My zip code is none of your business!

Chris Hoofnagle, adjunct professor of information | February 10, 2011

The California Supreme Court held today in Pineda v. Williams Sonoma that a zip code is personal information, meaning that California retailers who ask for it when you pay with a credit card violate the State’s Song-Beverly Act of 1971. That law prohibits retailers from:

Request[ing]…the cardholder to write any personal identification information upon the credit card transaction form or otherwise…Request[ing]…the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise…[Using] in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.

Now, before you conclude that this is all silly, consider what Williams-Sonoma was doing–it was asking consumers for their zip code without telling them that it, “subsequently used customized computer software to perform reverse searches from databases…resembling a reverse telephone book. The software matched plaintiff’s name and ZIP code with plaintiff’s previously undisclosed address, giving defendant the information, which it now maintains in its own database. Defendant uses its database to market products to customers and may also sell the information it has compiled to other businesses.” So, if you pay with a credit card and give the retailer your zip code, they can figure out your home address and send you catalogs. (To easily opt out of catalogs, check out Catalog Choice).

A prohibition on this practice is big news for privacy and competition–

  • It further frustrates the ability of merchants to collect data on consumers. In the retail space, merchants face big challenges in uniquely identifying their consumers. For instance, there are at least three “Chris Hoofnagles” in the United States. How do you disambiguate them? You create artifices like loyalty cards. These loyalty programs are going to be subject to much more scrutiny as a result of Pineda
  • Merchants can’t just say “cash only” to avoid the statute, because consumer purchase volume now is predominately credit/debit
  • This is probably “good for privacy,” because it is one more way to stop collection of data, which is then reused for marketing purposes
  • But it may be bad for competition, because it further solidifies the card issuer as the entity that “owns the consumer”
  • That may ultimately lead to bad outcomes for privacy, because the decision might cause blowback–if the merchants are smart, they’ll go amend Song Beverly to allow even broader data collection, using the argument that big, bad credit card companies’ monopoly on consumer data is unfair to small businesses

And things may get even more interesting, because although one court has held that Song-Beverly does not apply to online transactions (Saulic v. Symantec Corp., 596 F.Supp.2d 1323 (C.D.Cal. Jan 05, 2009)), that decision is weakened by the reasoning of Pineda. The Saulic court focused upon the absence of the word “internet” in the relevant portion of Song-Beverly, which was added in 1990. It also was concerned that fraud problems that are intensified by distance selling require collection of personal information. The Pineda court, however, correctly recognizes that Song-Beverly is remedial, and should be interpreted broadly. It includes an exception for shipping, so your online purchases can be delivered.

What about fraud? Song-Beverly does allow a requirement for “positive identification,” “provided that none of the information contained thereon is written or recorded on the credit card transaction form or otherwise.” One could imagine a system where sellers of digital goods require consumers to provide addresses, but then delete them as soon as they are verified, which is possible with standard address verification systems. I don’t think it is a stretch to revisit Saulic and make it possible for consumers to buy digital goods online without having their addresses reused for marketing and other purposes.

Update: Pineda and the Law of the Jungle.

Comments to “My zip code is none of your business!”

  1. This is also old news. J.Crew has been sued over this so many times. They haven’t been allowed to ask for Zip Codes for five or six years now. Sucks for retailers though. I would always give a false zip code anyway.

  2. When a transaction takes place, face to face, the zip code is not required as the information is contained on the card and confirmed through the transaction process.

    If a merchant is accepting cards over the telephone or any other situation where the card is not present, the zip code is the most important piece of data for a merchant to get to avoid a downgrade on their processing rates. A merchant may ask for the zip code knowing that if they don’t they could face an additional percentage fee on that transaction (depending on their pricing structure).

    If a large retailer is asking for the zip code while the transaction is taking place at the point of sale, then, they are merely asking for additional information that may be used for marketing which, according to your article, is a no no.

    If, however, a consumer is making a transaction with their payment card over the phone or web, or even at the point of sale when the card will not work properly when swiped, the merchant may ask for the zip code as a security measure against a fraudulent card holder. If the zip code is not a match, the transaction may still go through, but the merchant will face a downgrade and get charged more by their processor.

    This is an interesting article. I just wanted to clarify that there are times that a merchant is justified in asking for the zip code on a payment card transaction.

  3. This is also old news. J.Crew has been sued over this so many times. They haven’t been allowed to ask for Zip Codes for five or six years now. Sucks for retailers though. I would always give a false zip code anyway.

  4. Some of this ruling and the regulations are nonsense. The only legal tender of exchange is US currency and coin.

    All other media is contractual. The US Constitution prohibits any state from passing any law interfering with the making or enforcement of contracts.

    If I offer for sale a five hundred dollar gold nugget and someone wishing to buy it offers to pay for it with US currency, and I verify that it is not counterfeit then I am obligated to accept it and the contract is complete. The value of the money is guaranteed by the US government and no other media is legal tender.

    Merchants are not required to accept any other method of payment. Therefore, it is the burden of the buyer to convince the seller, by whatever means necessary, to accept whatever they offer. It could be anything: pretty rocks, clamshells, checks, first born puppies, personal information, checks, credit cards…anything.
    The merchant or seller always has the right to refuse anything but cash.

    Merely visually checking the ID of the purchaser does not prove a credit card is valid or has not exceeded its limit or on a closed account. Any school child can buy, on the internet, blank counterfeit cards, and devices that will emboss and magnetically write data on credit cards. It’s easy; the instructions are on the internet. Not having a complete ID record could impede the enforcement of the contract and the recovery of the stolen property. In addition some card users later will call the credit card company and claim they didn’t make the purchase.

    The merchant needs to be able to recover its property or money. That’s the nature of a contract. Both sides need to have recourse if the contract is violated. That means that if the merchant feels the need, they have the right to require a method of enforcing the contract, be it a credit card exchange contract or a check contract and can require whatever information the merchant feels comfortable with. If the buyer doesn’t want to give that information then they need to come up with the cash or not make the purchase.
    In the case of Sonoma-Williams they were making and selling mailing lists. This is theft in that they were selling and profiting from something that does not belong to them. And in my opinion anybody selling and profiting this way is a criminal. Keeping a record of a transaction until the contract is fully completed is a requirement. Selling, sharing or using the information for anything other than enforcing the contract without the knowledge of the buyer is a violation of trust and should be illegal.

  5. Does the “or otherwise” part of the law include recording zip code data on a separate database from the credit card data (for example, zip code data on computer point of sale system, credit card data on a separate credit card terminal)? We collect zip code data from our customers for demographic purposes. It would be extremely difficult for us to correlate the two. What if the zip code data is requested prior to the start of the transaction–i.e. before the retailer could possibly know what kind of payment is going to be used? If the zip code data is collected prior to the start of the sale, is it considered part of the transaction?

    Not being able to determine where our customers come from would have a significant, negative impact on our small family business.

  6. Do you know if this is for card present (where the consumer is physically at the merchant’s location) and for card not present (when the consumer is over the phone, internet, or mail) transactions?