Data privacy and Chapter 93A’s injury requirement

Tyler v. Michaels Stores, Inc., a recent decision by the Massachusetts Supreme Judicial Court, has already generated a significant amount of attention, mostly as a result of the SJC’s broad construction of G.L.c. 93, §105(a), the consumer privacy statute governing credit card transactions.

Among other things, the court in Tyler held that zip codes are “personal identification information” subject to §105(a)’s prohibition against a merchant’s recording such information absent any requirement on the part of the credit card issuer. See Tyler v. Michaels Stores, Inc., 464 Mass. 492, 506 (2013).

The ruling is noteworthy, however, not only for its contribution to an ever-evolving state and nationwide discourse on privacy and data protection, but also for its clarification of what many believed to be a series of prior inconsistent decisions concerning the type of “injury” a consumer must allege to pursue a Chapter 93A claim.

‘Tyler’ facts

The consumer plaintiff in Tyler filed an action in U.S. District Court on behalf of herself and a putative class of Michaels customers. The complaint alleged that Michaels Stores’ policy of recording customers’ names, credit card numbers and zip codes in connection with credit card purchases ran afoul of G.L.c. 93, §105(a), a violation of which constitutes an “unfair and deceptive trade practice” under Chapter 93A.

The plaintiff also claimed that Michaels used the information to find her address and telephone number and then sent her unwanted marketing materials. Id., at 500.

The statutory provision at issue, G.L.c. 93, §105(a), provides that “no person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

According to the District Court, the statute was intended solely to prevent identity fraud and not, as the plaintiff contended, to protect consumer privacy, such that the plaintiff failed to show that she suffered a legally cognizable injury.

However, at the plaintiff’s request, and in light of the novel nature of the issues, the District Court certified three questions for decision by the SJC as permitted by SJC Rule 1:03.

1. “Under [G.L.c.] 93, [§]105(a), may a [zip code] be ‘personal identification information’ because a [zip code] could be necessary to the credit card issuer to identify the card holder in order to complete the transaction?”

2. “Under [G.L.c.] 93, [§]105(a), may a plaintiff bring an action for this privacy right violation absent identity fraud?”

3. “Under [G.L.c.] 93, [§]105(a), may the words ‘credit card transaction form’ refer equally to an electronic or paper transaction form?”

As to the first certified question, the SJC was persuaded by the statute’s “expansive and general terms” and “non-exhaustive” definitional language that a zip code can be said to “constitute[] personal identification information” for purposes of the statute’s application. Tyler, at 496.

Alternatively, the SJC concluded that “when combined with the consumer’s name,” the consumer’s zip code provides retailers with sufficient information to locate, via publicly available databases, the precise information expressly identified by the statute as “personal identification information”: the consumer’s address and telephone number. Id., at 500.

As to the second certified question, the SJC broadly interpreted the statutory language to hold that it was designed not only to protect against credit card identity fraud, but also to safeguard consumer privacy, including to protect consumers using credit cards from receiving unwanted marketing materials from retailers with access to their identifying information. Because §105(d) provides that a violation of §105(a) constitutes an unfair and deceptive trade practice as defined by Chapter 93A, the plaintiff sought relief under 93A. In answering the second question, the SJC accepted the District Court’s “invitation to expand on its answer” and consider the plaintiff’s privacy claim in terms of whether she satisfied Section 9 of Chapter 93A’s “injury” requirement, the parameters of which have proved vexing to courts and attorneys alike over the years. Id., at 501.

Finally, as to the third question, the SJC responded affirmatively, reasoning that “to construe §105(a) as inapplicable to electronic credit card transactions would render the statute essentially obsolete in a world in which paper credit card transactions are a rapidly vanishing event.” Id. Furthermore, a contrary construction would “allow merchants to avoid the statute’s prohibition against collecting personal identification information simply by using electronic means to capture and reflect an electronic credit card transaction.” Id., at 506.

SJC’s 93A analysis

While the privacy protection aspect of the court’s decision has received the most attention, perhaps more important is that in answering the second certified question, the SJC took the opportunity to clarify a jumble of caselaw interpreting Section 9 of Chapter 93A’s “injury” requirement, which provides in relevant part that:

“Any person … who has been injured by another person’s use or employment of any method … declared to be unlawful by section two or any rule or regulation issued thereunder … may bring an action in the superior court … for damages and such equitable relief, including an injunction … .”  G.L.c. 93A, §9.

As most lawyers and their clients know, Chapter 93A has developed over time into a powerful litigation tool for consumers to redress unfair and deceptive business practices. The primary power of the statute derives from the fact that a violation requires the misbehaving business to pay the wronged consumer his attorneys’ fees plus potentially double or triple damages for particularly egregious misconduct.

Over the years, the SJC has grappled with the question of whether evidence of an underlying statutory violation that constitutes an unfair and deceptive practice is sufficient, by itself, to satisfy the injury requirement set forth in Section 9, or whether the consumer must plead and prove that she suffered some additional injury or harm distinct from the statutory violation.

In Leardi v. Brown, 394 Mass. 151(1985), the SJC held that “under certain circumstances where there has been an invasion of a legally protected interest, but no harm for which actual damages can be awarded, we conclude that the statute provides for the recovery of minimum damages in the amount of $25.” Leardi, at 160.

Put differently, the requisite “actual or threatened injury… may exist solely by virtue of statutes creating legal rights,” where the Legislature has exercised its “prerogative” to create a right, “the invasion of which, without more, constitutes an injury.” Leardi, at 160.

In Aspinall v. Phillip Morris Cos., 442 Mass. 381 (2004), the SJC relied on Leardi for the proposition that “purchase of a deceptively advertised product may in certain circumstances be alone sufficient to meet the injury requirement of G.L. c. 93A, § 9.” Aspinall, at 404.

The Aspinall court emphasized the distinction between proof of “actual damages” and the plaintiffs’ ability to show that “they have been injured by the defendants’ allegedly unlawful conduct,” and ultimately concluded that the plaintiffs, upon proving that defendants’ advertising practices were deceptive, would be entitled to “statutory damages, without regard to whether [they] were successful in establishing that consumers were overcharged for the deceptively advertised cigarettes.” Aspinall, at 402.

In contrast to Leardi and Aspinall, the SJC in Hershenow v. Enterprise Rent-A-Car Company of Boston, 445 Mass. 790, 800 (2006), held that Leardi had not in fact “eliminate[ed] the required causal connection between the deceptive act and an adverse consequence or loss.”

As such, after Hershenow, the SJC appeared to recognize that some conduct may amount to a per se violation of Chapter 93A but nevertheless not be actionable if the violation in question caused no discrete harm to the plaintiff.

In Tyler, the plaintiff relied on Leardi to argue that the violation of the statute prohibiting the improper use of her zip code “directly equates with an injury under [Section 9 of Chapter 93A], and therefore, a complaint alleging a violation of § 105(a), without more, satisfies the injury requirement of [Section 9 of Chapter 93A],” entitling her to damages. Tyler, at 501.

In response, the SJC acknowledged that Leardi and its progeny created considerable confusion and clarified that to the extent that Leardi can be read “to signify that ‘invasion’ of a consumer plaintiff’s established legal right in a manner that qualifies as an unfair or deceptive act under G.L.c. 93A, § 2, automatically entitles the plaintiff to at least nominal damages (and attorney’s fees), we do not follow the Leardi decision.” Id., at 502.

Rather, the SJC concluded that “a plaintiff bringing an action for damages under [Section 9 of Chapter 93A] must allege and ultimately prove that she has, as a result, suffered a distinct injury or harm that arises from the claimed unfair or deceptive act itself.” Id., at 501, citing Rhodes v. AIG Domestic Claims, Inc., 461 Mass. 486 (2012); Cassavant v. Norwegian Cruise Line, Ltd., 460 Mass. 500 (2011); Hershenow, at 799.

The SJC explained, by way of example, that if “Michaels obtained a customer’s zip code … and never used the information for any purposes thereafter, a consumer would not have a cause of action for damages under G.L. c. 93A, § 9, even though Michaels’ request for and saving of the zip code information may be a violation of § 105(a) and thereby qualified as an unfair or deceptive act.” Tyler, at 502.

Conclusion

With Tyler, the SJC appears to have put to rest at least for now the question of whether plaintiffs pursuing 93A claims need plead and prove a distinct injury causally connected to the alleged statutorily proscribed unfair or deceptive act.

However, the SJC may have limited the impact of its “injury” analysis in applying its reasoning to the facts in Tyler. Specifically, the SJC described the two types of injury or harm that might, in theory, be caused by a retailer’s violation of §105(a) and thereby establish a 93A violation: (1) the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s personal identification information; (2) and the merchant’s sale of a customer’s personal identification information or the data obtained from that information to a third party. Id., at 503.

According to the court, both types of conduct “represent[] an invasion of the consumer’s personal privacy causing injury or harm worth more than a penny,” thereby entitling the plaintiff to the minimum statutory damage award under Chapter 93A of $25 per violation plus attorneys’ fees.

Given how intangible the hypothetical injuries are, and the narrow distinction between a violation of §105(a) and the resulting loss to the plaintiff in such instances, some may wonder how far the court has actually come from Leardi’s “invasion of a legally protected interest” standard.

Jonathan I. Handler is a partner at Day Pitney in Boston where he practices complex commercial litigation. Emily A. Zandy is an associate in the commercial litigation department.