By Mac Nadel, Mac.Nadel@marsh.com
A new privacy ruling from California’s highest court could have substantial implications for retailers. On February 10, 2011, the California Supreme Court held in Pineda v. Williams-Sonoma that the practice of asking credit card customers for ZIP codes constituted a violation of state consumer privacy statutes. The court said that doing so could trigger civil penalties of up to $1,000 per request. Many retailers in California routinely requested ZIP codes in credit-card transactions, meaning the potential penalties could be substantial.
California Civil Code section 1747, known as the Song Beverly Credit Card Act, prohibits a retailer from requesting “personal information” as part of a credit card transaction. Retailers that have asked for ZIP codes argued that they were not personal information. Plaintiffs alleged that the retailers were cross-referencing customers’ ZIP codes and other credit-card information against existing databases to identify home addresses. Plaintiffs argued that these customer names and addresses were then used to compile mailing lists that were used for marketing or sold to third parties. Lower courts agreed with the retailers, but the California Supreme Court found that the ability to combine the ZIP code with other information made the code personal information within the meaning of the statute.
Within the first 10 days after the decision was issued, law firms filed close to 40 separate class action lawsuits against various retailers, seeking a variety of common law remedies for breach of privacy, attorney fees, and the full statutory civil penalty of $1,000 for each of the alleged violations. The situation continues to evolve.
- Additional suits have been filed.
- Retailers not yet named are being added as “Doe” defendants to the existing lawsuits.
- A California Appellate Court recently found that the Act’s provisions applied to business use of personal credit cards, potentially expanding the class.
Claims against other types of transactions also are being pursued. For example, claims have been made against retailers with gas station operations that required entry of a ZIP code to validate a credit card used at a self-service pump, arguing that this constitutes a violation of the Act.
Under these facts, insurers are likely to raise some objections to claims presented under standard commercial general liability policies. The ultimate outcome of these coverage disputes will depend on various state laws, but the objections are likely to include some of the following:
With respect to claims for damages arising out of bodily injury and property damage, insurers are likely to argue:
- The claims do not allege bodily injury or property damage as those terms are defined in the policy.
- The plaintiffs are seeking injunctive relief and behavioral remedies, which are not “damages.”
- The plaintiffs are seeking fines and penalties, which are not “damages.”
General liability coverage also extends only to damage arising out of an “occurrence,” defined in part as an accident or something unintended. CGL policies generally exclude damage “expected or intended from the standpoint of the insured.” Whether “unintended” or “expected and intended” refers to unintended actions or unintended harm, and whether this is measured objectively or subjectively, can vary by state. The fact that lower courts in California had approved the practice of asking for ZIP codes should be helpful.
Standard CGL policies also provide coverage for violations of privacy, typically defined as “oral or written publication, in any manner, that violates a person’s right of privacy.”
Privacy is largely defined by state law, either constitutionally or by common law. In general it can consist of a right of seclusion -- the right to be left alone, or a right to prevent disclosure of personal information -- the right to secrecy, or both. States may vary as to how or whether the right is protected, and some states may allow one type, but not the other.
Given this, some insurers may argue that under these facts the allegations do not fall within the policy’s coverage for violations of privacy. For example, in a state where the right of privacy means only a right of seclusion, an insurer might argue that the allegations that defendants requested ZIP codes would not constitute a violation of privacy. Insurers may also argue that the alleged requests do not constitute “publication.”
Insurers also may deny coverage, arguing that privacy claims fall under the common CGL exclusion for damages relating to unsolicited facsimiles or spam.
A typical exclusion of this type states:
Personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate any statute or regulation that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
This exclusionary language has been the subject of discussion in the so-called “fax blast” claims, dealing with unsolicited fax advertising, and the FACTA claims, dealing with alleged violation of a federal statute that prohibits listing of credit card numbers on customer receipts.
Arguments advanced in these claims suggest that some insurers may argue that the exclusion language is broad enough to encompass allegations of improper use of ZIP codes. Although there are reasonable arguments against that position, it is one that insurers may choose to take.
Despite these potential obstacles, coverage may be available. If your company finds itself facing one of the ZIP code claims, it is important to consult with your insurance advisors and counsel. Careful review of the facts and allegations of the complaint and the language of the policy may support a successful argument for coverage. It is also important to notify your insurer promptly. Failure to submit prompt notice of a claim or lawsuit may provide the insurer with additional grounds to contest coverage.
Mac Nadel is the retail/wholesale, food & beverage industry practice leader for Marsh Inc. Nadel can be reached at Mac.Nadel@marsh.com or 203-278-3112.