One of the more active areas of privacy-related litigation concerns Zone Improvement Plan codes, or “ZIP codes,” in use since 1963. Plaintiffs’ lawyers have filed a spate of actions alleging that merchants which ask customers to provide their ZIP codes when paying with a credit card violate state statutes designed to protect personal identification information. So far these lawsuits have been concentrated in California and Massachusetts where favorable precedent exists, but in June of this year the first such putative class action was filed in the District of Columbia against retailers Urban Outfitters, Inc. and Anthropologie, Inc. This test case could expand substantially privacy class action exposure for merchants in the District of Columbia. More broadly, the case has important implications for whether ZIP code litigation will spread to other jurisdictions with similar laws or is already near its high water mark
In their complaint, plaintiffs Whitney Hancock and Jamie White (“Plaintiffs”) allege that they each bought various items from Urban Outfitters and Anthropologie (collectively “Defendants”) using a credit card. During each purchase, Plaintiffs claim, the cashier swiped the card using a “credit-card-swipe machine” and then asked for a ZIP code. They provided their ZIP codes, which the cashier entered into the “point-of-sale register, not into the credit-card swipe machine.” Plaintiffs further allege that Defendants ask for and collect ZIP codes so they can obtain a customer’s address for their own commercial benefit. Plaintiffs cite an article from Forbes.com that explains that a retailer can use programs to match a customer’s ZIP code and name to a consumer database that provides a corresponding address. Plaintiffs, however, do not specifically allege that they received direct mailings or other marketing materials after they gave Defendants their ZIP codes.
Plaintiffs assert that Defendants’ conduct is “unlawful” under the District of Columbia Consumer Protection Act and § 47-3153 of the District of Columbia Code. This section provides that except for the shipment, delivery, installation, or special order of goods, “no person shall, as a condition of accepting a credit card as payment for a sale of goods or services, request or record the address or telephone number of a credit card holder on the credit card transaction form.” The statute gives persons “aggrieved” by violation of § 47-3153 a cause of action to recover statutory damages and obtain injunctive relief, attorneys’ fees, and costs. Pursuant to that provision, Plaintiffs ask the court to award $500 to each member of the putative class, along with attorneys’ fees and costs, and enjoin Defendants from requesting and collecting ZIP codes when a customer elects to pay with a credit card.
Defendants have filed a motion to dismiss the complaint pursuant to Federal Rules 12(b)(6) and 12(b)(1), asserting that Plaintiffs have failed to state a claim and have failed to adequately plead “injury in fact.”
The success of Plaintiffs’ claim depends on the court finding that, with respect to their transactions, a ZIP code falls within the ambit of an “address or telephone number.” While Defendants argue that the limited, plain meaning of the statute forecloses this interpretation, Plaintiffs respond that the statute is remedial in nature and cannot be construed so narrowly as to render its proscriptions meaningless.
Given the complete dearth of case law interpreting § 47-3153, Plaintiffs not surprisingly direct the court’s attention to favorable decisions in California and Massachusetts. In Pineda v. Williams-Sonoma Stores, Inc., the California Supreme Court held that “personal identification information,” which the applicable law defines as “including, but not limited to, the cardholder’s address and telephone number,” encompassed a cardholder’s ZIP code as well. The Court interpreted the word “address” to include the “components” of the address, not just the complete address. To hold otherwise, the court said, “would render the statute’s protections hollow,” since a business could ask for a customer’s street, city, and ZIP code, as long as it did not also ask for a house number. In Tyler v. Michaels Stores, the Massachusetts Supreme Judicial Court reached a similar conclusion about a similarly-worded statute. The Court determined that a ZIP code could qualify as “personal identification information,” because as alleged in the complaint, a ZIP code, when combined with the consumer’s name, gives the retailer enough information to identify the consumer’s address or telephone number. To find that ZIP codes do not qualify as personal identification information “would render hollow the statute’s explicit prohibition on the collection of customer addresses and telephone numbers,” the Court stated.
Plaintiffs in Hancock drafted their complaint with these cases in mind and make similar arguments in their briefing. As in Pineda, they explicitly allege that a “consumer’s ZIP code is part of his/her address.” And as in Tyler, they assert that with a customer name and ZIP code Defendants can ascertain a customer’s full address. Unfortunately for Defendants, the California Supreme Court’s recent decision in Apple, Inc. v. Superior Court, which narrowed Pineda and held that the state statute does not cover online purchases downloaded electronically, appears inapplicable to their brick-and-mortar operations.
But there are differences between the District of Columbia statute and the laws at issue in Pineda and Tyler, which Defendants emphasize distinguish these cases beyond jurisdictional difference. For example, whereas the California and Massachusetts statutes state that the definition of personal identification information includes but is “not limited to” the cardholder’s address and telephone number, § 47-3153 contains no such open-ended language. A retailer is only prohibited from requesting or recording “the address or telephone number” of a cardholder. Not surprisingly, Plaintiffs respond that a narrow, literal reading of § 47-3153 would eviscerate the statute just as much as the restrictive interpretations rejected in Pineda and Tyler, decisions that did not necessarily rely on the “not limited to” language to find that ZIP codes fell within the purview of the statutes.
If Plaintiffs are able to persuade the court that ZIP codes constitute consumer identification information under § 47-3153, which retailers cannot request or record in conjunction with a credit card transaction, there is still the question of injury. As Defendants point out Plaintiffs must still establish Article III standing to prosecute their action in federal court. They must allege an injury in fact that is concrete and actual or imminent, not conjectural or hypothetical, and fairly traceable to Defendants’ conduct. Moreover, only persons “aggrieved” by violations of § 47-3153 can maintain a cause of action under the District of Columbia’s law.
In the complaint, Plaintiffs cite three reasons why they are “aggrieved” by Defendants’ conduct: (1) Defendants asked for their ZIP codes when they paid for their purchases with a credit card; (2) Defendants’ storage of their identification information puts them “at risk of identity fraud”; and (3) Defendants invaded their statutorily protected privacy interest in their addresses. Unlike the plaintiff in Tyler, Plaintiffs do not claim that Defendants actually used their names and ZIP codes to obtain their addresses or send them unsolicited marketing materials. Whether these three allegations are sufficient to satisfy Article III standing and establish that Plaintiffs are “aggrieved” and can bring suit is another critical question. In this respect, Hancock resembles many other privacy cases in which the question whether plaintiff has suffered a cognizable harm is contested from the outset.
Hancock is the first suit of its kind in the District of Columbia and the first case to test the meaning of the District’s consumer identification information statute. How the case proceeds has important implications for the spread of class action litigation beyond California and Massachusetts. Other states — Kansas, New Jersey, and Rhode Island, to name a few — also have statutes that limit the type of information merchants can gather from consumers. Hancock may shed light on whether differences in statutory language are sufficient to derail class actions and whether the absence of any allegation that plaintiffs received unwanted marketing materials after divulging their ZIP codes undermines their claims. More immediately, retailers that operate in the District of Columbia should review their policies regarding collection and use of customer ZIP codes and assess their potential litigation exposure.