Although California and Massachusetts have stolen the spotlight with high profile cases banning zip code collection in connection with credit card purchases, thirteen other states and the District of Columbia have similar laws. With voracious class action attorneys circling, it is critical for retailers to know their legal obligations in these jurisdictions and, if necessary, adjust their privacy practices and policies.
Yet, because these statutes are to varying degrees vague, untested, and archaic, compliance can be difficult. At the same time, the risks could scarcely be higher. Hundreds of companies have already been ensnared in consumer class action lawsuits in California and Massachusetts, and the litigation floodgates may now open in other states as well. And the math is simple. With penalties as high as $1,000 every single time a zip code, address, or telephone number is collected illegally--for periods going back as far as six years--even a relatively small company could face a liability in the millions or tens of millions of dollars. You're also likely to be required to pay the plaintiffs' legal fees if you lose, which are often as much as one-third of the penalty calculation.
The State Law Landscape. A general baseline for state statutes governing the collection of personal information during credit card transactions is a prohibition against retailers requiring customers to provide certain information in connection with a credit card transaction. California and a few other states, including Wisconsin, go further, barring even the requesting of such information. Other states, like Massachusetts, prohibit the "writing" of such information, usually on "a credit card transaction form" -- although, as the industry learned in Massachusetts, writing doesn't necessarily mean writing (it can mean inputting information electronically) and a "transaction form" might be interpreted to include a marketing database (the Massachusetts court dodged this issue for now).
Not Just Zip Codes. Seven states appear to limit their prohibitions to customers' addresses and telephone numbers, and not the sweeping concept of "personal identification information" included in the California and Massachusetts statutes. (In California, for example, "personal identification information" is defined as information not appearing on the face of a credit card, and so it could include not only zip codes, but also a state of residence, a birthday, an email address, or a person's gender.)
But, even in the states that expressly limit their bans to addresses and telephone numbers, the decisions in Massachusetts and California reveal a path by which these statutes might be interpreted to reach the collection of zip codes only. For example, the Supreme Court of Massachusetts felt free to deem zip codes to be "personal identification information" because "a consumer's zip code, when combined with
the consumer's name, provides the merchant with enough information to
identify through publicly available databases the consumer's address or
telephone number, the very information § 105 (a) expressly identifies as personal identification information." As a result, the court found that not extending the prohibition to zip codes "would render hollow the statute's explicit prohibition on the collection
of customer addresses and telephone numbers, and undermine the
statutory purpose of consumer protection." In other words, even if you are not collecting addresses and telephone numbers in these states, you could still be at risk.
Exceptions. Most of these statutes have exceptions that benefit direct marketers. California, for example, allows retailers to collect zip codes and other "personal identification information" if it "is required for a
special purpose incidental but related to the individual credit card
transaction, including, but not limited to, information relating to
shipping, delivery, servicing, or installation of the purchased
merchandise, or for special orders." In other states, like Massachusetts, the exception is more narrowly drawn, and, in some states, there are no exceptions at all. And even for those laws which allow address information to be collected for shipping, the exception does not extend to address collection in gift transactions where the billing address and the shipping address are different.
Enforcement. Of course, one of the biggest issues for direct marketers is the risk of being the subject of a government investigation or a class action lawsuit. The risk of government enforcement (by a state attorney general, for example) is likely low in all states except in the event of a data breach--which underscores the need for companies to have in place information privacy and security policies that reduce the risks of such a breach. As importantly, states are unlikely to seek astronomical penalties from retailers, something that is the bread and butter of class action cases.
The risk of a federal or state class action lawsuit--on behalf thousands upon thousands of consumers--is much higher. These privacy statutes are very attractive to class action lawyers because they often have a "per violation" penalty that can drive potential recoveries into the stratosphere. This, in addition to provisions that allow plaintiffs (but not defendants) to recover attorneys' fees, makes them a very attractive basis for filing a barrage of lawsuits in the hopes that some of them will succeed or, even in failing, provoke lucrative settlements.
In the past, privacy-related class actions have often foundered because the plaintiffs could not demonstrate any "injury." Many state consumer protection laws, including the one in Massachusetts, require such an injury to allow a suit to go forward. (Some, like California, Wisconsin, and the District of Columbia, do not require a showing of injury.) But, we learned from the Michaels case in Massachusetts that courts can stretch the concept of "injury" beyond recognition. The Supreme Court of Massachusetts found that the "invasion of privacy" caused by the receipt of a just one unwanted catalog was sufficient "injury" to maintain a class action lawsuit. In Michaels, it was alleged that the retailer used the zip code to obtain customers' mailing addresses, and then sent unsolicited catalogs to those addresses. That was the extent of the "harm."