February 11, 2011
California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma
[Post by Venkat Balasubramani]
Pineda v. Williams-Sonoma, S178241 (Cal. Supreme Court; Feb. 10, 2011)
Plaintiff made a purchase at Williams-Sonoma and when she went to pay, the cashier asked for plaintiff's ZIP code. Thinking she was required to provide it in order to complete the transaction, plaintiff provided it.
Plaintiff sued under the Song-Beverly Credit Card Act (the Credit Card Act), which prohibits a store that accepts credit cards from:
request[ing], or requir[ing] as a condition to accepting the credit card as payment...the cardholder to provide personal identification information, which the [store] records upon the credit card transaction form or otherwise.
The statute defines personal identification information as:
information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number.
The trial court dismissed the claims, finding that a ZIP code does not fall under the definition of personal identification information, and the court of appeals affirmed. (Interestingly, plaintiff brought an invasion of privacy claim. The court did not accept review over the invasion of privacy claim, which the court of appeals dismissed on the basis that the plaintiff did not have a privacy interest in her address, which was contained in a database.) In reversing the decision of the court of appeals, the court points out that Williams-Sonoma had a particular motivation when it asked for plaintiff's ZIP code:
[Williams-Sonoma] subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff's previously undisclosed address, giving defendant the information, which [Williams-Sonoma] now maintains in its database. Defendant uses its database to market products to customers and also sell the information it has compiled to other businesses.
The court looked to the statutory language, which includes the cardholder's address and telephone number as illustrative examples. Although the court of appeals took these examples to mean that more general information which can't by itself be used to locate a person was not included in the statute, this court disagreed. The court rejects the argument that the ZIP code shouldn't be included because it is only a component of an address, reasoning that under this approach a retailer could ask for portions of an address but not the entire thing (thus achieving its purpose of being able to market to the individual without asking for the entire address). The appeals court also reasoned that an address and telephone number are specific to an individual while a ZIP code refers to a group of people. (As the court notes, ZIP stands for "Zone Improvement Plan.") The court rejects this as well, noting that both residential and work telephone numbers could refer to more than one person but these are nevertheless encompassed by the statute.
Ultimately, the court looks to the intent behind the statute and finds that the legislature intended the statute to encompass:
information unnecessary to the sales transaction that, alone or together with other data such as a cardholder's name or credit card number, can be used for the retailer's business purposes.
In the court's view, any other interpretation of the statute would allow retailers to "end-run" the statute's purpose. The court also cites extensively to the statute's legislative history, which was concerned with retailers' extraction (at the point of credit card transaction) of information that would be used for marketing purposes. In addition to the statutory construction arguments, Williams-Sonoma made due process and vagueness arguments, but the court doesn't give these much credit.
This is an interesting one that brings to mind the debate over whether an IP address is personal information (an issue Microsoft hashed out, but which I'm guessing we'll see again). (See "Court: IP Addresses Are Not 'Personally Identifiable' Information.") There's been a dispute over whether the collection of email addresses violates the California statute, but apart from a ruling on a CAN-SPAM preemption defense, I don't recall seeing a conclusive ruling on whether an email address fits the statute's definition of personal identification information. ("California Privacy Law Not Preempted by CAN-SPAM Act.") In light of this ruling, I would say that an email address will be treated as personal identification information for purposes of the statute. On the other hand, a federal trial court held that the statute does not apply to online transactions, so email addresses collected in this context may not necessarily pose a problem. (See Saulic v. Symantec Corp., 596 F. Supp. 2d 1323 (C.D. Cal. 2009). In light of Pineda, I'm guessing plaintiffs and advocacy groups are going to try to revisit this issue.)
It's hard to muster much sympathy for Williams-Sonoma here, since they obviously used the information to market to plaintiff (this may be my bias at work - like most people, I think that catalog marketing is a truly odious practice, although Professor Goldman mentioned by email that he disagrees). On the other hand, Williams-Sonoma made a pretty reasonable argument that the statute looks like it applies to pieces of information which can be used to identify the purchaser. A cardholder's ZIP code "without more" doesn't seem like it should constitute personal identification information. You can use a person's address or telephone number to market to someone, but you can't use a ZIP code. Also, I wondered about the fact that gas stations (for example) sometimes require credit card users to input their ZIP codes as an anti-fraud measure (I'm guessing they argue that they don't violate the statute because they don't archive the information - at a quick glance I don't see a fraud exception in the statute, although there is a "positive identification" provision).
However, what sways me (and the court alludes to this in referencing a change in the statute to address retailer "requests" for information) is that stores ask customers for their ZIP codes in the context of these transactions and customers often provide it because they think it's some sort of fraud protection measure. If the retailer is going to turn around and just run this information through the database for marketing purposes, this feels duplicitous.
It looks like the statute was last amended in 1991, but since then (given the proliferation of databases), tracking someone down with bits of information has gotten much easier, and will become even easier over time. Given this, I wonder if the legislature considered prohibiting retailers from using information obtained via a credit card transaction to identify and market to customers unless the customer opts in. It's increasingly tricky to think of data as personally identifiable information versus non-personally identifiable information. Eric has posted about Professor Ohm's reidentification work, which shows how the distinction between PII and non-PII is becoming less useful: "Data Anonymization and Re-identification Lecture Featuring Paul Ohm, SCU, April 7." This looks like a good example of this.
"My zip code is none of your business!" (Chris Hoofnagle)
"A Ridiculous California Court Ruling: Zip Codes are Private" (Kashmir Hill)