The California Supreme Court held today in Pineda v. Williams Sonoma that a zip code is personal information, meaning that California retailers who ask for it when you pay with a credit card violate the State's Song-Beverly Act of 1971. That law prohibits retailers from:
Request[ing]...the cardholder to write any personal identification information upon the credit card transaction form or otherwise...Request[ing]...the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise...[Using] in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.
Now, before you conclude that this is all silly, consider what Williams-Sonoma was doing--it was asking consumers for their zip code without telling them that it, "subsequently used customized computer software to perform reverse searches from databases...resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff‟s previously undisclosed address, giving defendant the information, which it now maintains in its own database. Defendant uses its database to market products to customers and may also sell the information it has compiled to other businesses." So, if you pay with a credit card and give the retailer your zip code, they can figure out your home address and send you catalogs. (To easily opt out of catalogs, check out Catalog Choice).
A prohibition on this practice is big news for privacy and competition--
And things may get even more interesting, because although one court has held that Song-Beverly does not apply to online transactions (Saulic v. Symantec Corp., 596 F.Supp.2d 1323 (C.D.Cal. Jan 05, 2009)), that decision is weakened by the reasoning of Pineda. The Saulic court focused upon the absence of the word "internet" in the relevant portion of Song-Beverly, which was added in 1990. It also was concerned that fraud problems that are intensified by distance selling require collection of personal information. The Pineda court, however, correctly recognizes that Song-Beverly is remedial, and should be interpreted broadly. It includes an exception for shipping, so your online purchases can be delivered.
What about fraud? Song-Beverly does allow a requirement for "positive identification," "provided that none of the information contained thereon is written or recorded on the credit card transaction form or otherwise." One could imagine a system where sellers of digital goods require consumers to provide addresses, but then delete them as soon as they are verified, which is possible with standard address verification systems. I don't think it is a stretch to revisit Saulic and make it possible for consumers to buy digital goods online without having their addresses reused for marketing and other purposes.
Update: Pineda and the Law of the Jungle.