A recent spate of lawsuits filed in the U.S. has questioned the practice of retailers collecting zip codes in order to complete credit card transactions. The scenario is familiar: while a customer is paying for a purchase with a credit card, the cashier asks the customer for his or her zip code. The customer provides the information thinking it is somehow necessary to complete the transaction. The cashier types the zip code into the cash register and the transaction is completed seconds later without further mention of the zip code.

In the class action lawsuit Pineda v. Williams-Sonoma Stores Inc. 51 Cal. 4th 524 (judgment issued February 10, 2011) (Pineda), the Supreme Court of California held that this practice was a violation of California's Song-Beverly Credit Card Act of 1971 (Act), which in section 1747.08 prevents retail merchants from requesting or requiring personal identification information from cardholders and recording it upon the credit card transaction form or otherwise. The Court reasoned that the zip code was the customer's personal information, that collecting it was unnecessary to complete the transaction and that the collection was contrary to the Act's intent of providing robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.

In the wake of Pineda, multiple class actions and lawsuits against the practice have been filed in California and elsewhere in the U.S. Could the practice of retailers collecting postal codes (the Canadian equivalent of zip codes) at the point of sale also be vulnerable to legal challenge in Canada? Under Canada's federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA), "[a]n organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes" (Schedule 1, principle 4.3.3). PIPEDA applies to the collection, use and disclosure of personal information of customers in the private sector (i) by federal works, undertakings or businesses throughout Canada, (ii) across provincial borders or internationally, and (iii) by private sector organizations in those provinces which do not have substantially similar private sector privacy legislation, which are all provinces except B.C., Alberta and Quebec. However, similar prohibitions as PIPEDA's also exist in the provincial private sector privacy laws of B.C., Alberta and Quebec.

The analysis under the Canadian legislation would be the same as in Pineda: the collection of the postal code would be vulnerable to challenge unless the retailer could prove that the collection of the postal code is reasonable and necessary to complete the transaction. In Canada, most likely the challenge would be made to one of the federal or provincial Privacy Commissioners, as opposed to being made a lawsuit in the courts, for breach of one of the Canadian privacy statutes. However, the common law of privacy in Canada is also evolving, with the Ontario Court of Appeal this year in Jones v. Tsige confirming a common law action for breach of privacy for deliberate and significant invasions of personal privacy. How far Jones v. Tsige can be extended remains to be seen. Unnecessary or over-collection of personal information by retailers and other business, nonetheless, is likely to draw the ire of certain consumers and, backed by Canadian privacy laws, may result in complaints through one forum or the other.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.