IAPP-GDPR Web Banners-300x250-FINAL


In the month’s time since the California Supreme Court decided that ZIP codes are personal information, 106 class-action lawsuits have been filed. That’s because the court asserted that the ruling, which reversed a 2008 Court of Appeals decision, would apply retroactively.

As attorney M. Scott Koller, CIPP, of McKennon Schindler wrote in The Privacy Advisor, the decision in Pineda v. Williams-Sonoma followed a class-action lawsuit filed by Jessica Pineda.

“In 2008, Pineda visited a Williams-Sonoma store in California and was asked to provide her ZIP code but was not informed of the purpose for which the data was collected. Later, Williams-Sonoma used the information Pineda provided to conduct a ‘reverse’ lookup and was able to determine Pineda’s mailing address by matching her zip code and name in a third-party database.  Williams-Sonoma later stored the information in their own database for direct marketing purposes,” Koller wrote.

Pineda’s suit alleged that such action violates California’s Song-Beverly Credit Card Act of 1971, which states that retailers may not collect and store personally identifiable information from cardholders in credit card transactions.

Williams-Sonoma requested that the court’s interpretation of the act apply only prospectively, as the company was operating under the provisions of the law at the time. But in its 7-0 ruling, the presiding justices wrote, “We are not persuaded. In our view, the statute provides constitutionally adequate notice of proscribed conduct,” adding that the court could identify “no reason that would justify a departure from the usual rule of retrospective application.”

Koller says given the court’s opinion, the flurry of class actions is not surprising.

“The court said, ‘look, if you’d read the statute you’d have known that ZIP codes are personally identifying information,’ so that was pretty much a signal to the plaintiff’s bar and class-action firms out there that it was going to be open season,” Koller said.

Linda Woolley of the Direct Marketing Association (DMA) called the court’s decision and its retroactive liability provision “very troubling.” The DMA, which represents more than 3,400 companies in the U.S. and 48 other nations, disagrees with the court that a ZIP code is personal information.”

“A ZIP code is pretty benign,” she said. “It doesn’t identify somebody individually. You don’t need a ZIP code to mail a letter.”

Woolley said the DMA has received “unbelievable amounts of feedback” from its members well outside of California’s borders.

“This has great implications for what marketers do in terms of data collection,” she said.

David McDowell, a partner at Morrison Foerster, said the court’s decision to apply the ruling retrospectively is an example of the court “not being particularly in touch with the reality of what their decision is going to mean,” resulting in the multitude of class-action suits filed within the last month.

McDowell said the Song-Beverly Act was passed in order to protect consumers from dumpster-diving criminals aiming for carbon copies of credit card slips, which often contained personally identifiable information--such as phone numbers, for example--in addition to the customer’s credit card number.

Twenty years later, fraud protection was built into credit card transactions involving providing personal information; to protect consumers against fraud, gas pumps and retailers, among others, began prompting customers for ZIP codes.

“The world changed pretty dramatically in those 20 years,” McDowell said.

Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams, says defining what constitutes personal information is the wrong approach.

There is no such thing as personal information vs. non-personal information anymore, not in a highly connected online world, Abrams said. Rather, there is information that is easily linkable to the individual, like a name and address together, or information that requires more work to link, like a ZIP code, Abrams said.

“The answer to this question is not to figure out what is technologically easy to link, because technology will increasingly make things easy to link,” Abrams said. “It’s about taking a different road based on a policy perspective. What do we promise never to link, and what are the sanctions around those promises?”

Ellen Giblin, CIPP, CIPP/C, CIPP/G, an attorney at Littler Mendelson, P.C., said she believes the court’s decision doesn’t extend beyond what’s reasonable in that it simply narrowly defines what constitutes an address. In the future, information collected by the retailer for authentication purposes should be “separate and distinct” to the customer from information collected for marketing purposes.

The Pineda v. Williams-Sonoma case illustrates a growing tension in the U.S., Abrams said, between a freedom to observe and make sense of what we observe—the hallmark of commercial data usage since credit reporting files were first computerized in the late 1960s—and a sense of seclusion that is highly valued in America but is diminishing.

It will be interesting to see what happens next, Koller said, who predicts that courts will likely take the suits’ retroactive nature into account when it comes to establishing compensation.

“I think we’re going to see some limitation in terms of the amount of damages on some of these companies,” he said, adding that the companies were relying on a Party City Corp. v. Superior Court decision in 2008, which said that a ZIP code does not constitute personally identifiable information.

Morrison and Foerster partner D. Reed Freeman, CIPP, said the number of class-action lawsuits indicates a sea change in the U.S.

“These cases leave corporate America with little doubt that the era of the privacy class action, which was largely dormant for the last decade, is back in full force. “

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»