You are here

California Stiffens Credit Card Privacy Laws

Published February 23, 2011

SAN FRANCISCO, CA (BRAIN)—Bike shops in California should be wary of asking a customer for their ZIP code when processing a credit card transaction as that may cost them up to $1,000 per transaction, plus attorney’s fees and other liabilities.

The Supreme Court of California issued a decision on Feb. 10, in Pineda v. Williams-Sonoma Stores, holding that a consumer’s ZIP code constitutes “personal identification information” under the Song-Beverly Credit Card Act of 1971, and that requesting or recording a consumer’s ZIP code or other personal data during face-to-face credit card purchase transactions in California will subject retailers to potential litigation.

“This is something a lot of retailers need to know about,” said Paul Rosenlund of Duane Morris LLP, a law firm with four offices in California, which recently represented a major bicycle retailer in settling a class action lawsuit under this law. “This affects virtually everybody selling anything in California.”

Rosenlund has represented bicycle manufacturers and several larger bike shops in legal matters involving consumer law claims, product liability and CPSC compliance.

Rosenlund said the same plaintiff’s attorneys who handled the Williams-Sonoma case filed the recent suit against the bike shop, which he declined to name.

“It was a retailer that had a routine policy of gathering information from its customers and asking them if it was acceptable to get this information because they wanted to send them materials on sales and special deals,” Rosenlund said. “Up until now, courts had been holding that simply asking for a customer’s ZIP code and nothing more didn’t violate the law. With the new decision, that is no longer legal for credit card transactions.”

Retailers often request ZIP codes, addresses, phone numbers, email addresses or other information from customers to gather statistical data about where their customers come from and to develop mailing lists. But in California, this practice is unlawful when a customer pays with a credit card; it doesn’t apply with other forms of payment such as a debit card, gift card or cash. It also doesn’t apply to credit card transactions over the phone, Internet or mailorder.

Rosenlund said credit card privacy suits typically are not covered by a retailer’s insurance because they do not involve bodily injury, and they can pose a risk to any business that accepts credit cards.

“A small number of law firms has been suing retailers up and down the state for several years under this statute, but the plaintiffs hit a home run with this new ruling, and the incidence of litigation could increase dramatically,” Rosenlund said.

While cases end up settling for a lot less than $1,000 per transaction, Rosenlund said the bigger cost for retailers comes from attorney’s fees, which is common with class action lawsuits. “But if you count the number of transactions that even a small or mid-size retailer processes in any given time, the potential numbers can get huge,” he said.

Large chain retailers are the most likely target for these lawsuits, but there is no exemption for small businesses. Rosenlund said new class action complaints were recently filed against Macy’s, Target, The Gap, Toys R Us, Trader Joe’s and TJ Maxx in San Francisco.

—Lynette Carpiet

Join the Conversation