Pineda and the Law of the Jungle

By Chris Hoofnagle

Posted on March 8, 2011

A fair amount of misinformation has been generated surrounding the California Supreme Court's recent opinion in Pineda v. Williams Sonoma, 51 Cal.4th 524, 2011 WL 446921. In Pineda, the Court held that a zip code could qualify as personal information under the State's Song-Beverly Act. This means that companies that collect the zip code at the register when accepting plastic may be violating Song-Beverly.

Of course, a flood of suits have been filed concerning the practice of collecting zip codes. I don't think those cases are interesting. What's interesting is how critics have reacted to Pineda itself. They have created specious narratives about the case, Song-Beverly, and the practice of collecting zip codes. Pineda questions the closely held values of the data industry, and the reaction to the case shows just how threatening data companies find privacy law. An article in Tuesday's Privacy Advisor illustrates this in three ways--

1) A representative of the Direct Marketing Association was quoted as saying, "A zip code is pretty benign," she said. "It doesn’t identify somebody individually..." This is often the first reaction to Pineda--how can a zip code be "personal information?" Critics ask, "why does this matter?" Well, reading the case helps answer these questions. The store collected consumers' names from credit card swipes, requested the zip code, and then:
Defendant subsequently used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, telephone numbers, and street addresses, and that are indexed in a manner resembling a reverse telephone book. The software matched plaintiff's name and ZIP code with plaintiff's previously undisclosed address, giving defendant the information, which it now maintains in its own database. Defendant uses its database to market products to customers and may also sell the information it has compiled to other businesses.
In other words, the store found it inconvenient to ask consumers their home address, so they decided to trick them into providing it. In fact, manipulating the consumer is an explicit goal of reverse zip code lookup services. Acxiom touts a InfoBase® Data for Shopper Recognition product, which enables companies to identify the home address of the consumer while avoiding, "losing customers who feel that you’re invading their privacy." (emphasis added.)

Not everyone wants to be added to a marketing list just because they bought a pot at Williams Sonoma. But feelings don’t matter in this world. What matters is whether it is technically possible to get the data. Thus, Williams Sonoma didn’t have to extend their customers the common courtesy of asking whether they wanted catalogs. Instead, the store used technical means to route around giving the consumer a choice.

2) In the same article, a lawyer's comments were summarized to say, "...the Song-Beverly Act was passed in order to protect consumers from dumpster-diving criminals aiming for carbon copies of credit card slips, which often contained personally identifiable information--such as phone numbers, for example--in addition to the customer’s credit card number."

This argument is a red herring. Of course, much of Song-Beverly has to do with security. But the section at issue in Pineda was not about security, it was about privacy. It was passed to stop the very practice that Williams Sonoma was engaged in—requesting information about credit card users and adding it to marketing databases. In Florez v. Linens 'N Things, Inc., 108 Cal.App.4th 447 (Cal.App. 4 Dist.,2003), the California Court of Appeals recognized that the legislature sought:
' protect the personal privacy of consumers who use credit cards to purchase goods or services by prohibiting retailers from requiring consumers to provide addresses, telephone numbers and other personal information that is unnecessary to complete the transaction and that the retailer does not need.' In essence, the original enactment (Stats.1990, ch. 999, § 1 [A.B. No. 2920] ) was a response to two principal privacy concerns. '[F]irst, that with increased use of computer technology, very specific and personal information about a consumer's spending habits was being made available to anyone willing to pay for it; and second, that acts of harassment and violence were being committed by store clerks who obtained customers' phone numbers and addresses.'
3) And finally, the big picture is painted by Marty Abrams--a picture that one should pay attention to, because it demonstrates the worldview of the data industry.
...The Pineda v. Williams-Sonoma case illustrates a growing tension in the U.S., Abrams said, between a freedom to observe and make sense of what we observe—the hallmark of commercial data usage since credit reporting files were first computerized in the late 1960s—and a sense of seclusion that is highly valued in America but is diminishing.
Note that Abrams used the passive voice in stating that seclusion is diminishing. The data industry itself is causing this tension! It is not a natural or necessary consequence of modernity. It is a business imperative that places a higher value on its "freedom to observe" than your interest in being let alone.

Data companies are so upset about Pineda because it interferes with a closely held value: that data companies should never be restrained from information collection. Under their worldview, data regulations should focus upon the use of information only. Dig a little deeper and you'll find that they also think that all business uses of data are legitimate. So what they really think is that they should never be restrained from collecting data, nor should they be restrained from using it for any purpose they consider legitimate.

I object to Abrams' argument because it is a form of technological determinism and it ignores the moral force of law. It rejects the idea that we as a society can come to an agreement about the bounds of commercial behavior. In fact, it reflects precisely what Ashkan Soltani and I have tried to expose, through works such as our Flash Cookies and Privacy paper, which demonstrated that when consumers started deleting cookies, advertising firms simply routed around their expressed privacy preferences.

There is a range of commercial actors that have no respect whatsoever for consumer preferences. If their preferences are different than yours, they will find a way to get around them. They are imposing the law of the jungle upon our society. Privacy law is one of the few tools we have to civilize them.