Collecting a Customer's Zip Code Leads to Privacy Lawsuit

Plaintiff Lauren Miller filed a class action lawsuit against Free People (a subsidiary of Urban Outfitters) on March 26, 2014 in a state court in Massachusetts alleging that Free People uses the zip codes provided to the company by its customers during an in-store transaction to track them down and mail them unsolicited advertisements (i.e., "junk mail"). Ms. Miller alleges that she made a purchase at a Free People in Massachusetts and then subsequently received unsolicited advertisements in the mail. On Monday, May 6, 2014, the case was removed to federal court based on diversity of citizenship and an alleged amount in controversy in excess of $5 million.

According to the Complaint, the Plaintiff seeks damages for invasion of privacy and violation of Massachusetts Chapter 93, § 105(a), which forbids the collection and recording of personal identification information in credit card transactions:
Section 105 (a). No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder's address or telephone number.
Further, Section 105(d) makes any violation of Section 105 "an unfair and deceptive trade practice" under Massachusetts law.

According to the Complaint, Free People does not use the zip code information for any "legitimate purposes," but only uses the "information for its own marketing and promotional purposes." Specifically, "possession of the consumer's zip code information, together with the customer's name, enables Free People to identify the customer's address and/or telephone number through the use of commercially available databases." Plaintiff alleges that the company uses the information to send customers "junk mail" and "also has the ability to sell the ZIP code information it collects . . . and the addresses and other information it then obtains, to third parties for a profit or to use the information for other marketing and promotional purposes."

The Complaint further alleges that:
Plaintiff and Class members have suffered an injury as a result of Free People's unlawful conduct by receiving unsolicited marketing and promotional materials, or "junk mail," from Free People. Plaintiff and Class members have also suffered an injury as a result of Free People's misappropriation of their zip codes and other personal identification information for use in its marketing and promotional efforts and other improper and unlawful purposes, from which Free People earns a profit and obtains other benefits. Plaintiff and Class members' personal identification information has commercial value, which is demonstrated by, among other things, the profit or other economic benefit Free People obtains, and has obtained from the use of that information.

Plaintiff's and Class members' damages as a result of this unlawful conduct include the invasion or breach of their privacy from the collection of their personal identification information and the profit or other economic benefit obtained by Free People from the use of that information.

According to a declaration filed by a company official last week, Free People's stores in Massachusetts have collected customers' zip codes from more than 71,000 transactions since March 2010. Ms. Miller is seeking at least $25 for each violation as well as "double or treble damages, disgorgement of Free People's profits derived from its unlawful activities, injunctive relief, attorneys' fees and other reasonable costs." As such, the proposed class action can be quite costly for the company.

Consumers are becoming increasingly savvy about how their information is used and are beginning to recognize that, as stated in the Complaint, "personal identification information has commercial value." Companies that collect consumer information, whether in face-to-face transactions or online, must carefully assess (1) how the consumer information is being used by the company, and (2) whether they have any necessary permissions from consumers.

Companies with online stores should carefully review their Privacy Policies because, in addition to concerns related to privacy-based class actions, there are concerns related to FTC investigations and enforcement actions. The FTC routinely relies on the online Privacy Policies when there are concerns related to a data breach or the misuse of consumer information. See for example our post related to the FTC action against Accretive Health and the FTC action against Goldenshores Technologies, LLC (and its founder individually) as well as our recent presentation on the Wyndham Worldwide litigation at an Online Tech webinar (a copy of the presentation is available on our Publications and Presentations page).

The case is Lauren Miller et al. v. Free People LLC et al., case number 1:14-cv-12018, in the U.S. District Court for the District of Massachusetts. The Complaint is available here. (PDF)

Posted by Tatiana Melnik May 7, 2014.
