California Supreme Court Says Zip Codes are PII-Really. (As California Goes, So Goes the Nation? Part Two)
Thinking hard about how business and consumer interests can be harmonized by effective and privacy/security-friendly policies and practices? We thought so. Worried that zip codes might be treated as personal information in this country? Probably not. All that may be changing. In a ruling already attracting criticism and attention from some high profile privacy bloggers, the California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08, reversing the Court of Appeal's decision that we discussed last year. For those of you who may be wondering, yes - the statute provides for penalties of up to $250 for the first violation and $1,000 for each subsequent violation, and does not require any allegations of harm to the consumer. California has already seen dozens, if not hundreds, of class action lawsuits around the Song-Beverly Credit Card Act. The Court's interpretation of "personal identification information" as including zip codes is likely to spark a new round of class action suits. California retailers should carefully consider the Pineda decision in crafting and updating their personnel policies and training programs with respect to collection of information during credit card transactions.
The legislation at issue prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Section 1747.08(a) provides that "no . . . firm . . . that accepts credit cards for the transaction of business shall . . . [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise." Subdivision (b) defines "personal identification information" as “information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number.”
The California Supreme Court reversed the Court of Appeal, holding that the definition means exactly what it says - personal identification information means any "information concerning the cardholder." The Court cited Webster's, noting that "concerning" is "a broad term meaning “pertaining to; regarding; having relation to; [or] respecting." The Court rejected the Court of Appeal's reasoning that a zip code pertains to a group of individuals, not a specific individual, finding that the reference to address in the definition of "personal identification information" must also include components of an address. The Court attacked the Court of Appeal's assumption that a complete address and telephone number are not specific to an individual. The Court took the position that interpreting the term "personal identification information" to mean any information of any kind "concerning" a consumer is consistent with the consumer protection goals of the statute. The Court reasoned:
the legislative history of the Credit Card Act in general, and section 1747.08 in particular, demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.
The Court's discussion of "information concerning" reminds me of the boilerplate definitions we litigators always use (and then fight about) in discovery requests and meet and confers. The litigators out there know what I am talking about: "for purposes of these document requests, the term 'concerning' means 'discussing, describing, reflecting, containing, commenting, evidencing, constituting, setting forth, considering, pertaining to," and on, and on, and on . . . Such definitions, interpretations, and arguments may be fun for litigators, but in real life no one knows what they really mean and they have no practical application. If "concerning" can mean anything, it kind of means nothing for purposes of providing practical guidance for reasonable business practices.
Further, while the Court's reading of the statute might make sense in a vacuum as a matter of plain language statutory interpretation based on the phrase "information concerning," the Court's analysis seems to omit any discussion of the words "personal identification" in the term "personal identification information." Zip codes may be information "concerning" a person, but they do not personally identify any individual.
Finally, and perhaps most significantly, it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute - consumer protection. The Court does not discuss any potential harm to the consumer from collection of zip codes. That is not surprising since collection of zip codes does not give rise to any obvious or apparent consumer harm.
I'm off to speak at the RSA Conference. Look forward to hearing your thoughts on this one. Happy weekend to all.