Court Rules Airline Not Bound By Privacy Policy

An airline’s privacy policy isn’t an enforceable contract and it can use customer data for any purpose, a California court has ruled.

If a company promises it will only use your data for one purpose and it will protect your data, then suffers a data breach because it failed to adequately protect your data, can you sue the company for breach of contract? Maybe not.

On June 19, a federal court in California continued a pattern of cases that hold that, when a company posts things on its website, customers are bound to the terms of the website regardless of whether they read them, but the clever website operator is not bound by the promises it makes. In this particular case, Delta Airlines’ Contract of Carriage—a legally enforceable contract—was the primary agreement between passengers and the airline. The contract provided certain terms concerning the passenger’s personal data, which was essentially, “Throw me the idol, and I’ll throw you the whip.” In other words, if the passenger provides personal data to Delta, the airline will use that data for specific, identified purposes. The contract states:

The passenger recognizes that personal data has been given to carrier for the purposes of making a reservation, obtaining ancillary services, facilitating immigration and entry requirements, and making available such data to government agencies. For these purposes, the passenger authorizes carrier to retain such data and to transmit it to its own offices, other carriers, or the providers of such services, in whatever country they may be located.

Obviously, this means the airline can keep and use the passengers’ personal data for things such as reservations and the other things specified in the contract, and that the passenger specifically authorizes this. Does it mean that the airline can use the data only for those purposes? Nope. That’s not what the contract says. So while you specifically authorize the airline to use your data for the purposes mentioned, the court concluded that this doesn’t mean the airline can’t use it for, well, for any other unmentioned purpose. The California federal court noted that “… the Contract of Carriage itself contains no self-imposed promise from Delta as to how it will handle customer data. Neither does it promise specific procedures of Third-parties (sic) that have access to such data.” So if Delta fails to protect that data and suffers a data breach—well, it never promised it would protect the data. Even worse, the Contract of Carriage doesn’t specifically say that the airline can’t use the data for purposes other than those specified.

For that, you have to refer to the airline’s privacy policy, right? Not so fast, kemosabe.

Sure, the ticket issued pursuant to the Contract of Carriage says “Your privacy is important to us. Please review our Privacy Policy,” and the privacy policy posted prominently on the website contains all kinds of promises about how the airline will collect, use and share the personal data that you provide. As Dr. Seuss’ elephant Horton would say, “I meant what I said, and I said what I meant. An elephant’s faithful, one hundred percent!”

Except that Delta slipped into its privacy policy the words, “This Privacy Policy is not a contract and does not create any legal rights or obligations.” And to the federal court in California, those words made all the difference. After Delta had a massive data breach and a class action lawsuit was filed, plaintiffs alleged a breach of promise—breach of contract. Essentially, they said that Delta got the customers’ data by promising it would use it for certain purposes and would protect the data, and when that promise (um … contract) was broken (um … breached), they suffered losses (um … damages).

But the privacy policy is not a contract. It’s, well, an aspirational document? A goal? A mission statement? A policy. Sometimes a policy is just a policy (“We treat customers like family …”) and sometimes a policy is a contract (“You may return unopened items with a receipt for seven days …”).

Despite the “This is not a contract” language in the policy, it sure looks like a contract to me. Delta is saying, “Give us your data. We will protect it.” You give the company your data in reliance on the promise and it says, “Fooled ya!!”

This isn’t the first time that an airline has successfully gotten out of the terms of an agreement it wrote. When Northwest Airlines turned over to the U.S. government volumes of customer data in abrogation of its privacy policies, the customers sued. In that case, the court ruled that Northwest Airlines was not bound by its own privacy policy (which the court described as a “general statement of policy” and not contractual), particularly where the customers whose data was disclosed could not demonstrate that they “actually read the privacy statement prior to providing Northwest with their personal information …”

So, if you put the right disclaimer in a privacy policy, well, all bets are off. You can do whatever you want. I mean, at least as far as breach of contract is concerned. Of course, usually that leaves you open to claims of fraud, deceptive trade practices and other causes of action—unless you are an airline and are not generally subject to the jurisdiction of the FTC and are immune from state lawsuits that relate in any way to “terms and conditions” of transportation. Pretty sweet. Under the same rationale as making the privacy policy “not a contract,” I suppose you could also put language in a privacy policy that says that customers are not entitled to rely on any statements of policy that you make in the policy, and maybe even that by reading the policy they agree never to sue for fraud. Why not? It’s worth a shot.

Of course, all of this is occurring at a time when customers are bound by companies’ “Terms of Use” and “Terms of Service,” access-and-use restrictions, trespass-to-chattels claims, no-“spider” clauses and a host of other website policies, regardless of whether they read them. Sauce. Goose? Sauce. Gander? We will see.

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.