In the month’s time since the California Supreme Court decided that ZIP codes are personal information, 106 class-action lawsuits have been filed. That’s because the court asserted that the ruling, which reversed a 2008 Court of Appeals decision, would apply retroactively.
As attorney M. Scott Koller, CIPP, of McKennon Schindler wrote in The Privacy Advisor, the decision in Pineda v. Williams-Sonoma followed a class-action lawsuit filed by Jessica Pineda.
“In 2008, Pineda visited a Williams-Sonoma store in California and was asked to provide her ZIP code but was not informed of the purpose for which the data was collected. Later, Williams-Sonoma used the information Pineda provided to conduct a ‘reverse’ lookup and was able to determine Pineda’s mailing address by matching her zip code and name in a third-party database. Williams-Sonoma later stored the information in their own database for direct marketing purposes,” Koller wrote.
Pineda’s suit alleged that such action violates California’s Song-Beverly Credit Card Act of 1971, which states that retailers may not collect and store personally identifiable information from cardholders in credit card transactions.
Williams-Sonoma requested that the court’s interpretation of the act apply only prospectively, as the company was operating under the provisions of the law at the time. But in its 7-0 ruling, the presiding justices wrote, “We are not persuaded. In our view, the statute provides constitutionally adequate notice of proscribed conduct,” adding that the court could identify “no reason that would justify a departure from the usual rule of retrospective application.”
Koller says given the court’s opinion, the flurry of class actions is not surprising.
“The court said, ‘look, if you’d read the statute you’d have known that ZIP codes are personally identifying information,’ so that was pretty much a signal to the plaintiff’s bar and class-action firms out there that it was going to be open season,” Koller said.
Linda Woolley of the Direct Marketing Association (DMA) called the court’s decision and its retroactive liability provision “very troubling.” The DMA, which represents more than 3,400 companies in the U.S. and 48 other nations, disagrees with the court that a ZIP code is personal information.”
“A ZIP code is pretty benign,” she said. “It doesn’t identify somebody individually. You don’t need a ZIP code to mail a letter.”
Woolley said the DMA has received “unbelievable amounts of feedback” from its members well outside of California’s borders.
“This has great implications for what marketers do in terms of data collection,” she said.
David McDowell, a partner at Morrison Foerster, said the court’s decision to apply the ruling retrospectively is an example of the court “not being particularly in touch with the reality of what their decision is going to mean,” resulting in the multitude of class-action suits filed within the last month.
McDowell said the Song-Beverly Act was passed in order to protect consumers from dumpster-diving criminals aiming for carbon copies of credit card slips, which often contained personally identifiable information--such as phone numbers, for example--in addition to the customer’s credit card number.
Twenty years later, fraud protection was built into credit card transactions involving providing personal information; to protect consumers against fraud, gas pumps and retailers, among others, began prompting customers for ZIP codes.
“The world changed pretty dramatically in those 20 years,” McDowell said.
Martin Abrams, executive director of the Center for Information Policy Leadership at Hunton & Williams, says defining what constitutes personal information is the wrong approach.
There is no such thing as personal information vs. non-personal information anymore, not in a highly connected online world, Abrams said. Rather, there is information that is easily linkable to the individual, like a name and address together, or information that requires more work to link, like a ZIP code, Abrams said.
“The answer to this question is not to figure out what is technologically easy to link, because technology will increasingly make things easy to link,” Abrams said. “It’s about taking a different road based on a policy perspective. What do we promise never to link, and what are the sanctions around those promises?”
Ellen Giblin, CIPP, CIPP/C, CIPP/G, an attorney at Littler Mendelson, P.C., said she believes the court’s decision doesn’t extend beyond what’s reasonable in that it simply narrowly defines what constitutes an address. In the future, information collected by the retailer for authentication purposes should be “separate and distinct” to the customer from information collected for marketing purposes.
The Pineda v. Williams-Sonoma case illustrates a growing tension in the U.S., Abrams said, between a freedom to observe and make sense of what we observe—the hallmark of commercial data usage since credit reporting files were first computerized in the late 1960s—and a sense of seclusion that is highly valued in America but is diminishing.
It will be interesting to see what happens next, Koller said, who predicts that courts will likely take the suits’ retroactive nature into account when it comes to establishing compensation.
“I think we’re going to see some limitation in terms of the amount of damages on some of these companies,” he said, adding that the companies were relying on a Party City Corp. v. Superior Court decision in 2008, which said that a ZIP code does not constitute personally identifiable information.
Morrison and Foerster partner D. Reed Freeman, CIPP, said the number of class-action lawsuits indicates a sea change in the U.S.
“These cases leave corporate America with little doubt that the era of the privacy class action, which was largely dormant for the last decade, is back in full force. “