
The value of privacy policies

Most serious web sites post a privacy policy describing what the site's owners will do with data collected from and about the site's users. For users who are concerned about the spread of their personal information, a strongly-written privacy policy can be a reassuring feature. A recent court ruling, however, suggests that web privacy policies may not be worth the paper they aren't printed on, at least some of the time.

Northwest Airlines was recently faced with a class-action lawsuit headed by some of its customers, who were upset that the airline had provided passenger name record (PNR) data to the U.S. government after the September 11 attacks. The plaintiffs made several allegations, including the violation of various laws and, crucially, breach of contract as a result of Northwest's failure to live up to its privacy policy.

The policy reads, in part:

When you reserve or purchase travel services through Northwest Airlines nwa.com Reservations, we provide only the relevant information required by the car rental agency, hotel, or other involved third party to ensure the successful fulfillment of your travel arrangements.

There is nothing here about giving PNR data (which includes hotel and car information, along with credit card numbers) to interested governmental agencies. One might well conclude that the privacy policy has been breached.

The court struck down the breach of contract claim, however. The reasoning was:

The privacy statement on Northwest's website did not constitute a unilateral contract. The language used vests discretion in Northwest to determine when the information is "relevant" and which "third parties" might need that information... Moreover, absent an allegation that Plaintiffs actually read the privacy policy, not merely the general allegation that Plaintiffs "relied on" the policy, Plaintiffs have failed to allege an essential element of a contract claim: that the alleged "offer" was accepted by Plaintiffs.

The implications are clear: weasel words in a privacy statement can be used against you. If you ever think you may want to take a site operator to court for the violation of a privacy statement, you will, at a minimum, have to be able to show that you read that statement before the violation occurred. It seems unlikely that many potential plaintiffs in privacy policy cases will be able to make that demonstration. Privacy policies, thus, may not be worth a whole lot - at least, not in countries which lack more general restrictions on the use of personal data.

(For the curious, the full ruling is available in PDF format).



Alternative lawsuit

Posted Jul 29, 2004 7:14 UTC (Thu) by pm101 (guest, #3011)

Would it be possible to re-sue over false advertising, rather than breach-of-contract?

The value of privacy policies

Posted Jul 29, 2004 14:41 UTC (Thu) by knobunc (guest, #4678)

Well, that's fine as long as the same holds true for their "Terms of Use".

Somehow, I doubt that a court will let that slide... "Yer Honor, I admit that I scraped the content off the site, but I hadn't read the Terms of Use, so it is okay."

-ben

this makes all signed but unread contracts unenforceable

Posted Aug 2, 2004 17:44 UTC (Mon) by ernest (guest, #2355)

In fact anybody could claim they just didn't read it in the first place, if that's convenient.

I think, though, that that judge overstepped its bounds by declaring these privacy statements can be overruled as nobody reads them anyway.

This outcome made everybody's jaws drop by about a meter over at Groklaw.


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.