Privacy Advisor

Northern District of California confirms Pineda v. Williams-Sonoma applies retrospectively

September 1, 2012

By Venkat Balasubramani

The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a ZIP code; i.e., retailers cannot ask for ZIP codes during credit card transactions. The court in that case held that its decision could be applied retrospectively and rejected Williams Sonoma’s arguments that it would be unfair to apply this decision to conduct before the date of the decision. The question in Dardarian v. OfficeMax North America, Inc., 11-CV-0947-YGR (N.D. Cal.; Jun. 25, 2012), was whether OfficeMax offered any better arguments for why the statute should not be applied retrospectively against it. OfficeMax argued that the California Supreme Court’s decision in Pineda was a departure from previous precedent and that OfficeMax had relied on a lower court decision in Party City v. Superior Court, where a court of appeal held that a ZIP code does not constitute personal information. 

The court says that this is insufficient to escape retrospective application of the statute for several reasons. First, Pineda was a decision from the California Supreme Court, and it did not overrule any existing precedent from the same court. Party City was a lower appellate court decision, and the California Supreme Court did not sanction the lower court’s approach when it denied review. Moreover, the court finds that the Party City opinion was only around for two years before the California Supreme Court granted review in Pineda and announced the contrary rule. OfficeMax was unable to point to a “near-unanimous body of lower-court authorities” that sanctioned its practice of collecting ZIP codes. 

In addition to Party City, OfficeMax pointed to one other case it happened to be involved in to support its argument that it relied on lower court decisions when it collected ZIP codes, Thoms v. OfficeMax. In Thoms v. OfficeMax, the court granted OfficeMax’s demurrer based on the Party City decision. While both Party City and Thoms held that ZIP codes are not personal information--and were effectively overruled in Pineda--the court says that OfficeMax did not start collecting ZIP code information based on these decisions. It had a longstanding policy of collecting ZIP codes and merely continued its practice in light of these two decisions. This isn’t the type of reliance; e.g., a change in behavior, that warrants against retrospective application. 

OfficeMax also argued that Pineda granted review on the question of whether “reverse engineering” someone’s address based on their ZIP code violated the statute and thus Pineda’s decision to address the larger question of whether a ZIP code constituted personal information was a surprise. Although the court ruled on the broader question of whether it was appropriate to collect the ZIP code information, OfficeMax argued that the decision in Pineda was unforeseeable. The court disagreed, noting that as early as when the parties filed their briefs in Pineda, the issue of whether a ZIP code constituted personal information was on everyone’s radar screen and, therefore, there was nothing unforeseeable about the court’s decision in Pineda.

Finally, the court also found that public policy favors retrospective application of the statute. OfficeMax argued that it had ceased the practice of collecting ZIP code information and that it never reverse engineered this information to obtain the addresses of its customers, but the court said that the policy furthered by the statute is to forbid retailers from collecting information that could result in a breach of the customer’s privacy. While the fact that OfficeMax did not reverse-engineer this information may bear on OfficeMax’s culpability, the fact that it collected the information in the first place meant that it engaged in conduct that the statute aimed to prevent. The court also rejected OfficeMax’s argument that retrospective application would undermine the administration of justice by holding it liable for actions it thought were lawful when it engaged in them. The court said that OfficeMax should have taken the conservative route and not have collected this information in the first place.

Pineda was a harsh decision for retailers, and the court’s conclusion in that case was certainly not an obvious one given the language of the statute. Nevertheless, the court in this case did not give OfficeMax a reprieve and said it should be held to this conduct.

The big takeaway from Pineda is that collecting seemingly innocuous bits of information that can be reverse engineered can trigger a privacy violation. For another example of this, see the recent FTC settlement with MySpace, where the agency held that allowing third parties to derive someone’s identity through a unique ID was a privacy violation.

California is not alone in having this type of legislation directed at retailers in place. In a similar example from Massachusetts, “Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm--Tyler v. Michaels Stores,” interestingly, the retailer defeated the plaintiff’s lawsuit, where the court concluded that the collection of information in that case did not result in any harm.

OfficeMax made some reasonable procedural and fairness-based arguments for why it should not be on the hook for its past conduct, but given the prophylactic nature of the statute, the court was not persuaded. This illustrates that when it comes to privacy statutes and regulation, while companies have done fairly well in defending against privacy lawsuits--and numerous lawsuits have been dismissed due to lack of harm--overall, companies may want to exercise caution where a statute that specifically prohibits the collection of certain information is implicated.

Venkat Balasubramani is a cofounder of Focal PLLC, a Seattle-based law firm focusing on media, technology and Internet-related clients. He blogs at Eric Goldman’s Technology & Marketing Law Blog. You can also follow him on Twitter, @VBalasubramani.