That spells trouble for many large retail chains that have been asking customers for their Zip codes for years. But ironically, this problem may already be history. Today, every time a customer does an online or mobile transaction, a retailer automatically gets detailed information on who the customer is. With loyalty programs and other CRM initiatives, customers voluntarily offer up detailed information on who they are. As a practical matter, retail chains were going to stop doing this soon anyway; the clock just ran out on it a little early.
Unfortunately for retailers, the California court ruled that collecting Zip codes during credit-card transactions has been illegal since 1991. "In light of the statute's plain language, protective purpose, and legislative history, we conclude a Zip code constitutes 'personal identification information'" as that phrase is used in the law, wrote Associate Justice Carlos R. J. Moreno in the unanimous opinion. "Thus, requesting and recording a cardholder's Zip code, without more, violates the Credit Card Act."
Predictably, more than a dozen class-action Zip-code lawsuits have been filed in the past week, including complaints against Wal-Mart, Target, Macy's, Bed Bath & Beyond, Radio Shack, Old Navy, Crate & Barrel, Victoria's Secret, The Container Store, Shell and Tiffany. Those past offenses could rack up hefty fines by the time the cases are resolved.
There are a pair of ironies here. One is that Williams-Sonoma insisted collecting Zip codes couldn't be illegal because so many people live in the same Zip code. How could that be personally identifiable information? That argument didn't sway the justices—possibly because Williams-Sonoma actually identified the addresses of customers based on just their names and Zip codes. That probably should have been a warning flag.
Williams-Sonoma "used customized computer software to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book," the court wrote. "The software matched plaintiff's name and Zip code with plaintiff's previously undisclosed address, giving [Williams-Sonoma] the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses." Sounds pretty much like personal identification, doesn't it?Keep in mind that this is a California law, and this ruling is specific to the Golden State. The impact is bigger than that, though—partly because California is so big, but also because the state is a bellwether for both retail and legal trends. When California courts decide to expand the range of what qualifies as personally identifiable information in retail, other courts are likely to follow.
That leads to the other irony, which is that old-school techniques such as collecting Zip codes are already on the way out. To stop collecting that information is much less of a hardship for retailers today. Sure, it's easier than ever to feed names and Zip codes into database engines that spit out mailing lists to target unenthusiastic customers.
But today, huge numbers of in-store customers will voluntarily divulge much more—and much better—information. How much they spend, what stores they visit, what products they buy and which coupons they use can all be tracked in detail, and with customers' full cooperation.
Online, customers will volunteer E-mail addresses and personal information and even tie themselves to retailers' Facebook pages. Does that customer's IP address qualify as personally identifiable information? Interestingly enough, an IP address in the online world is much more specific—and therefore identifies a consumer much more closely—than does a Zip Code in the physical world.
This fact was actually addressed in a 2009 court case, when a federal judge in Seattle ruled that "in order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer." Is that a material distinction in a privacy discussion?
It hardly matters—the customers you want will likely be glad to tell you all about themselves.
Mobile commerce is still in its early stages, but it's quickly developing the same pattern. You don't have to be sneaky to squeeze phone numbers out of customers. They'll jump at the chance to sign up to receive your text alerts, coupons and other mobile shopping offers. And this is above and beyond all of the location- and cell-phone-specific data that mobile devices surrender automatically.
Remember Best Buy's ill-conceived in-store kiosks that looked just like its Web site, except with higher prices? Those turned out to be illegal, too. Today, of course, such a tricky gimmick is useless. So many customers can check a real Web site on their phones that a deceptive kiosk wouldn't last a week. It's not just illegal; it's obsolete.
The days of trying to trick the unwilling into listening to pitches they don't want to hear are gone. You have real, enthusiastic customers who believe loyalty programs and text alerts aren't annoyances or invasions of privacy but valuable shopping tools. They want to spend more money at their favorite retailers.
But wasting your associates' time in questionably legal efforts to scrape up a little information that can be spun out into mailing lists that will only irritate uncommitted customers? Even if it weren't illegal, that's a crime against retail.