In Tyler v. Michaels Stores, announced yesterday, the SJC answered three certified questions from the US District Court regarding consumer privacy in credit card transactions. The court held:
1. Under MGL c.93, § 105(a), a zip code is "personal identification information." "This is so because... a consumer's zip code, when combined with the consumer's name, provides the merchant with enough information to identify through publicly available databases the consumer's address or telephone number, the very information § 105 (a ) expressly identifies as personal identification information. In other words, to conclude in those circumstances that zip codes are not "personal identification information" under the statute would render hollow the statute's explicit prohibition on the collection of customer addresses and telephone numbers, and undermine the statutory purpose of consumer protection."
2. "[A] plaintiff may bring an action for a violation of § 105 (a) without alleging a claim of identity fraud." To clarify, the court went on to explain that while a violation of § 105 (a) constitutes an unfair and deceptive practice, "a plaintiff bringing an action for damages under c. 93A, § 9, must allege and ultimately prove that she has, as a result, suffered a distinct injury or harm that arises from the claimed unfair or deceptive act itself... Returning to § 105 (a), there appear to be at least two types of injury or harm that might in theory be caused by a merchant's violation of the statute: the actual receipt by a consumer of unwanted marketing materials as a result of the merchant's unlawful collection of the consumer's personal identification information; and the merchant's sale of a customer's personal identification information or the data obtained from that information to a third party."
3. "[W]e interpret 'credit card transaction form' to apply to transactions involving both electronic and paper forms."