United States

ZIP code data collection suits: A growing litigation trend


February 2014 marked the three-year anniversary of the California Supreme Court opening the doors to class-action litigation against retailers for alleged collection of consumers’ ZIP codes in connection with credit card transactions.

The highest courts in California and Massachusetts have rendered decisions as to the scope and breadth of their respective states’ law, in both cases broadly construing their statutes to say that collection and/or recording of ZIP codes was prohibited in these circumstances. These decisions have led to some 200 putative class action lawsuits (roughly 150 in California and nearly 40 in Massachusetts). Interestingly, a District of Columbia (D.C.) federal court recently dismissed a similar suit alleging violation of a narrower D.C. statute, holding that  a ZIP code is not itself an address. 

Sixteen states and the District of Columbia have laws that restrict merchant collection of personal identification information (PII) at the point of sale (POS) in conjunction with a credit card sales transaction, and it is necessary to appreciate these state differences when developing strategies. These disparate laws and court rulings highlight the variety of what may be required for compliance with specific state POS requirements.   

California: Where it all started

In February 2011, the California Supreme Court decided Pineda v. Williams-Sonoma, Inc.[i]  At issue in Pineda was the scope of California’s Song-Beverly Credit Card Act (Song -Beverly)[ii]  which prohibited, among other practices, retailers’ conditioning the acceptance of credit cards at the point of sale on customers’ provision of PII. Asked whether a customer’s ZIP code, by itself, is PII under Song-Beverly, the California Supreme Court answered in the affirmative. It reasoned that the plaintiff’s full address is undoubtedly PII, and because her ZIP code is a part of her address, the statute must necessarily forbid the piecemeal collection of PII components. Because Song-Beverly’s protective purpose would otherwise be defeated by permitting piecemeal acquisition of parts of PII, a retailer’s requirement of a ZIP code, without more, was a violation of Song-Beverly (See Edwards Wildman Client Advisory).     

From the resulting cases in California is an emerging set of statutory and court-made rules for California retailers, including exceptions or exemptions for self-service gas pumps, return transactions, online purchases of downloadable products, certain store loyalty programs and collection of PII after a receipt.        

Massachusetts follows suit

In March 2013, the Massachusetts Supreme Judicial Court (SJC) rendered a similarly plaintiff-friendly outcome in Tyler v. Michaels Stores, Inc.[iii]  In Tyler, the plaintiff on behalf of herself and a class of similarly  situated customers brought suit in federal court, alleging that Michaels violated a Massachusetts consumer privacy statute.[iv] Plaintiffs also asserted that Michaels thereby violated the Massachusetts unfair business practices statute.[v]  The federal court certified three questions to the SJC, each of which the SJC answered in the affirmative: (i) a ZIP code can be PII, the collection and recording of which the law prohibited; (ii) a plaintiff need not be the victim of identity fraud in order to bring suit (receipt of unwanted mail from the merchant would be sufficient); and (iii) a violation may be premised on recording of PII on an electronic credit card transaction form. Within months of the Tyler decision, plaintiffs filed dozens of suits in Massachusetts state and federal courts alleging improper collection and recording of ZIP codes. See Edwards Wildman Client Advisory.       

D.C.: Does the buck stop here?

In March 2014, bucking the seeming trend established by the California and Massachusetts high courts, a District of Columbia federal court dismissed a putative class action for alleged violation of two D.C. laws concerning ZIP code collection in connection with credit card transactions. The D.C. statutes prohibited, respectively, (i) requesting and recording customers’ address or phone number on the credit transaction form as a condition of accepting credit cards[vi] and (ii) making false representations to consumers[vii].    Though acknowledging the differing results in Pineda and Tyler, the court in Hancock v. Urban Outfitters[viii] dismissed plaintiffs’ claims because (i) the absence of any representation that customers’ provision of PII was a condition of completing the credit transaction; (ii) a ZIP code is merely a component of an address and is not itself an address; and (iii) the transaction was complete upon the retail associate swiping the credit card, thus any request for information after that could not have been a condition of accepting a credit card for payment. See Edwards Wildman Client Alert.       


Each of the seventeen different PII collection statutes has distinct language, some untested.  As demonstrated by the Hancock case from the D.C. federal court, even similarly worded statutes may be interpreted differently. Accordingly, a variety of potential defenses need to be considered in different states regarding these cases.

[i] 51 Cal. 4th 524 (2011).

[ii] CA Civ. Code § 1747, et seq.

[iii] 464 Mass. 492 (2013).

[iv]G.L. c. 93, § 105(a).

[v] G.L. c. 93A.

[vi] D.C. Code §§ 47-3151, et seq.

[vii] D.C. Code §§ 28-3901 et seq.

[viii]2014 U.S. Dist. Lexis 33324, C.A. No. 13-939 (BAH) (March 14, 2014).

How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.