Four years ago, the EU’s Article 29 Data Protection Working Party stated that it “considered IP addresses as data relating to an identifiable person” — even though such nuggets of information can only discern a likely geographic location. Indeed, firms like Google and MaxMind routinely use IP addresses to help identify where Internet users are located geographically to create targeted ads and help other companies create such ads. As recently posted on the Hunton & Williams privacy blog, Germany is now separately enforcing this EU position and companies using service providers such as Google and MaxMind cannot themselves escape EU data protection responsibilities by relying on such service providers.
Now, we have California saying that merchants can no longer ask for ZIP Codes during a credit card purchase. As reported in the Los Angeles Times, the California Supreme Court ruled unanimously that retailers may no longer collect ZIP Codes from their credit card customers except for shipping or security reasons. Although the Court did not rely on broad privacy grounds in making its decision — instead ruling that because a ZIP Code was part of a person’s address it was subject to existing state law which precluded merchants from asking for information unrelated to a credit card transaction.
This opinion was in the context of a class action suit and because of this ruling future courts will have discretion to award statutory civil penalties up to a maximum $250 for the first violation and $1,000 for subsequent violations. Food for thought.