Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Massachusetts Supreme Judicial Court Issues Broad Ruling on Point-of-Sale Data Collection

Posted in Litigation, United States

In a recent decision, the Supreme Judicial Court of Massachusetts (“SJC”) broadly interpreted a statute that governs the personal information that may be collected by a merchant during a credit card transaction.  The decision, Tyler v. Michaels Stores, Inc., SJC-1145 (Mass. March 11, 2013), was issued in response to three questions that had been certified to the SJC by a federal district judge in Boston, in connection with a lawsuit alleging violation of Mass. Gen. Laws, ch. 93, §105(a), the Massachusetts analogue to California’s Song-Beverly Act. 

Section 105(a) provides that “[n]o business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”  “Personal identification information,” in turn, “shall include, but shall not be limited to, a credit card holder’s address or telephone number.”  Violations of Section 105(a) are treated as “unfair and deceptive trade practices” under Mass. Gen. Laws. ch. 93A, §§ 2, 9, which provides “injured” persons a private right of action against any entity that commits an unfair or deceptive trade practice.

The plaintiff in Tyler alleged that Michaels Stores violated §105(a) by requesting her ZIP code during a credit card transaction at one Michaels Stores retail location.  The district court agreed that the plaintiff had sufficiently pled a violation of that statute, but nonetheless dismissed the complaint because she had failed to allege a cognizable injury stemming from the violation, which is required to bring an action under Massachusetts’s unfair and deceptive trade practices statute.  The court explained that the purpose of §105(a) was to prevent identity fraud, and suggested a plaintiff would need to allege that fraud had occurred because of the alleged violation of §105(a).

Following dismissal, the plaintiff asked that the district court certify three questions to the SJC:  (1) whether a ZIP code could be “personal identification information” within the meaning of § 105(a); (2) whether a plaintiff may bring a lawsuit for a violation of §105(a) without showing identity fraud; and (3) whether the words “credit card transaction form” refer equally to electronic and paper transaction forms. 

Much of the trade press discussing the SJC’s decision has focused on the rather unremarkable holding that ZIP codes are “personal identification information.”  The statutory definition of PII is very broad, and the district court already had concluded it was broad enough to cover ZIP codes.  (The California Supreme Court reached this same conclusion interpreting a very similar statute in Pineda v. Williams-Sonoma, decided in late 2011.)  The SJC also agreed with the district court that “credit card transaction forms” could be construed to mean an in-store electronic form (e.g., a keypress form at the register), which apparently is what Michaels Stores used to record the plaintiff’s ZIP code in this case.

More notable is the point on which the SJC disagreed with the district court.  While the district court held that a plaintiff would have to demonstrate a tangible economic injury in order to maintain a suit for violation of §105, the SJC took a broader view: 

When a merchant acquires personal identification information in violation of § 105 (a) and uses the information for its own business purposes, whether by sending the customer unwanted marketing materials or by selling the information for a profit, the merchant has caused the consumer an injury that is distinct from the statutory violation itself and cognizable under G.L. c. 93A, § 9.

The case now returns to the district court for further proceedings.