Well-Crafted PII Capture Policies Remain Important For Retailers

Many retailers will recall the barrage of cases filed in California and Massachusetts from 2011–2013 relating to the collection of consumers’ ZIP codes as part of in-store credit card transactions. The California cases were brought under the Song-Beverly Credit Card Act of 1971 (the “Act”) following the California Supreme Court’s decision in Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011), in which it held that ZIP codes constitute personally identifiable information (PII). Though activity in this area has garnered less attention in recent years, some California plaintiffs continue to file putative class actions alleging that retailers’ ZIP code capture policies and practices violate their rights under the Act. See Doan v. Cort Furniture Rental Corp., No. 30-2017-00904345-XX-XX-CXC (Orange Cty. Sup. Ct.); Le v. LA Furniture, No. BC645110 (Los Angeles Cty. Sup. Ct.); Yeheskel v. Brighton Collectibles, LLC, 56-2016-00489019-CU-BT-VTA (Ventura Cty. Sup. Ct.); Hasselbring v. Room & Board Inc., No. 30-2016-00853813-CU-BT-CXC (Orange Cty. Sup. Ct.).

With this litigation climate in mind, and considering the present-day common practice of requesting customers’ ZIP codes—and email addresses—at the point of sale, retailers with a presence in California should continue to implement safeguards to ensure compliance.

Background and Legal Framework of the Song-Beverly Act

Designed to promote consumer protection, the Act regulates “credit card practices by prescribing procedures for billing, billing errors, dissemination of false credit information, issuance and unauthorized use of credit cards.” Pineda, 51 Cal. 4th at 538–39 (internal quotation marks and citation omitted). The Act is intended to be remedial, and courts construe its terms liberally to achieve the objective of protecting consumers, “which includes addressing ‘the misuse of personal identification information for, inter alia, marketing purposes.’” Pineda, 51 Cal. 4th at 532 (quoting Absher v. AutoZone, Inc., 164 Cal. App. 4th 332, 345 (2008)).

In 1990, the California legislature amended the Act to include protections for PII in cardholder transactions. Specifically, California Civil Code, Section 1747.08 prohibits entities that accept credit cards from requesting PII from a customer at the time of a transaction, and then recording that PII. Cal. Civ. Code § 1747.08(a) (“[N]o person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall . . . (2) [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide [PII], which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.”).¹

The Act defines PII as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Cal. Civ. Code § 1747.08(b). Significantly, in 2011, the California Supreme Court held that ZIP codes constitute PII for purposes of the Act. See Pineda, 51 Cal. 4th at 534. This decision opened the door for numerous lawsuits against retailers. In addition to asserting claims regarding retailers’ requests for ZIP code information at the point of sale, consumers have also alleged violations of the Act in connection with retailers’ requests for their telephone numbers, driver license numbers and, more recently, email addresses.

The plaintiffs class action bar took notice of Pineda and began investing in this area, seeking to leverage the class action device and the statutory damages provision. The Act provides for civil penalties of up to $250 for a first violation and $1,000 for each subsequent violation with no cap on aggregate damages.²

Guidelines for Compliant PII Requests

While the Act guards against the misuse of consumers’ information, it does not impose an absolute prohibition on requesting PII. What matters is “whether a consumer would perceive the store’s ‘request’ for information as a ‘condition’ of the use of a credit card.” Florez v. Linens ‘N Things, Inc., 108 Cal. App. 4th 447, 451 (2003). Thus, a violation of the Act only occurs where the business requests the PII “under circumstances in which the customer could reasonably understand that the [PII] was required to process the . . . transaction.” Harrold v. Levi Strauss & Co., 236 Cal. App. 4th 1259, 1268 (1st Dist. 2015). A request for the PII is improper if it is structured to appear like a condition of making a credit card purchase.

Importantly, the Act provides a complete defense to a retailer who can show that (i) the violation is the result of a bona fide error; and (ii) the retailer maintains procedures designed to avoid such an error. See Cal. Civ. Code § 1747.08(e). Therefore, retailers who craft policies designed to avoid customers’ perceptions that PII requests are mandatory will have a strong defense against consumer suits for violations of the Act. For example, in Harrold v. Levi Strauss & Co., California’s 1st District Court of Appeals explained that if the ZIP code, e-mail address or other PII is requested following the transaction, a customer could not reasonably believe that the provision of this information was a prerequisite to making a credit card payment. Harrold, 236 Cal. App. 4th at 1268.

The Southern District of California provided helpful guidance in Yeoman v. Ikea U.S.A. West, Inc., No. 11-0701, 2014 WL 7176401 (S.D. Cal. Dec. 4, 2014), vacated and remanded sub nom. Medellin v. IKEA U.S.A. W., Inc., No. 15-55174, 2017 WL 128112 (9th Cir. Jan. 13, 2017) (reversing and remanding on Article III standing grounds under Spokeo), by finding that a policy requiring cashiers to inform customers that they were requesting ZIP codes on a voluntary basis in order to determine where to build new stores did not violate the Act. Because the retailer in Yeoman maintained a clear policy specifically designed to avoid violations of the Act, the plaintiff could not show that it had violated it with respect to each member of the putative class. Yeoman, 2014 WL 7176401, at *6.

Crafting a PII-capture policy that is compliant with the Act remains important and, in an environment where everyday shoppers are aspiring class action plaintiffs, it will reduce litigation risk. To ensure compliance with the Act, retailers should implement practices such as waiting under after a credit card transaction is complete before requesting a customer’s PII, requesting PII at locations other than at the point-of-sale during the shopping experience or disclosing to customers that the provision of PII is not required as a condition of payment.

Regardless of the method, a well-designed procedure will train sales associates to make clear that the disclosure of PII is voluntary and give customers an opportunity to decline.