What is the legal significance of a website’s privacy policy?
That question lingers when reviewing such policies for legal compliance and for consistency with a company’s actual practices. Problem is, lawsuits involving claims of breaches of privacy policies have failed even in cases of clear and egregious violations by the service provider, where there was an absence of a showing of actual damages.
Eric Goldman cites a number of cases in his blog, including a prominent class action in 2005 against Jet Blue Airlines for voluntarily turning over passenger names to a government contractor, in clear violation of the airline’s stated privacy policy. Policies commonly permit the service provider to disclose information in response to a government demand. Yet, Jet Blue won dismissal despite any such disclosure right in its policy.
Or put another way, breach of the privacy policy itself – even an egregious breach – may not be enough to sustain a legal claim.
Goldman and other commentators have written about a January 2009 case involving the Jackson Hewitt accounting firm. Here, a Jackson Hewitt customer’s tax return (along with those of many other Jackson Hewitt clients) was left in a public dumpster, and then found by a local television station.
The taxpayer plaintiff went to great lengths to demonstrate emotional distress and potential economic damages from the clearly inappropriate (and privacy policy breaching) actions of the accounting firm. Nonetheless, she lost her case because she was unable to meet the court’s criteria for specific monetary damages.
Goldman’s colleague Ethan Ackerman notes that “a heightened risk of future loss or steps taken to mitigate that loss weren’t enough under Louisiana law for a negligence or breach of contract claim”.
This toothless privacy state of affairs would seem to extend the argument of many new media and privacy law practitioners: no one reads privacy policies anyway, so they’re worth the attention of neither companies nor their customers. Goldman is less cynical:
In general, I think these opinions have often reached a sensible and pragmatic result that a privacy invasion may lead to no tangible losses, so damage awards may overcompensate the victim or overdeter the defendant.
But he is being literal than serious, since he is at least correct that there may be no tangible losses. This assumes privacy (and personal information) is a personal property right to be regulated by property law rules like those governing theft of or damage to tangible personal property – i.e. someone steals your car. Just as much, the rights sought to be vindicated in the Jet Blue, Jackson Hewitt and similar cases were contract rights, arising from claims of breach of privacy policies (which are contracts). In that narrow sense, the absence of damages should be determinative in litigation, as it generally is a material element to a breach of contract action in the first place.
That gets to the heart of the public policy problem with privacy policies as simple contracts subject to damage awards for breach, and Goldman recognizes this:
However, providing no damages awards – especially when a company breaches its self-selected promises – may under-deter and reward companies for overpromising and underdelivering. This case [i.e. Jet Blue] seems especially odd because the complaint contained allegations of specific tangible harm. Maybe we don’t believe the allegations, but normally they ought to be heard.
More to be said on this subject shortly.
Add Comment