A recent decision by Massachusetts’ highest court, Tyler v. Michaels Stores, should cause retailers operating in Massachusetts to carefully review their policies on information collection during credit card transactions. The Court interpreted key provisions of the Massachusetts’ consumer privacy statute limiting what “personal identification information” may be collected during a credit card transaction, and concluded, among other things, that a consumer’s ZIP code is “personal identification information” under that statute — which means retailers that collect ZIP codes during credit card transactions may be violating Massachusetts law.
The relevant statute — MGL Ch. 93, § 105(a) (“Section 105(a)”) — prohibits merchants that accept credit cards from writing personal identification information on a credit card transaction form, unless it is either required by the credit card issuer or requested by the business because it is necessary for shipping, delivery, installation or warranty purposes and is provided voluntarily by the consumer. While the statute does not define “personal identification information,” it cites a card holder’s address and telephone number as two specific examples of personal identification information that may not be included on a credit card transaction form. Violations of Section 105(a) are deemed to be an unfair or deceptive business practice under Massachusetts law, and the statute provides that claims may be brought under the Massachusetts consumer protection statute — Chapter 93A — to enforce Section 105.
In 2011, Plaintiff Melissa Tyler brought a class action complaint against Michaels Stores, Inc., a retail arts and crafts chain, in federal district court in Massachusetts. The plaintiff alleged that Michaels regularly asked customers to provide their ZIP codes when making credit card purchases on the store’s computerized check-out registers, and that she and other credit card users at Michaels provided their ZIP codes under the mistaken impression that the ZIP code was required to complete the credit card transaction. The plaintiff further alleged that Michaels later used ZIP codes in combination with other publicly available databases to locate customers’ addresses and telephone numbers in order to send them unsolicited and unwanted marketing materials.
After initially dismissing the plaintiff’s complaint for failure to allege a cognizable injury, the federal court certified the following three questions to the Massachusetts Supreme Judicial Court:
(1) Is a zip code “personal identification information” under Section 105(a)?
(2) Can a plaintiff sue for a privacy right violation under Section 105(a) absent identity fraud?
(3) Does the term “credit card transaction form” in Section 105(a) refer equally to an electronic or a paper transaction form?
Under Section 105(a), ZIP Codes Are PII
In a unanimous opinion, the Court addressed each question. First, the Court concluded that a consumer’s ZIP code constitutes “personal identification information” under Section 105(a). Because a ZIP code in combination with a consumer’s name may allow a merchant to find that consumer’s address and telephone number (which Section 105(a) explicitly identifies as personal identification information), the Court said that any contrary conclusion would render the statute “hollow” and undermine the statute’s purpose of consumer protection.
Second, the Court concluded that an allegation of identity fraud is not a prerequisite to a Section 105(a) claim. Looking to the legislative history of Section 105(a), the Court found that it was intended not only to prevent identity theft, but primarily to safeguard consumer privacy, and that nothing in the statute specifically requires that an individual suffer identify fraud to bring a claim.
Third, the Court interpreted the phrase “credit card transaction form” referenced in Section 105(a) to include electronic as well as paper transaction forms. The Court found nothing in the statute limiting its applicability to paper forms, and that to read it so narrowly would undermine the statute’s purpose and render it “essentially obsolete” in a world where paper transactions are rapidly vanishing.
Under Chapter 93A, Injury Must Be Alleged
The Court also addressed the issue of what injury must be alleged to state a Section 105(a)-related claim under the Massachusetts consumer protection statute, Chapter 93A. The Court concluded that “a plaintiff bringing an action for damages under [Chapter 93A] must allege and ultimately prove that she has, as a result, suffered a distinct injury or harm that arises from the claimed unfair or deceptive act itself.” Therefore, while a violation of Section 105(a), in and of itself, is not sufficient to maintain suit under Chapter 93A, the Court suggested at least two types of “distinct injury or harm” that could give rise to a cognizable 93A claim: (i) actual receipt by a consumer of unwanted marketing materials (which was alleged by the plaintiff here); and (ii) a merchant selling a customer’s personal identification information — or the data obtained from that information — to a third party.
Implications for Retailers
As a result of Michaels Stores, retailers should carefully review the types of information they collect during credit card transactions. While, given the case’s facts, such review should include whether ZIP codes are collected, retailers should also assess whether other information they currently collect might be considered personal identification information under Section 105(a) using the Court’s test: Does such information, when combined with a customer’s name, allow the retailer to determine the customer’s address and/or phone number?
This is not just a Massachusetts issue. Courts in other jurisdictions are looking more closely at information collected during credit card transactions. In February 2011, the California Supreme Court ruled that ZIP codes qualify as personal identification information under a California consumer protection statute that is similar to Section 105(a).1
Given these trends, retailers must monitor evolving legal standards to keep their data collection policies in compliance and to avoid liability.
 Pineda v. Williams-Sonoma, 51 Cal. 4th 524 (Cal. 2011).