California rules zip codes are personal information


June 11, 2013 by Brian Ghidinelli

Photo by Planent on FlickrCalifornia's supreme court recently settled Pineda v. Williams-Sonoma Stores, Inc., establishing that zip codes are considered personally identifiable information and may not be collected by merchants as a precondition to a credit card transaction.

At first blush, this sounds like just about every credit card transaction you've made in the past five years however the intent of the law is to prevent merchants from taking a name and zip code and reverse engineering it into a home address for marketing purposes. This is what actually happened to the plaintiff when she shopped at Williams-Sonoma.

The court unanimously determined that the practice violated the Song-Beverly Credit Card Act of 1971 and new legislation was added to the California Civil Code 1747.08. We received a customer inquiry as to whether or not we are subject to this legislation as a California company. The civil code lists just five exceptions to when personally identifiable information may be collected:

(c) Subdivision (a) does not apply in the following instances:

  1. If the credit card is being used as a deposit to secure
    in the event of default, loss, damage, or other similar

  2. Cash advance transactions.

  3. If the person, firm, partnership, association, or corporation
    accepting the credit card is contractually obligated to provide
    personal identification information in order to complete the credit
    card transaction or is obligated to collect and record the personal
    identification information by federal law or regulation.

  4. If personal identification information is required for a
    special purpose incidental but related to the individual credit card
    transaction, including, but not limited to, information relating to
    shipping, delivery, servicing

    , or installation of the purchased
    merchandise, or for special orders.

The first highlighted clause is related to our deferred payment process which, like a hotel guaranty, holds your card on file until a predetermined date or delivery.

The second highlighted clause allows most Mail-Order/Telephone-Order (MOTO) and E-commerce merchants to continue the process of requiring the zip code (and address) in order to perform an Address Verification Service (AVS) match which helps protect the cardholder from fraud in a card not present situation like over the Internet or phone.

Here at, we won't accept a transaction that does not match both address and zip code in order to provide the highest level of security for our users. It may at times be frustrating when a cardholder is absolutely sure their address and zip are correct, and it may require providing some additional personal information, but it's a whole lot better than dealing with a stolen credit card.

I know because my credit card was skimmed in South Africa and then used to rack up about $16,000 of fraudulent charges (including two separate purchases at a KFC for more than $400 - did you know you could even spend $400 at a KFC?!) While we did not need to pay for the goods or fried chicken, it was still a massive hassle.

In this case, an ounce of prevention is worth a pound of cure.

Subscribe to Blog Updates

Subscribe by RSS

Follow MSR

Like us on Facebook Connect with us on LinkedIn Follow us on Twitter

Recent Posts