Don’t Even Give them Your Zip Code Anymore

Consumers who have asked me whether they should give their zip code at the register have been getting bad advice! I was under the misimpression that zip-level data was only being collected for demographic research purposes (to determine where stores should be located, and advertising directed, on a mass scale) and thus said that no harm came from revealing the zip. No longer. Here’s a summary of data practices at William Sonoma, according to a recent California case (Pineda v. Williams-Sonoma Stores Inc., Cal. Ct. App., 4th Dist., No. D054355). Giving the zip code allows the store to “enhance” the information they already have about your (your name from the credit card) and determine your home address:

Jessica Pineda visited a store in California owned by Williams-Sonoma Stores, Inc. (the Store) and selected an item to purchase. She then went to the cashier to pay for the item with her credit card. The cashier asked for her zip code, but did not tell her the consequences if she declined to provide the information. Believing that she was required to provide her zip code to complete the transaction, Pineda provided the information. The cashier recorded it into the electronic cash register and then completed the transaction. At the end of the transaction, the Store had Pineda’s credit card number, name and zip code recorded in its databases.

After acquiring this information, the Store used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, residential telephone numbers and residential addresses, and are indexed in a manner that resembles a reverse telephone book. The Store’s software then matched Pineda’s now-known name, zip code or other personal information with her previously unknown address, thereby giving the Store access to her name and address.

So, when they ask for your zip code, say no, or to have fun, give them the zip code of the White House: 20500.


Comments

29 responses to “Don’t Even Give them Your Zip Code Anymore”

  1. What’s the harm in my grocery store knowing my address. Some extra coupons in the mail? I get the privacy issue. I’m no fan of all the ways companies are trying to find out stuff about us(google creeps me out the most). But if Ralph’s knows where I live? I’m not gonna lose any sleep.

  2. @T.Walt, the grocery store can resell that information to other database companies. Thus, the data about your purchases in one context can be used in other contexts.

  3. I’ve been using 90210 for several years.

  4. Wow. I always assumed it had to do with credit card verification, like automated payments at the gas station.

  5. @Nathan, I think you’re hitting on an important point: info companies are always saying that they need personal data for security reasons; if they are using security justifications for collecting information later used for marketing, it could be problematic…

  6. Eric Lund

    I can remember when it used to be standard practice to ask for your telephone number when you did a credit card transaction. Of course some merchants passed that number on to telemarketers (this was in the days before widespread Caller ID, let alone the Do Not Call list). People eventually got wise to that. I’ve also had people ask me for my zip code “for verification purposes”, and it sounds like this is a similar scam, at least some of the time.

    The catch is that sometimes the merchant really does need to know your address and zip code. If they are going to deliver or ship something to you, they need to know where you will receive the goods. Online merchants typically ask for your billing address, again for verification purposes (they also ask for a three-digit security code, just to make sure that you have the card in your physical possession), whether or not they are shipping something to you. But now that I think of it, there isn’t much point in knowing the zip code without knowing the address. The name plus the zip code will uniquely specify most people, and many of the exceptions will be parent and child living at the same address.

  7. Ok.. Let me get this straight, you want to “protect” yourself by not giving out your zip code.. Well, I am sure if you live in NY, LA, or some other area with **huge** numbers of people, and **huge** numbers of codes, you might get some place doing that. I have 3 here in this town, I am the only person “in” the town with my name, and thus, all they would need to know is a) what the three local zip codes are, and b) my name. This bit of silly advice is pretty useless for me.

    You want a *real* privacy issue. Some right wing loony site, recently babbling about the evils of Halloween, flat out states in their registration that a) they will delete stuff they don’t like, like sane arguments, one has to assume, but that they track who, when, and what every single person posts (presumably even the deleted ones) and that while they promise not to use the information (Oh, sure.. I believe that..), they won’t give a shit if someone hacks their site and steals all the data. Sounds to me like a set up for, “Oh, my! We got hacked! But I am sure the right wing Christian group Army of 12 Morons didn’t do it, even though they just firebombed your house!”, or some similar “accidental” coincidence between their data collection and some group of domestic religious terrorists…

  8. Sari Everna

    My dad told me that when he got asked for a postal code he knew they didn’t need, he’d give them the postal code of the place he worked. He worked at the mental hospital. 😉

  9. On behalf of all the cashiers out there, one favor please-don’t lecture or get upset with us when we ask you for your zip code or phone number or for donations. Our bosses tell us what we have to ask, we don’t like it any more than you do, so take it easy on us okay?

  10. Matt Penfold

    @Nathan, I think you’re hitting on an important point: info companies are always saying that they need personal data for security reasons; if they are using security justifications for collecting information later used for marketing, it could be problematic…

    Are there laws in the US that prevent data collected for one purpose being used for another ? Or preventing companies from passing on data to other companies within the same group, or to third parties ?

  11. @Matt, in some contexts, yes. But the key here is that it would weaken their argument before regulatory bodies if security were being used as a pretext for marketing uses, and in some contexts, if for instance they said it was for security but really it was only for marketing, it could be a deceptive practice.

  12. Whenever I am asked for my zip code I tell them 12345 (Schenectady, NY) and phone number is (911)555-1212.

  13. Try zipcode 20505. It is the zip code all CIA FOIA requests go to.

  14. Mike McKee

    Wanna really blow them away? Use cash the next time.

  15. Calli Arcale

    I give out fictious zip codes. Kagehi, if you want to screw with their automated lookup system, give out a zip code that is not near your house. I generally pick one that sounds plausible but isn’t my own. Sometimes I’ve used the zip code of the city where I attended college.

    I used to give out a fictitious street address as well, but few merchants ask for that anymore. I picked a real street, but increased the street number to where it would be in the middle of a river and/or wildlife sanctuary. 😛 Phone number is always made up unless I think there’s a legitimate reason for them to call me.

  16. Sometimes to humor myself, I like to give a unique fake name. That way if the name turns up in my mail, etc, I know the source.

    Also, I “live” at 123 East Main Street.

  17. Sometimes it’s fun to be Canadian. My fake postal code is H0H 0H0, the North Pole.

  18. I usually respond with a cheery “No, thank you!” Sometimes it takes a few seconds to sink in but it gets the point across, is non-confrontational, and occasionally amuses the clerk.

  19. I always just assumed they wanted to know where customers came from in order to decide where to put future locations.

  20. This is interesting. Not that I don’t believe you, but I have had incidents (when my zipcode changed without my address changing, without my knowledge!) in which I gave the incorrect zipcode and it caused problems. The credit card machine “bleepblorped” and the clerk was unable to run my card until I figured out the correct zipcode. Your thoughts on this?

  21. If I think there might be a legitimate reason for them to want my zip code, I ask why they’re asking. (If they can’t tell me, they don’t need it for anything that benefits me.) If not, I give them either the code for the summer program I was in thirty years ago, or 02134, either of which I can recite off the top of my head.

  22. 20510 and 20515 are the zips of the Senate and House.

    I wonder what the zipcode is of the J. Edgar Hoover Building (FBI), or Langley (CIA)?

    I wonder what is the zipcode of the Federal Trade Commission?

  23. I always tell them “that won’t be necessary” and when she persists, I say politely “that won’t be necessary for this transaction.”

  24. chancelikely

    I’m evil, so I’ve given out 10048 as my zip code since late 2001.

  25. “The credit card machine “bleepblorped” and the clerk was unable to run my card until I figured out the correct zipcode.”

    Some gas pumps require that you give your zip code in order to pay with a credit card. If you don’t give a zip that matches your card’s billing address, it’s rejected.

  26. Rick Blurken

    Dont give anything out. Its bad enough we are giving them our money. Its none fo their business. Just say No.

  27. What “personal information” are you worried they are using to “enhance” the record? Generally speaking, the only types of information a company like Sonoma can append for marketing purposes are demographics, area-level data (e.g., census block level information), other publicly available info (e.g., deeds), and “lifestyle” propensity models (likelihood to be interested in boating, for example). Sometimes, if the retailer is a member of a cooperative database with other retailers, they can append purchase data from the other retailers in the co-op. It’s also legal to use ZIP+4 level credit profiles, though individual level credit data is restricted from this use by the GLB Act. And at the end of the day, they’re using this information to (hopefully) offer you something you are more likely to buy/like instead of something you think is shit.

  28. Though I am not a liberal, I’ve been giving an inner city zip code so that they would build more centrally located stores and help with jobs in the inner city.

    It hasn’t worked, but it was worth a try.

  29. El Guerrero del Interfaz

    Confusing…

    Here in Spain lots of big shops began asking for the zip code about a year ago. However they do it even if you pay in cash and don’t give any ID. As a matter of fact when I used a card, which I don’t do very often, they never asked for the zip.

    In any case, I’m not a privacy freak. Anyway, the point that Chris makes, the reselling of their database to others, can be defeated by a strong personal data protection law like the LOPD (Ley Orgánica de Protección de Datos) we have here in Spain. I never had to make a complain to the government agency in charge of enforcing that law because just wielding it as a menace is enough to get obliterated from any private database. It worked very well for me.