Every day, hundreds of thousands of consumers use credit cards to pay for goods and services in California. In connection with these transactions, it has become almost routine for retailers to ask consumers to provide their ZIP code. A recent California Supreme Court decision, however, Pineda v. Williams-Sonoma, has captured the attention of the California business community by calling this practice into question.

In Pineda, decided on February 10, 2011, a unanimous California Supreme Court held that collecting ZIP codes from cardholders during a credit card transaction violates California's Song-Beverly Credit Card Act of 1971 ("the Credit Card Act").1 The Credit Card Act prohibits companies from requesting and recording "personal identification information" during a credit card transaction, with certain limited exceptions.2 The Supreme Court's ruling broadly impacts all businesses in California that accept credit cards and request personal identification information during a consumer transaction. Nonetheless, the Court's sweeping announcement is narrowed by four statutory exceptions, which were not at issue in Pineda. This alert summarizes the Pineda opinion and analyzes some of the open questions surrounding credit card transactions given the Credit Card Act's statutory exceptions.

Background: Pineda v. Williams-Sonoma

When the Credit Card Act was enacted in 1971, its purpose was to institute fair business practices to protect consumers. The Act made major changes in business procedures dealing with credit cards but did not address the practices at issue here. Section 1747.08, which proscribes businesses from requesting "personal identification information," was first added in 1990 and amended in 1991 to become the provision that it is today.3 In the Act, "personal identification information" is defined as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number."4 While it was generally understood that a cardholder's full address could not be requested during a credit card transaction under the Act, dispute remained over whether parts of a consumer's address were protected.

In 2008, the plaintiff in Pineda filed a putative class action against Williams-Sonoma for requesting her ZIP code during a credit card transaction. She alleged that she visited one of Williams-Sonoma's stores and, when she paid for her purchase with her credit card, the cashier asked for her ZIP code. Pineda believed she was required to provide the requested information in order to make her purchase, so she complied. The cashier entered her ZIP code into the electronic cash register and completed the transaction. The plaintiff's ZIP code was then entered into customized computer software that performed reverse searches from databases containing millions of pieces of information, enabling Williams-Sonoma to obtain plaintiff's full address. Williams-Sonoma was then allegedly able to sell the plaintiff's information to other businesses or use it to market its own products.

The trial court and the Court of Appeal both concluded that a ZIP code was not "personal identification information" under the Credit Card Act because a ZIP code identifies a group of individuals that live within a specific area, not an individual person. The California Supreme Court granted review and ultimately reversed.

The California Supreme Court disagreed with the lower courts on multiple grounds. First, the Court interpreted the Act to encompass not only a complete address, but also its components.5 The Court reasoned that the ZIP code portion of a consumer's address can be used to locate the consumer's full address. The Court noted that the Act's purpose was to prevent the misuse of personal identification information for, among other reasons, marketing. Given that technology exists to reverse-engineer a person's address from her ZIP code, the Court reasoned that holding a mere ZIP code not to be personal information would subvert the Act's primary purpose.

Next, the Court discussed the Act's legislative history, observing that it was intended to provide "robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction."6 The Court found that the plaintiff's ZIP code was not necessary to the credit card transaction in this case. The Court, therefore, concluded that interpreting a consumer's ZIP code as "personal identification information" was the interpretation most consistent with the Act's legislative purpose.

Thus, as a result of the Act's language and legislative history, the Court ruled that California businesses may not request a consumer's ZIP code during a credit card transaction. Businesses that have done so or continue to do so will be subject to the penalty provision of the Act, Section 1747.08(e). This section states that any person who violates the Act is subject to a civil penalty not to exceed $250.00 for the first violation and $1,000.00 for each subsequent violation. Although the Court held that the Act would be applied retrospectively, it also explained that the maximum penalty need not be imposed, and that the amount of the penalty rested within the sound discretion of the trial court.7

Practical Implications and Open Questions for Credit Card Transactions

At first blush, the implications of the Court's holding in Pineda seem stark. The Court's opinion does not acknowledge any exceptions to the rule that businesses in California may not record a consumer's ZIP code or other personal identification information during a credit card transaction. Despite the apparent expansiveness of the Court's ruling, however, it does not affect all business transactions. The Act contains four exceptions, which allow businesses to collect personal identification information under the following circumstances:

  1. If the credit card is being used as a deposit to secure payment in the event of default, loss, damage, or other similar occurrence;
  2. Cash advance transactions;
  3. If the business accepting the credit card is contractually obligated to provide personal identification information by federal law or regulation; or
  4. If personal identification information is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.8

Not all of these exceptions are straightforward. For example, the fourth exception, permitting a business to obtain personal information for a "special purpose incidental but related to the individual credit card transaction,"9 is somewhat nebulous. On the one hand, the Act identifies shipping, delivery, and installation as examples of purposes incidental to the transaction, but the Act also does not limit the exception to these purposes. Many businesses, including gas stations, collect ZIP codes or other personal information to prevent fraud. Whether fraud prevention falls under the "special purpose" exception is now an open question. It is likely that the scope of this exception will be more thoroughly explored in Pineda's wake.

Additionally, the Credit Card Act explicitly allows businesses to request a cardholder's personal information during a credit card transaction if that information is not "written or recorded."10 In other words, a person can ask to see a credit cardholder's driver's license to prevent fraud, as long as the license information is not "recorded." This raises the question, in the case of gas stations, for instance, of whether a customer's ZIP code is actually "written or recorded" when entered at the pump. Some members of the plaintiffs' bar are ready to answer that question as "yes," while others concede that, if the information was not retained, it was not "recorded." Thus, there is further ambiguity as to whether a business that enters a cardholder's personal identification information into a system – without actually storing it – is in violation of the Act.

The gas station is but one example of the now open questions on the Credit Card Act's reach. The limited exceptions are not hollow, but neither are they precise. While Section 1747.08(d) reflects the legislature's desire for balance – privacy vs. fraud – only future litigation or legislation further clarifying the Act will confirm the Act's reach. In the interim, businesses accepting credit cards in California should proceed cautiously before requiring a customer to provide their ZIP code.

California's Credit Card Act as Interpreted by Pineda Closely Resembles the Federal Fair and Accurate Credit Transaction Act

Since the Court's ruling in Pineda, at least 70 consumer class action lawsuits have been filed in California courts against retailers alleging violation of the Act. This mass movement by the plaintiffs' bar is reminiscent of the class action suits filed against corporate defendants following the 2003 passage of the Fair and Accurate Credit Transaction Act ("FACTA").11

Similar to the Credit Card Act, FACTA precluded any merchant who accepted a credit card or debit card for a business transaction from printing more than the last five digits of the consumer's card number or the card's expiration date on the customer's receipt.12 A "willful" violation of FACTA automatically qualified plaintiffs for statutory damages ranging from $100 to $1,000 per violation. A negligent violation of FACTA would entitle plaintiffs to actual damages upon proof. As originally passed, the language of FACTA was ambiguous because it was not clear whether a violation occurred only when the merchant printed both more than the last five digits of the card number and the card's expiration date, or whether printing just one of those violated FACTA. Moreover, FACTA also failed to adequately define the mental state required for a "willful" violation. Plaintiffs' class action lawyers, seeking to capitalize on the ambiguity and potential for windfall attorneys' fees, filed hundreds of class action suits against corporate defendants in California federal courts in the wake of FACTA, alleging "willful" violations.

Paul Hastings represented numerous clients in defense of lawsuits alleging violations of FACTA. Some arguments raised in defense of these cases were that plaintiffs could not state a claim because the presence of an expiration date on a receipt did not cause any injury to the consumer, as it posed no risk of identity theft. Further, an aggregated statutory damages award such as the one available under FACTA would be unconstitutionally excessive. In addition, a class action could not be the superior method for fair adjudication of FACTA cases because class certification would permit plaintiffs to recover annihilating statutory damages awards for violations of technical statutes out of proportion to any actual harm suffered, which would not be a "fair, efficient, or cost-effective adjudication of the controversy," as required for class certification. While the U.S. Court of Appeals for the Ninth Circuit recently overturned a denial of class certification on grounds that the statutory damages sought by plaintiffs were "out of proportion" to any harm suffered by the class, it left open the possibility that a defendant faced with "ruinous liability" due to an aggregated statutory damages class action may have a basis to seek denial of class certification.13 Similar arguments to those raised in FACTA cases can be raised in defense of cases brought under the Credit Card Act, where violation of the Act imposes a civil penalty not to exceed $250.00 for the first violation and $1,000.00 for each subsequent violation.14

In addition, rather than just defending the cases in court, following a review of the legislative history of the statute, Paul Hastings determined that a legislative remedy may be possible in this situation given the disconnect between the purpose of the relevant section of FACTA – to prevent identity theft – and the lack of any actual or potential harm suffered by people who only had the expiration date appear on an otherwise FACTA-compliant receipt. Clearly the way in which the plaintiffs' bar was using the statute was not the intent of Congress in passing the law. Paul Hastings then went into action, leading a coalition of U.S. retailers and associations in support of legislation to protect businesses from abusive and costly lawsuits stemming from FACTA. In May 2008, the House of Representatives unanimously passed H.R. 4008, the Credit and Debit Card Receipt Clarification Act, which amended FACTA to make clear that the inclusion of an expiration date on an otherwise FACTA-compliant credit or debit card receipt between December 4, 2004 and the date of enactment cannot be deemed a willful violation of FACTA. The following week, the U.S. Senate passed the bill without objection. Former President Bush signed the bill into law on June 3, 2008.

The success of this legislation, which was enacted less than seven months after bill introduction, was based on the coalition's ability to reach across both sides of the aisle to explain how this correction to FACTA was necessary to protect both business and consumer interests. As a result of the passage of the Credit and Debit Card Receipt Clarification Act, hundreds of companies that were named defendants in class action lawsuits filed under FACTA were retroactively immunized from liability that could have amounted to billion-dollar losses.

As was the case after Congress passed FACTA, the plaintiffs' bar has been active in the wake of Pineda, filing more than 70 lawsuits under the Credit Card Act. A legislative lobbying effort by experienced, skilled attorneys may prove as effective in protecting businesses from liability under the Credit Card Act as it was in protecting companies from liability under FACTA.

Conclusion

The California Supreme Court's decision in Pineda threatens all businesses accepting credit or debit cards in exchange for merchandise. Pineda creates an opportunity for class action lawsuits against any businesses operating in California, potentially including online businesses that sell to customers in California, that fail to comport their data collection policies with a strict interpretation of the Credit Card Act, which prohibits collection of consumer ZIP codes or other personal identification absent a statutory exception. In light of the broad holding of Pineda, it remains to be seen whether certain of those statutory exceptions, such as the special purpose exception, will expand. In addition, despite arguments by the plaintiffs' bar, it remains unclear whether the mere act of entering personal identification information into a computer as part of a retail transaction is enough to trigger a violation of the Credit Card Act. For now, businesses in California should carefully scrutinize their collection and, especially, retention of personal identification information requested from a cardholder during a credit card transaction.

Footnotes

1. Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011).

2. Cal. Civ. Code § 1747.08 (2011).

3. Pineda, 51 Cal. 4th at 533-36.

4. Cal. Civ. Code § 1747.08(b).

5. Pineda, 51 Cal. 4th at 531-32.

6. Id. at 536.

7. Id.

8. Cal. Civ. Code § 1747.08(c)(1-4).

9. Id. at (c)(4).

10. Cal. Civ. Code § 1747.08(d).

11. Although enacted in 2003, FACTA became effective as to all transactions covered by the statute on December 4, 2006. 15 U.S.C. § 1681c(g).

12. 15 U.S.C. § 1681c(g).

13. Bateman v. Am. Multi-Cinema, Inc., 623 F.3d 708, 713, 723 (9th Cir. 2010).

14. Cal. Civ. Code § 1747.08(e).

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.