New Consumer Privacy Decision by the MA Supreme Court Requires Retailers' Attention and Review of Their Data Collection and Use Policies for Consumers’ ZIP Codes
We’ve all had the experience of being asked for our ZIP code when making a purchase. Collecting this information at point of sale or otherwise has been a common and growing practice among retailers. However, a recent decision by the Massachusetts Supreme Judicial Court (“SJC”) in Tyler v. Michaels Stores, Inc. on March 11, 2013 and class action complaints filed on the heels of Tyler against Williams-Sonoma and Restoration Hardware on April 15, 2013 demand that retailers doing business in Massachusetts review their current consumer data collection and use policies, specifically where retailers collect shoppers’ ZIP codes when processing credit card transactions.
In the Tyler case, the highest court in Massachusetts found that collection of ZIP code information by a Michaels employee while processing an electronic credit card transaction (and where the credit card issuer did not require Michaels to request ZIP codes), violates Mass. Gen. Laws ch. 93, § 105(a) (the “Statute), a state consumer privacy statute that restricts the collection of personal identification information (“PII”) during credit card transactions.
Specifically, in response to the three questions certified to the SJC, the high court unanimously found in favor of the plaintiff that: 1) the Statute defines PII in a non-exclusive manner (including but not limited to a credit card holder’s address or phone number), and since the consumer’s ZIP code, when combined with the consumer’s name, provides the merchant with enough information to identify through publicly available databases the consumer’s address or telephone number, the consumer’s ZIP code is also considered PII under the Statute; 2) there is nothing in the Statute that limits its purpose to the prevention of identify fraud and its inclusive terms and legislative history reflect the Statute’s broader intent to guard consumer privacy and specifically to limit disclosure of PII leading to identification of a particular consumer generally; and 3) the Statue applies to all credit card transactions, including electronic and paper credit card transaction forms.
Importantly, in the Tyler case, the SJC also identified at least two types of injury or harm that might in theory be caused by a merchant’s violation of the Statute, including 1) the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s PII, and 2) the merchant’s sale of a customer’s PII or the data obtained from that information to a third party. In class action lawsuits recently filed against Restoration Hardware and Williams-Sonoma, plaintiffs allege suffering both of the above injuries under the Statute based on the specific retailers’ collection of ZIP code information from plaintiffs when they made purchases using credit cards at defendants’ stores, as well as unjust enrichment by the retailers by their unlawful use of PII. Damage awards requested include: statutory damages in the amount of $25 per class member, tripled, as allowed by the Statute; additional damages based on the asserted claim of unjust enrichment; as well as interest, costs and attorney’s fees.
In sum, highlighted by the recent SJC decision in Tyler and subsequently filed lawsuits based on that Court’s consumer friendly ruling in Tyler,retailers with stores and operations in Massachusetts should review their current consumer data collection and use policies to ensure that they do not include the collection of shoppers’ ZIP codes when processing credit card transactions. Further, retailers doing business in other states should do the same, as a number of states (including California, Delaware, Georgia, Kansas, Maryland, Minnesota, Nevada, New Jersey, Ohio, Oregon, Rhode Island, and the District of Columbia) have statutes limiting the types of information that merchants can collect from consumers.