How much of your personal information should a merchant be allowed to collect?

What information does a merchant have a right to gather from you when you pay with a credit card? Should a merchant be barred from obtaining your zip code on the grounds that it is personally identifiable information (PII)?

In California, these questions have been at the forefront of a recent series of court cases. The implications go far beyond the borders of the most populous state: companies that are not physically located in California, but which do business with California residents over the Internet, could also be affected.

Zip codes considered personal information

California’s Song-Beverly Credit Card Act of 1971 is a pro-consumer state law that, among other things, limits a retailer’s collection and use of PII. In February 2011, the California Supreme Court ruled in the landmark case Pineda v. Williams Sonoma that under Song-Beverly, a zip code by itself constitutes PII and merchants are therefore barred from obtaining that data.

In the case, a Williams Sonoma store requested and recorded the plaintiff’s zip code and later used reverse search software to obtain the plaintiff’s complete address. This information was not only used by Williams Sonoma for targeted marketing efforts, but was also sold to other businesses for their own marketing purposes.

Lawsuits abound against companies collecting private information

The ruling opened the door to many other class action suits, because any business that collects PII in California is subject to the Song-Beverly restrictions. In fact, more than 100 other cases have been filed against a variety of firms, including oil companies, chain retailers, big box home improvement centers, electronics stores and office supply companies.

Subsequent cases involving Song-Beverly have refined the limits of how the law can be applied. In the March 2012 case of Sterk v. Redbox, the court held that the Pineda ruling only applied to “pen and paper” transactions that took place in person on store premises, leaving open the permissibility for an online retailer to collect PII.

In another March 2012 case, Flores v. Chevron, a lawsuit was brought to stop the gasoline giant from collecting zip code information when a customer pays at the pump with a credit card. In this case the court ruled that Chevron’s information collection was for the purpose of credit card fraud prevention, making it a special situation the court viewed as outside the intent of Song-Beverly.

In all three cases, a conflict exists between consumers’ privacy rights and merchants’ right to utilize PII for business purposes that involve marketing or fraud prevention. Ultimately, businesses gather all sorts of PII about their customers, whether online or face-to-face in a retail store. As such, businesses are responsible for maintaining the confidentiality of that information.

Cyber crime endangers both businesses and their customers

A company deliberately selling customers’ PII without permission is certainly one way privacy can be violated. But another breach of privacy, unintentional on the part of the business holding the PII, frequently comes at the hands of cyber criminals, who release PII routinely.

To protect against these criminals, companies can buy Internet insurance, also known as cyber liability insurance, to minimize the costs of unexpected breaches of data networks.

Such Internet insurance can defend the business in lawsuits brought by consumers whose PII is stolen. It can also pay a portion of regulatory fines and the cost of notifications that various laws require companies to send to consumers in this situation – a cost that can be extremely burdensome without proper coverage.

INSUREtrust offers expertise in Internet insurance

We at INSUREtrust have been cyber liability insurance experts for over 15 years, and can help businesses determine their obligations under Song-Beverly and other regulations.

Internet insurance doesn’t have to be expensive, but it is money well spent. The premium cost for a cyber insurance policy can be as little as a few thousand dollars for a $1 million policy limit.

Over the past ten years, INSUREtrust has written more than $100 million in premiums and paid more than $30 million in claims. Insurers are looking for business and we can find competitive pricing and terms for any risk.