does an online or mobile transaction, a retailer automatically gets detailed information on who the customer is. With loyalty programs and other CRM initiatives, customers voluntarily offer up detailed information on who they are. As a practical matter, retail chains were going to stop doing this soon anyway; the clock just ran out on it a little early.

Unfortunately for retailers, the California court ruled that collecting Zip codes during credit-card transactions has been illegal since 1991. “In light of the statute’s plain language, protective purpose, and legislative history, we conclude a Zip code constitutes ‘personal identification information'” as that phrase is used in the law, wrote Associate Justice Carlos R. J. Moreno in the unanimous opinion. “Thus, requesting and recording a cardholder’s Zip code, without more, violates the Credit Card Act.”

Predictably, more than a dozen class-action Zip-code lawsuits have been filed in the past week, including complaints against Wal-Mart, Target, Macy’s, Bed Bath & Beyond, Radio Shack, Old Navy, Crate & Barrel, Victoria’s Secret, The Container Store, Shell and Tiffany. Those past offenses could rack up hefty fines by the time the cases are resolved.

There are a pair of ironies here. One is that Williams-Sonoma insisted collecting Zip codes couldn’t be illegal because so many people live in the same Zip code. How could that be personally identifiable information? That argument didn’t sway the justices—possibly because Williams-Sonoma actually identified the addresses of customers based on just their names and Zip codes. That probably should have been a warning flag.

Williams-Sonoma “used customized computer software to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book,” the court wrote. “The software matched plaintiff’s name and Zip code with plaintiff’s previously undisclosed address, giving [Williams-Sonoma] the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses.” Sounds pretty much like personal identification, doesn’t it?


5 Comments | Read Williams-Sonoma Zip Code Ruling: Just In Time To Be Irrelevant

  1. Ernie Says:

    It’s a shame the court did not do more research into the use of zip codes in transactions. Gas stations have been pushed to prompt for zip codes at the pump by the card brands as a fraud prevention method. One can argue that the merchant should not store it, which seems fine. Taking away this fraud prevention tool will be a big win for the criminals in CA.

    There is more irony in this story. New Jersey passed a law last year effectively requiring merchants capture zip codes when selling gift cards. If the merchant doesn’t have a some personal information of the purchaser, zip code being sufficient, the merchant must turn over the breakage to the state.

  2. Tim Says:

    I’m still trying to get a ruling from our Acquirer, but how will this play out when the POS is looking for a ZIP for Address Verification? Sure, you shouldn’t need this if the card was swiped, but unfortunately that is not always the case.

    I understand that the retailer can collect the ZIP but just not use it for marketing reasons. Unfortunately all the customer knows is that they do not have to give out their ZIP.

  3. SoftwareDeveloper Says:

    Typical California. Does this mean that providing your drivers license or other form of ID that is asked for consitute an unlawful act? Most ID’s have an address and all Drivers Licenses do as well.

    What should have been judged is that the storing of any address / phone information should be regarded as illegal unless the person is signing up for a “Reward / Marketing” type program.

    Once again people in power that don’t understand a process make bad decisions. I sure hope no one steals his credit card.

  4. Jim Huguelet Says:

    Although I have not heard a definitive confirmation yet one way or the other, my reading of the decision:

    makes me lean towards the interpretation that the Court’s objection was specifically WS’s recording of the ZIP code after the sales transaction was complete (note the use of the verbiage “end of the transaction” in the ruling) for later use in marketing activities. If that’s indeed the case, asking for it in the course of card transaction approval would seem to be a legitimate and lawful activity – the language esp. on page 12 seems to support this. However, if you read the first paragraph on page 13, you could easily take the contrary view. I am keenly interested to see which view is ultimately correct – as this would indeed be a significant setback to fraud prevention efforts in many industries in many parts of the US if it was no longer allowed.

  5. Justene Adamec Says:

    The practice of asking for driver’s licenses to verify identity is allowed by the statute and the court repeats that in its decision. Recording the information is prohibited.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.