Tuesday, November 17, 2009

Retailers That Ask For Customers’ Zip Codes During Credit Card Transactions Do Not Violate Consumer Protection Statute

Case: Pineda v. Williams-Sonoma Stores, Inc., Cal. Court of Appeal, Fourth District, Division One, No. D054355 (Oct. 23, 2009)

The One Sentence Summary:
A retailer did not violate the Song-Beverly Credit Card Act of 1971 (Cal. Civ. Code § 1747 et seq.), nor did it invade its customer’s privacy, when it asked a customer who used a credit card for her zip code, where the zip code was later used to conduct a reverse database search for her address.

What They Were Fighting About:
Plaintiff Jessica Pineda purchased an item with her credit card at a Williams-Sonoma Store in California. The cashier asked for her zip code without informing her what would happen if she declined. Thinking that the information was required, Pineda provided her zip code. The store used this information in a computer program to conduct reverse searches of databases and acquired her address, which it then maintained in its own database.

Pineda filed a putative class action alleging, among other things, a violation of the Song-Beverly Credit Card Act of 1971 (Cal. Civ. Code § 1747 et seq.). This Act prohibits businesses that accept credit cards from requesting and recording “personal identification information” about the card holder, including the card holder’s address and telephone number. Pineda also claimed that her privacy was invaded when the store requested and recorded her zip code, used this information to obtain her address, and used her address for its own profit.


Court Holdings:
The Court of Appeal affirmed the trial court’s order sustaining Williams-Sonoma’s demurrer and held:

  • Relying on Party City Corp. v. Superior Court, 169 Cal. App. 4th 497 (2008), the court held that the Song-Beverly Credit Card Act does not prohibit retailers from asking consumers for their zip codes. The Party City Court reasoned that an “address and telephone number” were specific to an individual, whereas a zip code was a group identifier not prohibited under the Act.
  • Using a legally obtained zip code to acquire and use an address that is public is not “a serious invasion of privacy,” which is a necessary element of a privacy claim. Pineda failed to allege facts showing that her home address was not otherwise publicly available or that she undertook efforts to keep it private.


Wednesday, November 7, 2007

Protection of Consumer Payment Information Remains an Imperative for California Retailers

The One Sentence Summary:
While Governor Schwarzenegger recently vetoed a Bill that would have imposed greater obligations on retailers with respect to protection of consumer payment information, continued legislative efforts are likely and retailers remain subject to data security standards set by the Payment Card Industry.


Full Posting:
On October 17, Governor Schwarzenegger vetoed AB 779, which would have imposed greater responsibilities on retailers with respect to the storage of customer payment data, sending of customer payment data on public networks, and access to customer payment data. In addition, AB 779 would have imposed additional obligations on retailers with respect to notifying California residents whose personal information is acquired by an unauthorized person, and it would have imposed an obligation on retailers to reimburse data owners for costs incurred due to security breaches, including replacing cards and notifying customers.

AB 779 was passed by the Assembly by a vote of 68-0 and by the Senate by a vote of 30-6. In vetoing the Bill, the Governor cited ambiguities in the application of AB 779 and expressed concern that AB 779 could create a conflict with the responsibilities and liabilities already established by the Payment Card Industry (“PCI”), which is composed of the five major credit card brands.

The PCI security standards are minimum compliance and validation guidelines applicable to organizations that accept payment card transactions. They include guidelines for maintenance of a secure network; protection of cardholder data; maintenance of a vulnerability management program; implementation of access control measures; regular monitoring and testing of networks; and maintenance of an information security policy. The PCI standards are not enforced by PCI. Rather, individual payment card companies have the ability to enforce the standards, including by subjecting retailers to fines or revocation of card processing privileges for failure to comply. Additional information regarding PCI compliance can be found at http://www.pcicomplianceguide.org/.

Despite the Governor’s veto of AB 779, he acknowledged the need to protect consumer financial information. The Governor also encouraged the Bill’s author and the credit card industry “to work together on a more balanced legislative approach.”

What does the veto of AB 779 mean for California retailers? First, irrespective of the Governor’s veto, retailers are required to become PCI compliant or they risk fines or suspension of credit card processing privileges. If a retailer is not PCI compliant, efforts to gain compliance should begin immediately. Second, retailers can expect a second attempt by the California Legislature in 2008 at imposing additional obligations on retailers with respect to maintaining and protecting customer payment information. Becoming PCI compliant is an initial step in preparing for potential legislative enactments.
