CA Court Confirms that Pineda v Williams-Sonoma (the Zip-Code-as-PII Case) Applies Retrospectively — Dardarian v. OfficeMax
[Post by Venkat Balasubramani]
Dardarian v. OfficeMax North America, Inc., 11-CV-0947-YGR (N.D. Cal.; Jun. 25, 2012)
The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a zip-code (i.e., retailers cannot ask for zip codes during credit card transactions). The court in that case held that its decision could be applied retrospectively and rejected Williams-Sonoma’s arguments that it would be unfair to apply this decision to conduct before the date of the decision. (Here is our prior blog post recapping that case: “California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma.”)
The question in this case was whether OfficeMax offered any better arguments for why the statute should not be applied retrospectively against it. OfficeMax argued that the California Supreme Court’s decision in Pineda was a departure from previous precedent and that OfficeMax had relied on a lower court decision in Party City v. Superior Court, where a court of appeal held that a zip-code does not constitute personal information.
The court says that this is insufficient to escape retrospective application of the statute for several reasons. First, Pineda was a decision from the California Supreme Court and it did not overrule any existing precedent from the same court. Party City was a lower appellate court decision and the California Supreme Court did not sanction the lower court’s approach when it denied review. Moreover, the court finds that the Party City opinion was only around for two years before the California Supreme Court granted review in Pineda and announced the contrary rule. OfficeMax was unable to point to a “near-unanimous body of lower-court authorities” that sanctioned its practice of collecting zip-codes.
In addition to Party City, OfficeMax pointed to one other case, in which it happened to be involved, to support its argument that it relied on lower court decisions when it collected zip-codes: Thoms v. OfficeMax. In Thoms v. OfficeMax, the court granted OfficeMax’s demurrer based on the Party City decision. While both Party City and Thoms held that zip-codes are not personal information (and were effectively overruled in Pineda), the court says that OfficeMax did not start collecting zip-code information based on these decisions. It had a long-standing policy of collecting zip-codes and merely continued its practice in light of these two decisions. This isn’t the type of reliance (e.g., a change in behavior) that weighs against retrospective application.
OfficeMax also argued that Pineda granted review on the question of whether “reverse engineering” someone’s address based on their zip-code violated the statute and thus Pineda’s decision to address the larger question of whether a zip-code constituted personal information was a surprise. Although the court ruled on the broader question of whether it was appropriate to collect the zip-code information, OfficeMax argued that the decision in Pineda was unforeseeable. The court disagrees, noting that as early as when the parties filed their briefs in Pineda, the issue of whether a zip-code constituted personal information was on everyone’s radar screen and therefore, there was nothing unforeseeable about the court’s decision in Pineda.
Finally, the court also finds that public policy favors retrospective application of the statute. OfficeMax argued that it had ceased the practice of collecting zip-code information and that it never reverse engineered this information to obtain the addresses of its customers, but the court says that the policy furthered by the statute is to forbid retailers from collecting information that could result in a breach of the customer’s privacy. While the fact that OfficeMax did not reverse-engineer this information may bear on OfficeMax’s culpability, the fact that it collected the information in the first place meant that it engaged in conduct that the statute was aimed to prevent. The court also rejects OfficeMax’s argument that retrospective application would undermine the administration of justice by holding it liable for actions it thought were lawful when it engaged in them. The court says that OfficeMax should have taken the conservative route and not have collected this information in the first place.
Pineda was a harsh decision for retailers, and the court’s conclusion in that case was certainly not an obvious one given the language of the statute. Nevertheless, the court in this case does not give OfficeMax a reprieve and says that it should be held to this conduct.
The big takeaway from Pineda is that collecting seemingly innocuous bits of information that can be reverse engineered can trigger a privacy violation. (For another example of this, see the recent FTC settlement with MySpace, where the agency held that allowing third parties to derive someone’s identity through a unique ID was a privacy violation: “Syncing and the FTC’s MySpace Settlement.”) California is not alone in having this type of legislation directed at retailers in place. Here is a similar example from Massachusetts: “Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores.” (Interestingly, the retailer defeated the plaintiffs’ lawsuit in Massachusetts where the court concluded that the collection of information in that case did not result in any harm.)
OfficeMax made some reasonable procedural and fairness-based arguments for why it should not be on the hook for its past conduct, but given the prophylactic nature of the statute, the court was not persuaded. This illustrates that when it comes to privacy statutes and regulation, while companies have done fairly well in defending against privacy lawsuits overall (and numerous lawsuits have been dismissed due to lack of harm), companies may want to exercise caution where a statute that specifically prohibits the collection of certain information is implicated.
[cross-posted at IAPP's Daily Dashboard]