Trio allege in court: You sold our ZIP codes, Apple, now hand over $5m!

Apple is being sued by a trio of customers who claim the company sells their personal information in violation of Massachusetts law. The three men have filed a class-action suit in the state alleging that Apple collected their ZIP codes and then flogged that personal information to third parties. In a complaint filed in the …

COMMENTS

This topic is closed for new posts.
  1. Herby

    Write??

    I suspect that the people at the Apple store didn't "write" the information, but rather keyed it in somehow (touch things on an iphone?).

    Put that to the barristers and solicitors and see what happens.

    1. Mark 85

      Re: Write??

      The word "write" can be taken many ways. We're in IT, think about the different ways the word is used. Even keying in a zipcode means it will be 'written' somewhere... HDD, database, etc.

  2. Flip

    Say No

    If asked for personal information not required to complete the purchase, say no. Lots of retailers routinely ask for addresses and phone numbers in order to mail out flyers, but you can decline to provide it.

    1. MrDamage Silver badge

      Re: Say No

      This. No one is forcing you to either give it out, or to give out a correct one.

      I have been in stores buying some pricey gear, only for the sales drone to ask me for my postcode and suburb as we're finalising the sale. I refused, and the drone complained "but the system won't complete the sale until I enter it in." My response was simple, I put my card away, wallet back in my pocket, and walked out, leaving a few grand's worth of stuff just sitting on the sales counter.

      Best of all, was their security guard caught up with me outside the store (stopped me by grabbing my arm), and informed me I was required by law (complete bs) to return all of the goods to their relevant shelves. I also informed him that I was required by law to report the unlawful assault he just performed on me. He backed away very quickly.

      This all went into an email to their HQ, and wouldn't you know it, next time I went there, different manager, different security guard, different protocols at point of sale.

  3. James O'Shea

    errm... it may simply be

    security. They might be asking to verify the billing address of the credit card. They don't bother asking me, 'cause I have a card stored with my AppleID (a low-limit card) and they can use that... and they have the billing address for it, including the ZIP, necessary in case they ship something to me, so if I use a different card they simply associate that card with the same ZIP. (No, that different card isn't stored. Or at least there haven't been any obvious indications that they store it, anyway.) I have the low-limit card to buy stuff like music and other small items, which won't go past the low limit. Should any of the sprogs get hold of my AppleID and try to charge anything significant on it, they'll run into the limit almost immediately. Should _I_ need to charge anything to my AppleID which would overflow that limit, it's easy for me to change in a different card, make the charge, then change out the card back to the low-limit one. And, no, the changed cards don't seem to be stored. Or at least not so that I've ever seen. And I've looked.

    1. Anonymous Coward

      Re: errm... it may simply be

      "They might be asking to verify the billing address of the credit card."

      Your "defence" would only be valid if the card issuer required Apple to perform the "check".

      From the article

      "No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.

      "Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number."

      That said, I see no proof that Apple have been using the information illegally.

      1. Eradicate all BB entrants

        Re: errm... it may simply be

        What about cash purchases? What if it was purchased as a gift?

        The law states don't ask for it and Apple's T&Cs say they will share it. They can't take Apple's word they didn't share it. When I have asked companies, through the correct process, who they bought my details from they never tell you. Which is why I, like many others, now have domains for email and give each company its own unique address.

        1. James O'Shea

          Re: errm... it may simply be

          The law does NOT say don't ask for it. A ZIP is part of the mailing address, and that is explicitly allowed. And if you hand 'em cash they won't.

      2. James O'Shea

        Re: errm... it may simply be

        "Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number."

        One more reason why I suspect that they're simply asking for the ZIP for security reasons is that, for example, every single gas station I've been to in the United States (Florida, Alabama, Georgia, Maryland, Virginia, New York, Indiana, Michigan, Illinois, and, oh... Massachusetts...) which takes credit cards requires you to enter the billing ZIP to verify that that's your card. And the ZIP is, after all, a component of the mailing address.

        Now, if the retailers were asking for the ZIP+4, that would be... interesting. ZIP+4 uniquely identifies your exact address. Postal carriers can ignore the street address and use just the ZIP+4 and deliver mail directly to your door. The plain ZIP, now, it merely identifies the general area you live in. A ZIP starting with 334 says that you're in Palm Beach County, Florida. 33401 is central West Palm Beach. There are in excess of 25,000 residents in that ZIP. (Downtown WPB has a lot more commercial buildings than residential ones.) I'm in 33415. There are more than 45,000 residents in that ZIP. (Yes, I just looked it up.) Being identified as being one of 25-45k does not strike me as being particularly well identified. I suspect that the reason why the ZIP is used for security is that it's a lot easier to get five digits than to get people to type in their street address... which, as you point out, is explicitly allowed. And if you have the street address, which is explicitly allowed, you can get the ZIP without significant effort. (Hint: Google Maps.)

        They don't ask for the ZIP when you make cash purchases. If something's a gift, then they need two ZIPs: yours, for billing, and the giftee's so they can ship it. Unless it's downloadable, in which case they just need yours for billing and an email address to notify the giftee.

        And, oh, while going on about Apple, well... companies like Amazon also require the ZIP, for billing and shipping purposes. If they didn't have a ZIP things might get a trifle messy.

        These people are making a mountain out of a molehill.

        1. Steve Aubrey

          Re: errm... it may simply be

          Errm, no. The ZIP+4 can identify the block you live on. http://en.wikipedia.org/wiki/ZIP_code#ZIP.2B4

          ZIP+4+2 adds the last two digits of your house number, which does generally identify your house uniquely.

  4. Anonymous Coward

    Totally different

    One issue was an issue with allowing in app purchases without verifying accounts. This is the asking for a zip code that can be argued to be a means of verifying the billing address. The plaintiffs will need to prove they sold the numbers for profit.

  5. John Tserkezis
    Trollface

    Look at the icon, that is all.

  6. Steve Todd

    US ZIP codes are hardly personally identifiable

    They get you at best to a neighbourhood, unlike UK post codes that get you a street and range of house numbers. What would this supposed third party do with the detail that a person lives in a neighbourhood? How do they intend to prove that these details were sold, and the only possible source was Apple?

    1. James O'Shea

      Re: US ZIP codes are hardly personally identifiable

      ZIP gets you the general area (West Palm Beach, Greenacres, Wellington, Royal Palm Beach, Riviera Beach, Palm Springs...) but ZIP+4 uniquely identifies your exact address. The USPS ignores the street address information in the address block if there's a ZIP+4, and delivers to the ZIP+4.

      1. Charles 9

        Re: US ZIP codes are hardly personally identifiable

        I don't see how. There can be more than 10,000 households for a given ZIP code, making it mathematically impossible for ZIP+4 to be accurate to that level unless additional information was entered such as a street number or a surname.

        1. MissingSecurity

          Re: US ZIP codes are hardly personally identifiable

          Regardless, PII for most legally defined cases includes a Mailing Address, because it can be linked to you in some way. It's less about how accurate it is on its own and more to do with the ability to take broad pieces of information and provide an accurate description of you, your location, or for contact.

          The case seems pointless unless the three can prove that Apple:

          1) Sold the information

          2) If it was collected when not required. I don't know how one would judge using it for security, even if the CC companies don't require you collect it.

  7. MooseNC

    Sometimes.

    "...ZIP codes, which are not needed to process transactions..."

    A lot of places now require the billing address ZIP as an additional layer of security. Have to enter it every time, at every gas (petrol) station I go to.

  8. Anonymous Coward

    If ZIP is required

    Let the banking interface ask for ZIP code if it is so much needed. The whole point of the "https" based banking website interface is this.

    Besides, proving that the ZIP info was sold should not be necessary to infer guilt (not sure of US laws), as the mere mention of probable sharing is enough to show the intention. You cannot snatch money and say you were just thinking of returning it.
