The Supreme Court for the State of California has ruled that a retailer cannot ask you for your zip code when you make a purchase using your credit card. Read the case here (PDF). A shopper at Williams-Sonoma bought something with her credit card and was asked by the cashier for her zip code. Thinking that is was necessary to complete the transaction, she gave it to the cashier who promptly entered into the store's computer system.

Providing your zip code during a credit card transaction makes sense from a security standpoint. If a bad guy found, stole, or otherwise had your credit card, he may try to use it. (surprise!) When he presents the card, he may not know where the actual owner lives, so by asking him for the zip code the retailer may foil his attempt to fraudulently use the card. Of course, if he stole your whole wallet or purse, he'll probably have that info, but if he has to look through a purse to get the zip code in front of the cashier, one hopes that the cashier may find that strange.

It is fascinating that with such a legitimate, pro-consumer, anti-fraud purpose for requesting the zip code, why did they find it illegal?

Why was Williams-Sonoma asking for the zip code? As it turns out it was not to confirm the identity of the card holder but to gather information for a database. The company was able to take the zip code and the purchasers name (obtained from the credit card info) and conduct a "reverse search" through some fancy computer program to get the purchasers home address. Once they had the home address they would send catalogs. The company would also sell the person's information to other "partners" or "affiliates" who wanted to send this person catalogs.

Now I get it... security is ok - marketing is not ok... is that it?

Not exactly, the real problem here is that the company "recorded" the information, they kept it, manipulated it, and even sold it. The law in California certainly give businesses the ability to request identifying information when conducting credit card transactions, they just don't let the businesses keep the information.

We have become a society of "data pack-rats". We keep everything, forever because "you never know..." The privacy area of the law is developing in such a way that frowns upon such behavior. Only take what you need, when you need it, and get rid of it when you're done. Of course, that information may be worth something, and in fact it can be worth a whole lot. These competing issues will play out in courtrooms all over America and I, for one, am very happy to hear that.

And since this is a Massachusetts Data Privacy Law Blog, here's how we do it here: M.G.L. ch 93 s. 105: The retailers cannot require you to provide "personal information" unless the credit card issuer requires it to process the transaction. "Personal Information" includes (but not limited to): card holder's address (see Zip Code) and telephone number. Some credit card issuers do require the zip code, but guess what, they don't ask the merchant to keep it.... at least they're not supposed to according to the agreement (PDF) signed with Visa.