California Merchants Who Ask for Customer ZIP Codes

In a victory for privacy rights advocates, the California Supreme Court ruled in 2011 that California merchants cannot ask customers for their ZIP code during a credit card transaction. Specifically, the Court in Pineda v. Williams-Sonoma Stores, Inc. said that asking for a zip code in the course of an in-person purchase violates the California Song-Beverly Credit Card Act (Read the full decision on the California Courts website at

The Song-Beverly Act prohibits merchants from asking customers for personally identifiable information (PII) in connection with a credit card transaction. PII includes the customer's address and telephone number. The Court found that the legislature intended to ban collection of all parts of a customer's address, which includes the ZIP code. Merchants that violate the law will face up to a $250 penalty for the first violation and up to $1,000 for each subsequent violation.

The Pineda case did not differentiate between online transactions and in-person purchases at a physical store. Collecting PII during an online transaction was bound to become the subject of the next challenge, which came along in early 2012. In Jason Salmonson v. Microsoft Corporation, et al. (United States District Court,C.D. California, 2012 WL 77217), a federal district court judge in the Central District of California was asked to rule on whether collecting phone numbers, addresses, and Zip codes from online buyers violated the Act. The judge focused on the Act's intent--to prevent unnecessary collection of personal data--and ruled that in the online areana, such collections did not break the law:

"The purpose of the Act appears to be to protect consumer privacy in the course of a retail transaction, and [the California Assembly Committee on Finance and Insurance] analysis suggests the Act was specifically passed with a brick-and-mortar merchant environment in mind. While the use of computer technology is mentioned, the language does not suggest the Legislature considered online transactions or the perils of misappropriation of consumer credit information in an online environment where there is no ability to confirm the identity of the customer. Neither the language of the Act nor its legislative history suggests the Act includes online transactions."