Privacy & Information Security Law Blog

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Chapter 93, Section 105(a) (“Section 105(a)”). Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

As we reported in October 2011, New Jersey courts also addressed this issue and provided conflicting rulings as to whether ZIP codes are considered personal information. We also previously reported on the California decision in Pineda v. Williams-Sonoma Stores, Inc., in which California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act.

According to the Massachusetts court, a ZIP code constitutes personal identification information in a credit card transaction because, “[t]he ZIP code may be used (in conjunction with other data) to identify a specific individual...[i]n this way, the input of a ZIP code during a credit card transaction is the equivalent to the input of a Personal Identification Number...in a debit card transaction.” The court explicitly distinguished its reasoning from that of the California Supreme Court in Pineda, noting that the legislative history of Section 105(a) indicates that it was intended to be narrower in scope than the California law because Massachusetts legislature was concerned about preventing fraud, not about merchants attempting to locate their customers addresses.

The district court also held that Michaels’ practice of entering the plaintiff’s ZIP code, combined with her credit card number and name, into an electronic card terminal, violated Section 105(a)’s prohibition on “[writing] personal identification information...on the credit card transaction form.”

Although the court found that the plaintiff had sufficiently alleged a cause of action under Section 105(a), it ultimately dismissed her complaint in its entirety because she failed to demonstrate a causal connection between Michaels’ “deceptive act” and any cognizable injury.