It's become commonplace for bricks-and-mortar merchants to ask shoppers for their ZIP code when they pay with a credit card (and even sometimes when they use cash). The court decision, and others like it on the books in California and a handful of other states, have some privacy lawyers suggesting retailers change their ways when it comes to collecting ZIP codes.
The Massachusetts court last month ruled in the class action suit that collecting personal information when conducting a credit card transaction violates state privacy law. In this case, it wasn't about data security or fraud. Rather, plaintiff Melissa Tyler argued that when Michaels Stores matched her ZIP code collected by a cashier with other data to retrieve her mailing address and phone number to target marketing communications to her, it violated an existing law prohibiting entities from requiring personal information when paying with a credit card.
"These rules that you can't collect ZIP codes are in laws regulating the use of credit cards," said Thomas Smedinghoff, partner at Edwards Wildman Palmer, regarding the Massachusetts and California laws. "I think we're going to see more of this in part because of the growing number of studies that indicate how easy it is to identify someone with very limited amounts of information," he said.
The Massachusetts law wouldn't prevent a company from using ZIP codes gathered by other means to target marketing offers, and would not affect things like data collected and used through loyalty card registrations, said Miriam Wugmeister, partner at Morrison & Foerster and chair of the firm's Global Privacy and Data Security Group. There are similar laws established in Delaware, Georgia, Kansas, Maryland, Minnesota and Nevada that limit merchants from requiring personal information in conjunction with a credit card transaction, she said.
Of course, ZIP codes are collected online in part to verify the identity of consumers using credit cards in ecommerce transactions to prevent fraud. The same goes for lots of pull-up and fill-up gas station pump purchases. It's unclear how the Massachusetts ruling would affect ZIP-code data collection for fraud prevention and ecommerce transactions.
In California, the law has evolved to consider ecommerce. The state's Song-Beverly Act, which deals with consumer protection, prohibits gathering of personal information during credit card transactions only in bricks-and-mortar instances, not when it comes to ecommerce purchases or digital downloads.
Erin Aures, associate in the Patent Law and Intellectual Property Groups in the Litigation Department at Proskauer Rose, suggested on the law firm's site, "retailers and businesses may want to review their policies regarding credit card transactions and how their employees request consumer information. In particular, retailers and other businesses may want to reconsider whether their employees should request a ZIP code, even if provided by consumers voluntarily, when such information is not required by the credit card issuer."
"We're trending towards an environment where asking for permission…is becoming the norm," said Christopher Wolf, director of the Privacy and Information Management practice group at Hogan Lovells, an international law firm. He suggested marketers need to pay attention to the Massachusetts ruling, which allows consumers to sue for damages.
"We're going to see more of [these types of law suits] in part because of the growing number of studies that indicate how easy it is to identify someone with very limited amounts of information," said Mr. Smedinghoff.