In the month’s time since the California Supreme Court decided that ZIP codes are personal information, 106 class-action lawsuits have been filed. That’s because the court asserted that the ruling, which reversed a 2008 Court of Appeals decision, would apply retroactively.

As attorney M. Scott Koller, CIPP, of McKennon Schindler wrote in The Privacy Advisor, the decision in Pineda v. Williams-Sonoma followed a class-action lawsuit filed by Jessica Pineda.

“In 2008, Pineda visited a Williams-Sonoma store in California and was asked to provide her ZIP code but was not informed of the purpose for which the data was collected. Later, Williams-Sonoma used the information Pineda provided to conduct a ‘reverse’ lookup and was able to determine Pineda’s mailing address by matching her zip code and name in a third-party database.  Williams-Sonoma later stored the information in their own database for direct marketing purposes,” Koller wrote.

Pineda’s suit alleged that such action violates California’s Song-Beverly Credit Card Act of 1971, which states that retailers may not collect and store personally identifiable information from cardholders in credit card transactions.

Williams-Sonoma requested that the court’s interpretation of the act apply only prospectively, as the company was operating under the provisions of the law at the time. But in its 7-0 ruling, the presiding justices wrote, “We are not persuaded. In our view, the statute provides constitutionally adequate notice of proscribed conduct,” adding that the court could identify “no reason that would justify a departure from the usual rule of retrospective application.”

Koller says given the court’s opinion, the flurry of class actions is not surprising.

“The court said, ‘look, if you’d read the statute you’d have known that ZIP codes are personally identifying information,’ so that was pretty much a signal to the plaintiff’s bar and class-action firms out there that it was going to be open season,” Koller said.

Linda Woolley of the Direct Marketing Association (DMA) called the court’s decision and its retroactive liability provision “very troubling.” The DMA, which represents more than 3,400 companies in the U.S. and 48 other nations, disagrees with the court that a ZIP code is personal information.”

“A ZIP code is pretty benign,” she said. “It doesn’t identify somebody individually. You don’t need a ZIP code to mail a letter.”

Woolley said the DMA has received “unbelievable amounts of feedback” from its members well outside of California’s borders.

“This has great implications for what marketers do in terms of data collection,” she said.

David McDowell, a partner at Morrison Foerster, said the court’s decision to apply the ruling retrospectively is an example of the court “not being particularly in touch with the reality of what their decision is going to mean,” resulting in the multitude of class-action suits filed within the last month.

McDowell said the Song-Beverly Act was passed in order to protect consumers from dumpster-diving criminals aiming for carbon copies of credit card slips, which often contained personally identifiable information--such as phone numbers, for example--in addition to the customer’s credit card number.

Twenty years later, fraud protection was built into credit card transactions involving providing personal information; to protect consumers against fraud, gas pumps and retailers, among others, began prompting customers for ZIP codes.

“The world changed pretty dramatically in those 20 years,” McDowell said.

Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams, says defining what constitutes personal information is the wrong approach.

There is no such thing as personal information vs. non-personal information anymore, not in a highly connected online world, Abrams said. Rather, there is information that is easily linkable to the individual, like a name and address together, or information that requires more work to link, like a ZIP code, Abrams said.

“The answer to this question is not to figure out what is technologically easy to link, because technology will increasingly make things easy to link,” Abrams said. “It’s about taking a different road based on a policy perspective. What do we promise never to link, and what are the sanctions around those promises?”

Ellen Giblin, CIPP, CIPP/C, CIPP/G, an attorney at Littler Mendelson, P.C., said she believes the court’s decision doesn’t extend beyond what’s reasonable in that it simply narrowly defines what constitutes an address. In the future, information collected by the retailer for authentication purposes should be “separate and distinct” to the customer from information collected for marketing purposes.

The Pineda v. Williams-Sonoma case illustrates a growing tension in the U.S., Abrams said, between a freedom to observe and make sense of what we observe—the hallmark of commercial data usage since credit reporting files were first computerized in the late 1960s—and a sense of seclusion that is highly valued in America but is diminishing.

It will be interesting to see what happens next, Koller said, who predicts that courts will likely take the suits’ retroactive nature into account when it comes to establishing compensation.

“I think we’re going to see some limitation in terms of the amount of damages on some of these companies,” he said, adding that the companies were relying on a Party City Corp. v. Superior Court decision in 2008, which said that a ZIP code does not constitute personally identifiable information.

Morrison and Foerster partner D. Reed Freeman, CIPP, said the number of class-action lawsuits indicates a sea change in the U.S.

“These cases leave corporate America with little doubt that the era of the privacy class action, which was largely dormant for the last decade, is back in full force. “

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»