The Lawletter Vol 38 No 2
Alistair Edwards, Senior Attorney, National Legal Research Group
Some states have statutes prohibiting a merchant from requiring its credit card customers to give or write certain "personal identification information" in a credit card transaction or on a credit card form. For example, pursuant to section 105 of chapter 93 of Massachusetts General Laws, the Massachusetts General Court has declared:
(a) No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder's address or telephone number. The provisions of this section shall apply to all credit card transactions; provided, however, that the provisions of this section shall not be construed to prevent a person, firm, partnership, corporation or other business entity from requesting information [that] is necessary for shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily by a credit card holder.
Mass. Gen. Laws Ann. ch. 93, § 105(a). Similarly, California's Song‑Beverly Credit Card Act ("Credit Card Act") provides:
(a) Except as provided in subdivision (c), no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:
(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
Cal. Civ. Code § 1747.08(a)(1)-(2).
Several courts have recently considered whether a Zone Improvement Plan code ("ZIP code") constitutes personal identification information. For example, in Pineda v. Williams‑Sonoma Stores, 246 P.3d 612 (Cal. 2011), the California Supreme Court held that a business's act of requesting and recording a cardholder's ZIP code could violate the Credit Card Act and that the customer's ZIP code constituted personal identification information. There, the court explained:
Section 1747.08, subdivision (a) provides, in pertinent part, "[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . : [¶] . . . [¶] (2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." (§ 1747.08, subd. (a)(2), italics added.) Subdivision (b) defines personal identification information as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number." (§ 1747.08, subd. (b).) Because we must accept as true plaintiff's allegation that defendant requested and then recorded her ZIP code, the outcome of this case hinges on whether a cardholder's ZIP code, without more, constitutes personal identification information within the meaning of section 1747.08. We hold that it does.
Id. at 616 (footnote omitted).[1]
Likewise, in Tyler v. Michaels Stores, 840 F. Supp. 2d 438 (D. Mass. 2012), the U.S. District Court for the District of Massachusetts, applying the Massachusetts statute, recently held that the collection of ZIP codes by a retail chain violated the Massachusetts law prohibiting the writing of personal identification information on a credit card transaction form. In reaching this conclusion, the court held that a ZIP code constitutes "personal identification information." There, the court explained:
Therefore, this Court holds that ZIP code numbers are "personal identification information" under Section 105(a), because a ZIP code number may be necessary to the credit card issuer to identify the card holder in order to complete the transaction. This construction is more consistent with the Massachusetts legislative intent to prevent fraud than a statutory construction that simply views the ZIP code as a component of an address that later can be used to obtain a full address for marketing purposes.
Id. at 446; see also see also Tyler v. Michaels Stores, Civ. Act. No. 11‑10920‑WGY, 2012 WL 397916, at *4 (D. Mass. Feb. 6, 2012) (certifying to the Massachusetts Supreme Judicial Court the questions under Mass. Gen. Laws. Ann. ch. 93, § 105(a): "1. . . . [M]ay a ZIP code number be 'personal identification information' because a ZIP code number could be necessary to the credit card issuer to identify the card holder in order to complete the transaction? 2. . . . [M]ay a plaintiff bring an action for this privacy right violation absent identity fraud? [and] 3. . . . [M]ay the words 'credit card transaction form' refer equally to an electronic or a paper transaction form?").
Of course, the above discussion is relevant only to those states, like California and Massachusetts, that have statutes prohibiting a merchant from writing, collecting, causing to be written, or otherwise recording a credit card customer's personal identification information. Therefore, the first step for any attorney faced with this issue would be to research the statutory law of his or her state.[1]Interestingly, the California Supreme Court recently held that the Credit Card Act provision prohibiting merchants from requesting and recording personal identification information concerning the cardholder does not apply to online purchases in which the product is downloaded electronically, since the safeguards against fraud that are provided in the Credit Card Act, such as visually inspecting the credit card, are not available to online merchants selling downloadable products. Apple Inc. v. Superior Court, 292 P.3d 883 (Cal. 2013).