Collecting Zip Codes a Privacy Violation?

On March 11, 2013, Massachusetts’ high court ruled that consumers whose ZIP codes are retained by retailers in the state are able to sue for a violation of state privacy law. This decision was announced by the Massachusetts Supreme Judicial Court and paves the way for a possible class action against Michaels Stores. The court ruled in response to certified questions by a federal judge considering the consumer law suit.


According to the suit, Michaels used ZIP code information to look up customers’ phone numbers and addresses in order to send them marketing materials. State law prohibits companies from requesting personal information from customers, unless it is necessary for shipping, or if it is required under the credit card agreement.

A customer filed a class-action lawsuit against Michaels in 2011, after cashiers asked for her ZIP code at the Everett store. The plaintiff, Melissa Tyler, began receiving unsolicited phone and mail pitches from the Irving, Texas-based Michaels.

“Data mining is one of the more pernicious practices in which retailers engage, and retailers like Michaels use whatever means necessary to collect customer data so that they can better market their wares,” wrote Tyler’s attorney, Greg Blankenship, in the complaint.

Although the law does not mention XIP codes specifically, the Supreme Judicial Court ruled that a ZIP code can be considered “personal identification information” under the law, and a plaintiff may sue for a violation of the statute absent identity fraud.

In the ruling, the court also said that the Legislature’s intent when updating the law in 1991 was to protect credit card users from becoming recipients of unwanted solicitations from merchants. Michaels Stores’ attorneys argued that the law was intended to prevent identity theft.

Massachusetts General Law, Section 105(a) provides:

“No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal information shall include, but shall not be limited to, a credit card holder’s address or telephone number.”

The court ruled that Tyler was entitled to minimum damages of $25 for violation of privacy. The collection of ZIP codes was ultimately deemed to be an unfair trade practice, under the state’s Unfair Trade Practices Act, which provides damages of $25 per class member, to be tripled if the defendant’s conduct is egregious. The suit seeks to triple the damages, based on Michaels’ alleged deception in collecting ZIP codes under the pretext of needing to verify the cardholder’s identity.

According to Deirdre Cummings, the legislative director for the consumer group MassPIRG, “It’s a good, strong finding for consumers. It’s right on the mark.”

ZIP Codes in California

In a similar case last year, the California Supreme Court ruled that Williams-Sonoma had violated state law by asking customers for their zip codes at the checkout counter. The decision was the first to find the collection of ZIP codes illegal under California’s Song-Beverly Credit Card Act of 1971, which prohibits retailers from recording customers’ personal identification information (PII) during credit card transactions and imposes a $1,000 fine per violation.

The decision set of a series of complaints against retailers in California, with over 150 lawsuits filed against department store chains, including Wal-Mart, Target and Bed Bath & Beyond.

California’s Supreme Court decision to argue that a consumer’s zip code constitutes PII that’s off limits to merchants was actually cited in the Massachusetts case. “Like crows collecting shiny bits of silver to line their nests, retailers like Michaels use whatever means necessary to collect customer data so that they can better market their wares,” wrote Blankenship.


This article looks at class action law suits in Massachusetts and California. Plaintiffs’ lawyers sued retailers for collecting customer ZIP codes at the checkout counter. This was first deemed illegal under California’s Song-Beverly Credit Card Act of 1971. Massachusetts has a similar consumer protection statute that prevents store clerks from writing down customers’ personal identification information not required by the credit card issuer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US), a privacy professional should be comfortable with topics related to this post, including:

  • State privacy laws – marketing laws (V.B.)
  • State privacy laws – data security laws (V.D.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>