ZIP Code Is Protected Personal Information
An individual’s ZIP code is personally identifiable information that cannot be recorded and kept by California retailers as part of a credit card transaction, the California Supreme Court ruled.
Under California law, it is illegal for a business to request “personal identification information” during a credit card transaction and keep it. Among the examples of what cannot be requested are “the cardholder’s address and telephone number.”
Plaintiff made a purchase at a Williams-Sonoma store. She was asked to supply her ZIP code, which was then placed in the company’s data base. The company later used customized software to perform reverse searches from databases that contain millions of names, email addresses, telephone numbers, and street addresses. The software matched plaintiff’s name and ZIP code with her previously undisclosed address, giving the company her information. The company now maintains her information in its database to market products to customers and to sell to other businesses.
The trial court found that recording the ZIP code was not “personal identification information” under the statute and dismissed the case. The appellate court agreed, but the Supreme Court reversed.
The Supreme Court found that the “outcome of this case hinges on whether a cardholder’s ZIP code, without more, constitutes personal identification information” under the statute. “We hold it does.”
The court first found that a ZIP code is part of an address, which is protected from disclosure. “Otherwise, a business could ask not just for a cardholder’s ZIP code, but also for the cardholder’s street and city in addition to the ZIP code, so long as it did not ask for the house number. Such a construction would render the statute’s protections hollow. Thus, the word ‘address’ in the statute should be construed as encompassing not only a complete address, but also its components.”
The Supreme Court also found that by allowing a party to obtain and record a ZIP code, it “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, ‘end-running’ the statute’s clear purpose. This is so because information that can be permissibly obtained under the Court of Appeal’s construction could easily be used to locate the cardholder’s complete address or telephone number. Such an interpretation would vitiate the statute’s effectiveness.”
Jessica Pineda v. Williams-Sonoma Stores, Inc., Calif. Supreme Court No. S178241, filed February 10, 2011.