Zip Codes Are Private Info, Says Massachusetts Supreme Court

Michael Blann/Photodisc/Thinkstock

Zip codes are considered personal information when it comes to Massachusetts consumer privacy laws, the state Supreme Court ruled last week in a decision that could have national implications for large retail chains.

In Tyler v. Michaels Stores, the court unanimously agreed that “a zip code constitutes personal identification information” and therefore could not be solicited during credit card purchases unless the consumer volunteers to provide it, with the knowledge that it could be used for marketing purposes.

The suit came about when Melissa Tyler brought a class action against Michaels Stores for collecting her zip code as a matter of routine during a credit card transaction, as if the number were required to complete the purchase. The retailer then used her zip and name to figure out her address and send unsolicited junk mail to her house, she alleged, claiming the store’s action was in violation of state law banning the collection of personal information.

The law states that no company “that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.” Exceptions are made when the purchase needs to be shipped or the address is otherwise relevant to delivery of the product.

The lawsuit had originally been filed in federal court, where judges decided that the plaintiff was not a victim of fraud so she had no grounds to sue. However, in lieu of dismissing the case the court sent it over to the state Supreme Court to decide if zip codes count as personal information under the law, and whether an invasion of privacy through unwanted marketing solicitation was enough to bring a suit in the absence of fraud.

The state court ruled that zip codes do count, and that a breach of privacy in and of itself is grounds for litigation. “We are persuaded that the principal purpose of [the consumer protection law] is to guard consumer privacy in credit card transactions,” the opinion states, “not to protect against credit card identity fraud.”

Zippity Doo Dah

Attorney Cynthia J. Larose

Different states have their own versions of privacy laws, and Massachusetts appears to be only the second after California to explicitly include zip codes as personal information. Nevertheless, the inclusion could be enough for national retailers seeking uniformity to change their policies in stores across the country.

“I think the reality of it is going to be that retailers will need to start rethinking information collection policies and whether or not it’s a good risk to continue to request zip information at checkout,” says Cynthia J. Larose, chair of the Privacy and Security Practice of firm Mintz Levin. “Or they could decide to post some sort of notice at the registers, that zip codes not required and may be used for marketing purposes.”

The Massachusetts statute provides only $25 per person per violation, whereas California plaintiffs can seek as much as $1,000. However, even at $25 a pop, a large class that could comprise of tens of thousands of retail customers could mean significant financial penalties against a company that doesn’t comply with the privacy rule.

“It seems to be clear that the court wanted to emphasize that this particular law is specifically a consumer protection law,” Larose says. “It wanted to make sure consumers are protected from all forms of unwanted marketing and unwanted contact from marketers.”