Opinion, Berkeley Blogs

My zip code is none of your business!

By Chris Hoofnagle

The California Supreme Court held today in Pineda v. Williams Sonoma that a zip code is personal information, meaning that California retailers who ask for it when you pay with a credit card violate the State's Song-Beverly Act of 1971. That law prohibits retailers from:

Request[ing]...the cardholder to write any personal identification information upon the credit card transaction form or otherwise...Request[ing]...the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise...[Using] in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

Now, before you conclude that this is all silly, consider what Williams-Sonoma was doing--it was asking consumers for their zip code without telling them that it, "subsequently used customized computer software to perform reverse searches from databases...resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff‟s previously undisclosed address, giving defendant the information, which it now maintains in its own database. Defendant uses its database to market products to customers and may also sell the information it has compiled to other businesses." So, if you pay with a credit card and give the retailer your zip code, they can figure out your home address and send you catalogs. (To easily opt out of catalogs, check out Catalog Choice).

A prohibition on this practice is big news for privacy and competition--

  • It further frustrates the ability of merchants to collect data on consumers. In the retail space, merchants face big challenges in uniquely identifying their consumers. For instance, there are at least three "Chris Hoofnagles" in the United States. How do you disambiguate them? You create artifices like loyalty cards. These loyalty programs are going to be subject to much more scrutiny as a result of Pineda
  • Merchants can't just say "cash only" to avoid the statute, because consumer purchase volume now is predominately credit/debit
  • This is probably "good for privacy," because it is one more way to stop collection of data, which is then reused for marketing purposes
  • But it may be bad for competition, because it further solidifies the card issuer as the entity that "owns the consumer"
  • That may ultimately lead to bad outcomes for privacy, because the decision might cause blowback--if the merchants are smart, they'll go amend Song Beverly to allow even broader data collection, using the argument that big, bad credit card companies' monopoly on consumer data is unfair to small businesses
  • And things may get even more interesting, because although one court has held that Song-Beverly does not apply to online transactions (Saulic v. Symantec Corp., 596 F.Supp.2d 1323 (C.D.Cal. Jan 05, 2009)), that decision is weakened by the reasoning of Pineda. The Saulic court focused upon the absence of the word "internet" in the relevant portion of Song-Beverly, which was added in 1990. It also was concerned that fraud problems that are intensified by distance selling require collection of personal information. The Pineda court, however, correctly recognizes that Song-Beverly is remedial, and should be interpreted broadly. It includes an exception for shipping, so your online purchases can be delivered.

    What about fraud? Song-Beverly does allow a requirement for "positive identification," "provided that none of the information contained thereon is written or recorded on the credit card transaction form or otherwise." One could imagine a system where sellers of digital goods require consumers to provide addresses, but then delete them as soon as they are verified, which is possible with standard address verification systems. I don't think it is a stretch to revisit Saulic and make it possible for consumers to buy digital goods online without having their addresses reused for marketing and other purposes.

    Update: Pineda and the Law of the Jungle.