By Douglas H. Meal, David T. Cohen, and Lisa L. Rachlin, Ropes & Gray LLP
Retailers, like all businesses, constantly seek to learn more about their customers in order to serve them better. In Tyler v. Michaels Stores, however, the Massachusetts Supreme Judicial Court recently ruled that a simple step taken by many retailers to help achieve this goal – collecting the ZIP codes of their customers at the point of sale – can in some circumstances violate Massachusetts’ consumer protection statute.
The decision may encourage litigation against retailers both in Massachusetts and other states, many of which have similar laws. Accordingly, all retailers who collect ZIP codes or other information about their customers at the point of sale should assess their data collection practices and potential liability exposure in light of the Tyler decision.
Section 105(a) of Massachusetts General Laws chapter 93 prohibits businesses from writing “personal identification information” (“PII”) on credit card transaction forms when not required by the credit card issuer, subject to certain exceptions. In May 2011, Melissa Tyler filed suit against Michaels Stores, Inc. (“Michaels”) on behalf of herself and a putative class of Michaels customers in the federal District Court of Massachusetts, alleging that Michaels’ electronic recording of customer ZIP codes violated § 105(a), which thereby permitted her to assert a claim under the Massachusetts Unfair Trade Practices Act, G.L. c. 93A, § 2.
Michaels filed a motion to dismiss Tyler’s complaint. The District Court agreed with Tyler that ZIP codes constituted PII under § 105(a) and that Michaels’ electronic terminal contained “credit card transaction forms” within the meaning of the statute. The court ultimately determined, however, that Tyler had not alleged a cognizable injury sufficient to state a claim under the Massachusetts Unfair Trade Practices Act, and therefore granted Michaels’ motion to dismiss Tyler’s complaint.
Tyler then filed a motion to certify three questions regarding the proper interpretation of the state privacy statute to the Supreme Judicial Court of Massachusetts (“SJC”), which serves as the ultimate authority for interpreting the meaning of Massachusetts law. The three questions certified were:
1. Whether a ZIP code constitutes PII under the privacy statute;
2. Whether a plaintiff could bring an action under the privacy statute without showing identity fraud; and
3. Whether the privacy statute’s reference to a “credit card transaction form” could apply either to an electronic or a paper transaction form.
The Massachusetts high court, in a unanimous opinion, ruled on all three questions in favor of Tyler. On the first question, the court determined that a ZIP code constitutes PII under the state statute because, when combined with the consumer’s name, the ZIP code provides the merchant with enough information to identify through publicly available databases the consumer’s address or telephone number — the very information § 105(a) expressly identifies as PII.
On the second question, the court concluded that a plaintiff could sustain an action under the statute without showing identity fraud because, after examining the legislative history and statutory text, the court decided that the principal purpose of the statute was to guard consumer privacy, not protect against identity theft. Finally, based on its reading of the statutory text, the court held that the term “credit card transaction form” applied to both electronic and paper forms.
Notably, in ruling that Tyler could sustain an action under the privacy statute absent identity fraud, the SJC expanded its analysis and considered what injury or loss must be alleged in order to state a claim under the Massachusetts Unfair Trade Practices Act. The court observed that the receipt of unwanted marketing materials or the sale of customer data to third parties could suffice to state a cognizable injury. Tyler may now return to federal court and attempt to proceed with her case, assisted by the SJC’s authoritative interpretation of Massachusetts law.
The implications of the SJC’s interpretation of Massachusetts statutory law in Tyler’s favor extend well beyond the Tyler case. The decision is reminiscent of a 2011 opinion by the Supreme Court of California, Pineda v. Williams-Sonoma Stores, Inc., holding that ZIP codes can qualify as PII under the California Song-Beverly Credit Card Act. The Pineda ruling led to a wave of consumer class action lawsuits regarding the ZIP code collection practices of California retailers, although Pineda has since been narrowed so as not to apply to online purchases in which the product is downloaded electronically, under the rationale that certain safeguards against fraud, such as visually inspecting the credit card, are not available to online merchants. As in the wake of the Pineda ruling in California, increased consumer privacy litigation should be expected in Massachusetts. Indeed, plaintiffs’ lawyers have already begun to file such lawsuits in recent weeks.
Retailers operating in Massachusetts should review their current data collection and use policies regarding ZIP codes and other types of information, as well as assess their potential liability exposure for practices to date, in light of the Tyler decision. Retailers in other states should do so as well. As a number of other states have statutes limiting the type of information retailers can collect from customers (including Delaware, Georgia, Kansas, Louisiana, Maryland, Minnesota, Nevada, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Wisconsin, and the District of Columbia), the Tyler opinion may encourage lawsuits or government investigations not only against businesses operating in Massachusetts, but also those operating in other jurisdictions.
The legal risk is particularly acute because regulators and plaintiffs’ lawyers were becoming increasingly aggressive in the data privacy area even before Tyler. In short, Tyler has added fuel to an already significant fire, making it crucial that all retailers take steps to protect themselves from unwanted legal scrutiny.
Douglas H. Meal is a partner, and David T. Cohen and Lisa L. Rachlin are associates, at Ropes & Gray LLP. Meal and Rachlin practice in the firm’s Boston office, while Cohen practices in its Washington, D.C., office.