Can Businesses Legally Request Customer ZIP Codes?
Navigate the complex state-by-state rules on collecting ZIP codes during credit card transactions to protect your business from lawsuits.
Requesting a customer’s ZIP code during a credit card transaction seems innocuous, but it can trigger significant legal risks depending on the state. While some jurisdictions view ZIP codes as harmless geographic data, others classify them as protected personal information, prohibiting their collection at the point of sale to safeguard consumer privacy.
Understanding the Privacy Concerns with ZIP Codes
ZIP codes, while publicly available in many contexts, become problematic when linked to a customer’s name and credit card details. Retailers often collect them to verify transactions, prevent fraud, or build marketing databases. However, combining a ZIP code with a name allows businesses to cross-reference public records or databases to obtain full addresses, enabling targeted advertising, data sales, or unwanted solicitations. This practice raises alarms under consumer protection statutes designed to limit unnecessary data gathering during purchases.
Consumer advocates argue that such collection invades privacy without benefiting the transaction itself, as credit card processors already provide address verification services (AVS). Courts in restrictive states have echoed this, emphasizing that only information printed on the card—like the number, expiration date, and name—should suffice for most sales.
State-by-State Breakdown of ZIP Code Regulations
Laws vary widely across the U.S., with about 15 states and the District of Columbia imposing restrictions on collecting personal identification information (PII) during credit card transactions. These statutes typically ban requesting or recording details like addresses, phone numbers, or—in some interpretations—ZIP codes.
| State/District | Key Law | ZIP Code Status | Notable Cases/Rulings |
|---|---|---|---|
| California | Song-Beverly Credit Card Act (Civ. Code § 1747.08) | Prohibited as PII | Pineda v. Williams-Sonoma (2011): Supreme Court ruled ZIP codes are personal identification info |
| Massachusetts | Mass. Gen. Laws ch. 93, § 105 | Prohibited | Tyler v. Michaels Stores (2011): ZIP codes banned at POS |
| District of Columbia | Consumer Identification Info Act (D.C. Code § 28-3904) | Not an “address” | Hancock v. Urban Outfitters: Federal court allowed collection |
| New Jersey | Truth in Consumer Contract Act (N.J.S.A. 56:11-17) | Potentially restricted | Harmon Stores case: Court allowed privacy claims to proceed |
| Other States (e.g., NY, CT) | Various POS laws | Often prohibited if deemed PII | Similar to CA model |
The Future of AI: Preventing a Big Tech Monopoly >
This table highlights the patchwork nature of regulations. California sets the strictest precedent, influencing neighboring states, while D.C. offers retailers more leeway.
California’s Pioneering Ban: The Song-Beverly Act Explained
California’s Song-Beverly Credit Card Act of 1971, amended in 1990, prohibits businesses from soliciting or recording PII beyond what’s on the card during credit card sales. The statute explicitly lists addresses and phone numbers as PII but leaves room for interpretation. In 2011, the California Supreme Court in Pineda v. Williams-Sonoma Stores unanimously held that ZIP codes qualify as PII. The court reasoned that ZIP codes concern the cardholder and enable address derivation, undermining the law’s protective intent against marketing misuse.
Penalties are steep: up to $250 for the first violation and $1,000 thereafter, often pursued via class actions. Post-Pineda, retailers like Walmart and Victoria’s Secret faced waves of lawsuits. Exceptions exist for shipping needs, gas station security pumps, or voluntary disclosures where customers know the data’s marketing use—but even these are risky without clear opt-in language.
Contrasting Rulings: D.C. and Other Jurisdictions
Not all states follow California’s lead. In the District of Columbia, a federal court in Hancock v. Urban Outfitters dismissed claims, ruling that a ZIP code alone does not constitute an “address” under the local Consumer Identification Information Act. The court noted the statute’s narrow focus on full addresses or phone numbers recorded on the credit card transaction form, not separate POS systems. This distinction protected retailers who segregated ZIP data from swipe records.
Massachusetts mirrors California, with its Supreme Court in Tyler v. Michaels Stores banning ZIP collection as PII. New Jersey’s courts have entertained similar claims under consumer contract laws, creating uncertainty for East Coast merchants. States like New York and Connecticut have adopted broad prohibitions akin to California’s, affecting multi-state operations.
Exceptions and Legitimate Uses for ZIP Codes
- Shipping and Delivery: ZIP codes are permissible when required for mailing products, as they complete the transaction.
- Fraud Prevention at Pumps: Gas stations may request them for automated card readers, per carve-outs in some laws.
- Driver’s License Verification: Businesses can ask to see a license for ID but cannot record its details unless shipping involved.
- Voluntary Collection: If clearly stated as optional and not required for purchase, some courts may allow it—but disclosure must be explicit.
- Online Transactions: E-commerce faces fewer restrictions, as no in-person POS occurs.
These exceptions underscore that context matters. Retailers must train staff to avoid coercive requests, like implying a ZIP code is mandatory.
Risks and Consequences of Non-Compliance
Violations invite class-action lawsuits, with plaintiffs’ attorneys targeting high-volume retailers. California’s Pineda decision sparked litigation frenzies, costing businesses millions in settlements. Beyond fines, reputational damage and operational changes—like reprogramming registers—add burdens. Multi-state sellers risk injunctions or varying compliance mandates.
Federal law offers no uniform protection; the Fair Credit Reporting Act (FCRA) regulates credit checks but not POS data grabs. Emerging privacy laws like CCPA amplify risks by deeming ZIP codes plus identifiers as “personal information.”
Best Practices for Retailers in a Fragmented Legal Landscape
To minimize exposure:
- Audit State Laws: Use geolocation tools or charts to enforce rules by store location.
- Update POS Systems: Disable ZIP prompts on card readers; use separate loyalty programs for marketing data.
- Train Employees: Script responses: “ZIP code not required for this purchase.”
- Implement Opt-Ins: For email sign-ups, secure explicit consent post-transaction.
- Monitor Litigation: Track cases via legal alerts; consult counsel for interstate ops.
Alternatives like third-party fraud tools or AVS bypass ZIP needs entirely.
The Business Case: Marketing vs. Legal Compliance
While ZIP codes fuel customer profiling, the ROI pales against lawsuit costs. Modern analytics leverage transaction data without geolocation. Privacy-focused strategies—like contextual advertising—build trust and loyalty more effectively.
Frequently Asked Questions (FAQs)
Is it illegal everywhere to ask for a ZIP code with credit cards?
No, only in specific states like California and Massachusetts. Check local laws for your operations.
What if the customer volunteers their ZIP code?
Recording it still risks violation if the law bans it outright; better to decline.
Can I collect ZIP codes for loyalty programs?
Yes, if separated from the transaction and with consent, but not as a purchase condition.
How do online stores handle this?
E-commerce ZIP requests for shipping are generally fine; no POS bans apply.
What penalties apply in California?
Up to $250 first offense, $1,000 subsequent, plus attorney fees in class actions.
Future Trends in POS Data Collection
With GDPR influences and state privacy acts proliferating, expect tighter rules. Courts may expand “PII” definitions, while tech like tokenization reduces fraud needs. Retailers should prioritize compliance tech and legal reviews.
References
- Businesses Cannot Request and Record Consumers’ ZIP Codes — Rimon Law. 2011-02-23. https://www.rimonlaw.com/businesses-cannot-request-and-record-consumers-zip-codes/
- Federal Court Rules That Zip Code Alone is Not an Address Under D.C. Credit Card Transaction Law — Vorys. Accessed 2026. https://www.vorys.com/publication-I-Client-Alert-I-Federal-Court-Rules-That-Zip-Code-Alone-is-Not-an-Address-Under-D-C-Credit-Card-Transaction-Law
- ZIP Code Collection – An Invasion of Privacy? — OlenderFeldman LLP. Accessed 2026. https://olenderfeldman.com/zip-code-collection-an-invasion-of-privacy/
- Collecting Personal Information during Checkout — Privacy World (Covington). 2024-09. https://www.privacyworld.blog/2024/09/collecting-personal-information-during-checkout-balancing-consumer-rights-with-business-marketing/
- ZIP Codes Don’t Mean Zip for eCommerce Sellers — Avalara. Accessed 2026. https://www.avalara.com/us/en/learn/whitepapers/zip-codes-dont-mean-zip-for-ecommerce-sellers.html
Read full bio of Sneha Tete





