CA Supreme Court Sides with Consumers - Zip Codes ARE Private

I'll be honest with you...this is a gratifying victory. I say that not only because its rare that corporate interests lose much of anything anymore, and it can be even more rare when consumer privacy is actually protected, but because we (Consumer Federation of California) were actively engaged in this case.

First,  let's get to just what the heck I'm talking about. The case in question is Pineda v. Williams-Sonoma Stores Inc, and it involved the retailer’s practice of gathering California consumers’ zip codes when they use their credit cards. This retailer was charged with violating California’s credit card privacy law, which specifically prohibits retailers from gathering and retaining personally identifiable information – including the consumer’s address - from a customer using a credit card.

Consumers sued Williams Sonoma, alleging that the retailer retained the consumer’s name and zip code, and supplied this information to data aggregation brokers. The data aggregators reconstructed the consumer’s complete residential address, by searching their data bases of billions of bits of information they collect on all Americans. The retailer then used the comprehensive consumer contact information for marketing purposes, without the customer’s consent.

A lower court ruled that since thousands of people share the same zip code, it is not a unique consumer identifier. Therefore, this court ruled, the retailer had not violated California privacy law. The case was appealed to the State Supreme Court.

Consumer Federation of California and Privacy Rights Clearinghouse filed a friend of the court brief, urging the Supreme Court to overturn the lower court ruling.

Yesterday, the Supreme Court agreed with us, ruling that zip codes are indeed personal identifiers. The Supreme Court found that California law prohibits retailers from retaining this information from customers making purchases with credit cards. The Supreme Court reinstated the suit against Williams Sonoma.

Now, before I get to some of the Sacramento Bee article about the case and ruling, I want to be sure we're all clear on what we're talking about here.

As part of the transaction process, this housewares retailer requested Pineda’s zip code. Unbeknownst to Pineda, Williams-Sonoma used a process called “reverse appending” to find out her mailing address. The retail giant then sent Pineda catalogs and used the information it had collected for other business purposes.

Reverse appending is an industry practice that looks up a person’s name, mailing address, phone number and other personal information using very limited data, such as a zip code or email address. Reverse appending is done without the consumer’s knowledge or permission.

In other words, and in laymen terms, a ZIP code can be a powerful tool that retailers use to specifically identify their customers and obtain their home addresses under false pretenses. This private information is then stockpiled by the retailer – without the consumers’ knowledge - in massive databases which are used to market their products as well as sell that information to third party data brokers and other retailers so they can target you too.

Collecting and maintaining consumers’ personal identification information is a practice that can put the physical safety of consumers at risk and jeopardize consumers’ financial security due to identify theft and credit card fraud. It was in response to this danger and threat that the Legislature enacted an amendment to the Song Beverly Credit Card Act in 1990 to protect privacy rights guaranteed to consumers by Article 1, Section 1 of the California Constitution.

But retailers have been bypassing this law using advances in database technology that essentially can turn a name plus a zip code into a full address. See, retailers then argue that they WEREN'T in the wrong because a zip code isn't a personal identifier - yet that's EXACTLY WHAT THEY WERE USING THEM FOR!!

It's astounding they even had the temerity to argue this, when the original law was passed specifically to STOP retailers from compiling this information under false pretenses and violating consumer privacy while increasing the likelihood of identity theft and fraud - in addition to getting more unwanted mailings and phone calls.

The court did not address the practice of some retailers, who request consumer zip codes for the limited legitimate purpose of assuring that the credit card is not stolen. This is most common at gas stations or other situations where there is no sales clerk present - but in these instances the zip code data is not retained by the retailer.

As Beth Givens, founder of Privacy Rights Clearinghouse, a consumer education and advocacy group said, "The ruling is significant because it confirms that the definition of PII includes part of a person’s address; the zip code. In ruling in favor of the plaintiff, the Justices acknowledge advances in technology, in which the use of databases can turn a name plus a zip code into a full address.” 

All in all, this is an important victory for common sense will prevent big retail chains from turning a credit card into another avenue for violating our financial privacy.

To read what the Sacramento Bee had to say, click here.

And, if you want to delve into the dark side, read Forbes magazines passionate OPPOSITION to this common sense protection.