If California and Massachusetts are indicators, courts are ready and willing to regulate the type of data retailers can collect from consumers during transactions as well as what kinds of data constitute personally identifiable information (PII).
Retailers in those states and more than a dozen others risk repercussions ranging from fines to class-action lawsuits to attorney general enforcement actions for violating rules surrounding the collection and use of PII, though the rules differ from one jurisdiction to another.
|ZIP Code Legal Activity By State|
California -- AB 844, which would protect consumers making purchases online, was introduced in March. The bill “prohibits an operator of any commercial Internet website or online service that collects personal identifiable information (PII) for a credit card or debit card transaction from requiring anything other than a ZIP code to complete the transaction.”
In a 2011 case, a customer sued a retailer for violating the Song-Beverly Credit Card Act of 1971. The court found that requesting and recording a cardholder's ZIP Code, without more, violates the act.
Delaware -- A retailer may not ask consumers using credit cards to write down their address or telephone number or request that such information be written down unless the information is required for delivery or services. See Del. Code Ann., tit. 11, § 914.
Violation, if found, is a fine of up to $10,000 per each violation in addition to a cease-and-desist order of the practices as well as attorney and investigative fees.
Massachusetts -- In Tyler v. Michaels Stores, the court found that under Massachusetts’s law, a ZIP code qualifies as PII. Additionally, introduced 2013 Bill Text MA H.B. 1429 would include “debit cards“ in Mass. Gen. Laws, ch. 93, § 105.
Massachusetts law holds that a business entity cannot write or require that the cardholder write PII not required by the credit card issuer to complete the transaction. Such info may be requested for a delivery or services however. For checks, businesses may not request PII—and credit card numbers—outside of the information contained on a driver’s license or other ID and a telephone number as conditions of accepting the check.
Kansas -- No retailer, person, firm, association or corporation can write down or have a consumer write down his or her personal information as a requirement for a transaction. They also may not collect, record or ask for the consumer’s address or telephone number for a transaction, unless required for delivery, services or installation of the purchased goods. The definition of PII is not limited to address and telephone number however. See Kan. Stats. Ann., § 50-669a.
Rhode Island -- The retailer accepting a credit card for a transaction cannot collect any PII that is not required by the credit card company to complete transactions, unless the information is needed for delivery or service. A retailer may however ask for ID and record this information upon request. See R.I. Gen. Laws, § 6-13-16.
Maryland -- The retailer cannot collect any PII, including address, that is not needed to complete the transaction or if the information is not needed for delivery or service. However, the retailer may request an ID containing such PII for credit card authentication purposes. See Md. Code Ann., Com. Law§ 13-317.
Minnesota -- A retailer may not request the address or telephone number of a buyer unless it is necessary for the shipping, delivery, or installation of consumer goods or special orders of consumer goods or services. See Minn. Stat. § 325F.982.
Nevada -- The most lenient of the laws; businesses can record credit card info on a check—as long as they ask the consumer—as a condition of accepting the check. See Nev. Rev. Stat., § 597.940.
New Jersey -- Imbert v. Harmon Stores (Bed, Bath and Beyond) was decided in 2011 without any written decision, which implies settlement, but made it past the pleading stage unlike Feder v.Williams-Sonoma, which was dismissed for failure to state a claim.
Additionally, no PII can be required for credit card transaction and retailers cannot request information that the issuer of the credit card does not require for transaction completion. See N.J. Stat. § 56:11-17.
New York -- Includes debit cards. Extensive and prohibits retailers from having customers write down any credit card information—including number—especially if such paper is copyable unless it is necessary to complete the transaction. This extends to cash registers that print receipts and also includes gift cards/traveler’s checks/money orders.
Additionally, in January 2013, NY S.B. 1420 was introduced which would include the word “electronically” when discussing how customers transmit PII information and would include “e-mail” to the definition of PII as well as “cell phones” to the definition of telephone numbers. See NY CLS GEN BUS section § 520-a.
Ohio -- No person can record a credit card number for a transaction when a check or other monetary instrument is presented for the transaction unless it fulfills a legitimate business purpose including collection purposes. Additionally, no person can record the telephone or social security number when payment is made by check or card. See § 1349.17.
Pennsylvania -- Merchant may not collect or have the customer write down any PII information that is not required for the transaction or for shipping/delivery services. Retailers may also not require customers to produce, write down or record a credit card or credit card number for check transactions. However, such information maybe requested or recorded as a condition when the credit card issuer guarantees the check. Finally, this law does not prohibit a person from requesting a person to produce a credit card for id purposes. See § 2602.
—Elizabeth Albers, CIPP/US
Massachusetts law states businesses may not “write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.” Violations of the law are considered an “unfair and deceptive trade practice.”
The Massachusetts Supreme Judicial Court recently ruled in Tyler v. Michaels Stores that ZIP codes are covered under that law and considered personal information, allowing a class-action lawsuit that had previously been dismissed by a district court to proceed. The court’s ruling was significant in that it meant a plaintiff may bring an action for a privacy right violation under the state’s credit card statute even when the threat of identity theft does not exist.
“This is a very bad decision for retailers,” said Kent Sinclair of Stroz Friedberg. “It is going to allow, and has already started, to cause a number of retailers to be sued in the commonwealth of Massachusetts. Some would say it’s a good decision for privacy advocates and consumers but bad for retailers.”
David Gacioch of McDermott, Will & Emery says the ruling is a game-changer because it “significantly broadens the groups of potential plaintiffs and defendants—particularly given that the SJC left the door open to classifying additional things as sufficient harm in future cases,” he said.
Gacioch says the court’s decision may have implications for Attorney General enforcement actions, as the Attorney General is not required to show identifiable harm to a resident in order to bring an enforcement action seeking an injunction or monetary penalties.
At a recent IAPP KnowledgeNet in Boston, Sinclair said the Tyler v. Michaels case, for which he served as the defense attorney, raises a most important question for brands: To what use are you putting that data you’re collecting?
Companies should map the data they’re collecting from credit card transactions and any additional data and be sure whatever data is collected on an electronic credit card transaction form is not associated with any other kind of identifiable data.
The Massachusetts ruling differs slightly from a similar ruling in California, though both indicate a trend in classifying increasing categories of data as PII.
In 2011’s Pineda v. Williams Sonoma, the California Supreme Court held that ZIP codes are “personal identification information” under the Song-Beverly Credit Card Act, meaning retailers could not legally collect a ZIP code from a customer paying by credit card in order for the transaction to occur. The court decided the ruling applied retroactively, which incited a flurry of more than 200 class-action lawsuits.
But in the Massachusetts ruling, the court more narrowly said the credit card number could not be written on an electronic transaction form. It’s a small distinction, maybe, but legally, it has potentially significant implications.
“I think where a lot of disputes are going to go on is what is an electronic credit card transaction form,” Sinclair said.
But what does that mean for retailers? As those in Massachusetts and California change their practices, should other states follow suit proactively?
Mark Schreiber of Edwards Wildman said it’s hard to say.
“The law isn’t fixed in this area, and it goes back and forth on what is sufficient for standing, harm and class certification,” Schreiber said. “Just as the technology is in a state of development, so is the law, and it’s not a straight trajectory.”
Gacioch says while the ruling has no direct implication for companies outside of Massachusetts, they would be wise to check for similar laws within their jurisdictions.
Schreiber says one consequence of the case may be that class-representation issues “will still later be litigated, and they may not all go the plaintiffs’ way.”
Sinclair, who now works in digital risk management, said his peers in the legal community have begun to advise clients in Massachusetts to both prepare for litigation and to consider changing their data collection practices for marketing purposes. His company, Stroz Friedberg, is looking at ways it can help companies “with structuring the way they collect and maintain data in ways to increase the defensibility of their process and remediate for any problems that may exist now.”
He predicts ZIP codes won’t be the last type of data classified as PII; e-mail addresses may be next, for example.
“But I do think there’s a broader issue here,” he said. “That is, a willingness of the court to see marketing as something from which consumers need protection, and I think that’s one of the messages under this decision.”
An issue yet to be resolved from is that of online transactions. California has ruled that Song-Beverly does not apply to online purchases of electronically downloadable products; think Apple’s iTunes, for example. But Massachusetts hasn’t been specific.
“The California Supreme Court basically said, look, when Song-Beverly was passed, no one was even thinking about e-commerce involving electronically downloadable products and the unique fraud issues associated with it. This type of transaction just doesn’t fit, and we need to look at the balance the legislature tried to strike between consumer privacy and fraud prevention,” said Morrison Foerster’s Purvi Patel.
Patel said Massachusetts is in the same place California was before the California Supreme Court concluded electronically downloadable products were outside the scope of Song-Beverly. As was the case in California, there is the potential that Massachusetts could go either way, she said.
“In deciding the Massachusetts statute applies to electronic transaction forms, the Massachusetts Supreme Court said the statute broadly applies to all credit card transactions and contains no language limiting them to a paper form. Of course, the reality is that we use electronic transaction forms now. We don’t use paper forms anymore, and it’s possible Massachusetts courts could apply this rationale to online transactions,” she said. “But the conversation regarding online transactions hasn’t started yet in Massachusetts, though it’s likely just a matter of time before the issue is presented. There’s no guarantee that online wouldn’t be within the scope, but like California’s Song-Beverly, the Massachusetts statute predates the advent of e-commerce, so the arguments for excluding online transactions would be similar to what was marshaled in California.”
If you want to comment on this post, you need to login.