Retailers In Jeopardy Over Conflicting Zip Code Requirements

A seemingly innocent practice by retailers — requiring the cashier to ask for the consumer's zip code at the point-of-sale register — can now pose a legal risk in the face of conflicting legal requirements in different states.  Indeed, while zip code collection is required in certain transactions in New Jersey, it is explicitly barred for credit card transactions in both Massachusetts and California.

Nearly 20 other states have laws — sometimes conflicting — that require, forbid or otherwise affect the collection of zip codes or similar personal information. Any retailer with a national zip code collection policy must review and possibly revise its practice in light of recent developments in a number of states.

In March of 2013, the highest court in Massachusetts ruled that a consumer's zip code constituted a "personal identification number" under Massachusetts law, which prohibits businesses from requiring any such personal identification information, including a personal identification number, during a credit card transaction. 

The court's decision made it illegal for a business, including a retailer, to collect customers' zip code information as part of a credit card transaction.  The mere collection — not the use, disbursement or further transmission — of the zip code was found to be enough to violate the law.

The Supreme Court of California had reached much the same result in 2011.  In that case, the court found that a business's collection of zip code information from a credit card holder, by itself, violated California's Song–Beverly Credit Card Act.  The case spurred a number of lawsuits targeted at businesses, especially retailers, who were merely collecting zip code information. 

One such lawsuit, filed against Apple Inc. in relation to online transactions, resulted in a June 2013 decision of the California Supreme Court limiting the reach of its prior ruling and finding that online transactions involving electronically downloadable products fell outside the coverage of the Song–Beverly Credit Card Act.

While Massachusetts and California, for example, thus prohibit a business from collecting their customers' zip code data, New Jersey law actually requires the collection of zip code data when the business sells gift cards.  As explained by the highest federal court in New Jersey, as well as in this prior article, New Jersey law requires retailers to collect and maintain zip code information on consumers who purchase gift cards. 

Indeed, this data collection provision was explicitly upheld after a legal challenge and remains operative to this day.  New Jersey also appears to allow for a business to request a zip code, at least orally, for other purchases of goods even when a gift card is not involved.

Given these conflicting rules in New Jersey, which requires zip code collection for gift card purchases, as opposed to California and Massachusetts, which prohibit such data collection for credit card transactions, any retailer with a uniform national sales policy is at risk.

What retailers should do now to steer clear of this hazard:
  • Confirm whether your company already has a policy regarding the collection of zip code data, and if so, whether it is applicable at only the state or national level.
  • Review any such policy to ensure that it complies with each state's law; confirm, for example, that your New Jersey policy requires the collection of a zip code at the point of sale when shoppers purchase a gift card.
  • If your company is engaged in online retailing, be vigilant in looking out for changes or updates to the law controlling whether or not online retailers should or should not collect zip code information.

Please contact the authors for further information regarding these developments.

Steven M. Hecht is a partner with Lowenstein Sandler and Richard A. Bodnar is an associate in firm’s litigation department.
This ad will auto-close in 10 seconds