Yes, You Really Can Still Ask For ZIP Codes. Just Do It Properly

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Cybersecurity Director for CSC in Virginia.

When the California Supreme Court last month punished Williams-Sonoma for asking customers to reveal their ZIP codes, it sent many retail execs into a panic. Many assumed that they'd have to halt all requests for ZIP codes to avoid the cookware chain's fate. Fear not. The law says you're fine to ask consumers to zip away their codes, as long as you abide by some common-sense rules.

What that Supreme Court decision actually did was enforce a very specific part of the Song-Beverly Credit Card Act of 1971. That law says, in relevant part: "No corporation that accepts credit cards for the transaction of business shall request or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise."

The clear language of the statute (with some noted exceptions) makes it a violation to collect any information about the cardholder as a condition of accepting a credit card. Where Williams-Sonoma got hurt was when the chain not only asked for the consumer's ZIP code but then used the credit card number, name and ZIP code "to perform reverse searches from databases that contain millions of names, E-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff's previously undisclosed address, giving defendant the information, which it now maintains in its own database. [Williams-Sonoma] uses its database to market products to customers and may also sell the information it has compiled to other businesses."

These facts are significant, because the court found that Williams-Sonoma had no business interest in collecting the plaintiff’s ZIP code other than to gather personal information with the intent to identify and market to her. Also, there was no indication that the ZIP code was required by Williams-Sonoma to complete the purchase, ship anything to her or deliver anything to the plaintiff.

In other words, the problem was not with the chain asking for the ZIP code. Williams-Sonoma was punished because it did not have any legitimate business need for that ZIP code—unlike, say, gas stations using it to authenticate payment card identity. Worse, the chain used the ZIP code to gather truly personal information and to then market—potentially intrusively—to that consumer. When it used the ZIP code to obtain personal information, it made the ZIP code itself personal information. That's when the big gavel came down against the chain.

The court noted that "the legislative history demonstrates the legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction."

ZIP code collection is fine, as long as you have a reason and use those ZIP codes only for that reason. A key part of the rationale behind the California statute was not so much to protect the collection or disclosure of such information but to prevent that information from being used for marketing. In a case involving AutoZone, for example, the California appellate court determined that the statutory prohibition on requiring personal identification information as a condition of "any credit card transaction" did not apply to a return that was made in exchange for a reversal of the original credit card purchase transaction, because the goal of collecting that data was not to market to the consumer but to ensure the reliability of the return.

In the Pineda case, the employees of Williams-Sonoma had no reason to collect the ZIP codes of customers other than for marketing purposes and, therefore, such collection was improper if, as the court found, such information was "personal information" under the statute. The Pineda court noted, "a cardholder's ZIP code is similar to his or her address or telephone number, in that a ZIP code is both unnecessary to the transaction and can be used, together with the cardholder's name, to locate his or her full address."

As a retailer, you have to ask yourself, "What information am I collecting and why?" If you are collecting information to complete the transaction, because of a contractual obligation, because of a legal requirement, to ship or process the goods or services or even for fraud prevention purposes, you may be OK under California law. If you collect the information and then delete (or don't store) it, such as if you were merely validating the transaction, then you are also OK.

The key is to document your data collection practices and rationale. Also, it is not clear that the narrow decision in Pineda actually reversed two federal court opinions interpreting the California statutes. In these cases, the courts held that merchants' collection of personal information for purposes other than as a requirement of accepting a credit card did not violate the California statute.

In Watkins v. AutoZone Parts, the federal court wrote: "AutoZone's warranty registration service permits its customers to have eligible products registered for warranties regardless of what method of payment the customer uses to purchase products and the process for registering a warranty does not depend upon the customer paying for the warrantied item with his or her credit card. AutoZone's warranty database does not contain any information regarding the method of payment the customer used to purchase the covered product, including but not limited to customers' credit card numbers and credit card expiration dates. AutoZone requests customers to provide personal identification information to connect the identity of the customer who registers for a warranty to the product covered by the warranty, and to identify potential fraud."

That federal court ruled in favor of the auto parts dealership, noting "the Court agrees that AutoZone's request for plaintiff's telephone number was in order to register the brake pads for a warranty and was not requested in connection with Plaintiff's use of a credit card to complete a purchase" and the court ruled that "the request for information in connection with the warranty registration process is not done for marketing purposes, but to provide a service to customers if they lose their warranty information and to prevent fraud in the return of products covered by a warranty."

One issue was left essentially unresolved by the Pineda case. The court did not address the fact that the statute makes it unlawful to require personal information "as a condition to accepting the credit card." It does not appear that Williams-Sonoma ever argued that it collected ZIP code information from all customers, regardless of whether they paid by payment card and, therefore, providing the information was not "a condition of accepting a credit card."

Neither did Williams-Sonoma appear to argue that the collection of the information was purely voluntary and that it would have completed the transaction even if the information was withheld, although it is not clear that the consumer knew that or that Williams-Sonoma even tried to make that clear to customers.

Many merchant agreements may require (or at a minimum permit) the use of a ZIP code as verification of identity. It is for this reason that gas stations require customers to enter a ZIP code as authentication to put an "authorization hold" (technically a "double hold") when a consumer is purchasing gas at a pump. Because no other form of identification is presented, and to prevent fraud, the ZIP code information acts as a substitute for other authorization. If the merchant agreement "required" this information, then the merchant would be obligated by contract to collect it.

Other statutes may require retailers to collect information about their customers for the purposes of warranty, repair, notification, etc. In such cases, the collection of the information would also constitute a "special purpose."

Ultimately, the impact of Pineda may be limited. More merchants are creating loyalty card programs, whereby consumers voluntarily provide their personal information in return for "points," discounts or sometimes nothing at all. Just as Napoleon Bonaparte once proudly declaimed that he could make men march into battle and die for nothing more than a strip of ribbon, merchants can get customers to give up their names, addresses, E-mail addresses, telephone numbers, pet's names and just about any personal information in return for a plush doll or a buck off.

Because the provision of personal information under these loyalty programs is independent of the manner of payment, they would not likely come under the rubric of the Song-Beverly law, although general data privacy and protection laws would continue to apply to this information. The data collected could then be used for the purposes for which it is collected, including marketing.

The short takeaway is "don’t ask your California customers for their ZIP codes as a condition of taking a credit card." The broader message from the Pineda case is to document your data collection and use policies and to make sure that your customers know what they are giving and why. Oh, and don't collect ZIP codes from payment card customers just to market to them.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.