From CNN this surprising story:
California's high court ruled Thursday that retailers don't have the right to ask customers for their ZIP code while completing credit card transactions, saying that doing so violates a cardholders’ right to protect his or her personal information.
Many retailers in California and nationwide now ask people to give their ZIP code, punching in that information and recording it. Yet California Supreme Court's seven justices unanimously determined that this practice goes too far.
The ruling, penned by Justice Carlos Moreno, overrules earlier decisions by trial and appeals courts in California. It points to a 1971 state law that prohibits businesses from asking credit cardholders for “personal identification information” that could be used to track them down.
While a ZIP code isn't a full address, the court's judgment states that asking for it — and piecing that 5-digit number together with other information, like a cardholder's name — “would permit retailers to obtain indirectly what they are clearly prohibited from obtaining directly, (therefore) ‘end-running'” the intent of California state laws.
“The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction,” the decision states. “We hold that personal identification information … includes the cardholder's ZIP code.”
Bill Dombrowski, president of the California Retailers Association, said it is “ironic” that a practice aimed partly at protecting consumers from fraud is being taken away.
“We think it's a terrible decision because it dramatically expands what personal information is, by including a ZIP code as part of an address,” Dombrowski said. “We are surprised by it.”
The court decision applies only in California, though it reflects a practice that is increasingly common elsewhere. It does not specify how or if all businesses that take credit cards, such as gas stations, would be affected — though it does state that its objection is not over a retailer seeing a person's ZIP code, but rather recording and using it for marketing purposes.
The discussion began with a June 2008 class-action lawsuit filed initially by Jessica Pineda against home retailer Williams-Sonoma.
In her suit, Pineda claimed that a cashier had asked for her ZIP code during a purchase — information that was recorded and later used, along with her name, to figure out her home address. Williams-Sonoma did this tapping a database that it uses to market products to customers and sell its compiled consumer information to other businesses.
Pineda contended the practice of asking for ZIP codes violates a person's right to privacy, made illegal use of her personal information and gave a retailer, like Williams-Sonoma, an unfair competitive advantage.
Williams-Sonoma claimed that a ZIP code doesn't constitute “personal identification information,” as stated in the 1971 state law.
The state supreme court ruling, only addressing the “identification information” issue, determined that a ZIP code should be protected, since the law specifically mentions protecting a cardholder's address. The court concluded requesting a ZIP code is not much different than asking for a phone number or home address.
It is not illegal in California for a retailer to see a person's ZIP code or address, the ruling notes: For instance, one can request a customer's driver's license to verify his or her identity. What makes it wrong is when a business records that information, according to the ruling, especially when the practice is “unnecessary to the sales transaction.”
In reversing the Court of Appeals judgment, the supreme court remanded the case back to a lower court to order specific changes and policies “consistent with this decision.”
The important thing here is that the Court understood a very nuanced technical point: although the ZIP is not in itself personally identifying, when used with other information such as name, the ZIP becomes personally identifying. Understanding the privacy implications of such information combinations is key. I think there is much wisdom in the Court recognizing that this is a defining issue.
In terms of industry reaction, the notion that recording our ZIP protects us is totally ludicrous and shows to what extent we are in need of stronger privacy-protecting identity solutions like U-Prove. The logic of the California Retailers Association is pathetically convoluted – will someone please give these people a consultant for Christmas?
My thanks to Craig Wittenberg for the heads up on this story. He saw it as a sign that minimal disclosure laws already exist in the US…
That's an interesting idea. One way or the other, it is extremely important to get harmonization on this kind of question across business jurisdictions. Looking at cases like this one, I have a feeling harmonization might possibly take “quite a while” to achieve…