This post was written by Joshua Marker.

Catalog and retail marketing in California just got a little bit trickier. No longer can retailers require that a customer provide a ZIP code to complete a credit card transaction, and this may impede the ability of many retailers to generate in-store marketing leads. On February 10, 2011, the California Supreme Court held that the Song-Beverly Credit Card Act (“the Act”) covers key components of an individual’s address as ‘personal identification information’ in a credit card transaction.

In that case, Pineda v. Williams-Sonoma Stores, Inc., No. S178241, Williams-Sonoma’s practice of collecting individual’s ZIP codes when completing a credit card transaction was at issue. Williams-Sonoma collected these ZIP codes for credit card verification purposes and developed a retail marketing lead list from its in-store transactions. The California Supreme Court found that this practice violated Section 1747.08(a)(2) of the Act, as ZIP codes are ‘personal identification information’ covered by the Act, and the collection of that information was thus prohibited.

Section 1747.08 of the Act prohibits a business from requiring a cardholder to provide ‘personal identification information’ in order to complete a credit card transaction. The Act defines ‘personal identification information’ as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Pineda alleged that Williams-Sonoma had collected her ZIP code as part of a credit card transaction, and used this information to obtain her complete address, and added her information to their database.

The California Supreme Court ruled that ‘personal identification information’ under the Act must include components of a cardholder’s address. If it did not, a business could request a ZIP code and find the address through a reverse search, as Williams-Sonoma was allegedly doing. This “would render the statute’s protections hollow.” The term ‘address’ must be construed to cover the components of a cardholder’s address, and not just the complete address. Otherwise a retailer would be permitted “to obtain indirectly what they are clearly prohibited from obtaining directly.”

With fines of up to $1,000 for each violation and the potential for class action litigation as a result of this statute, the Act carries potentially steep penalties. As a result, it may be time to review of your company’s in-store information collection practices and bring them in line with this new ruling.