Advertisement
Front, Kernel, Security, Distributions, Development. See your byline here on LWN.net.
Weekly Edition
Return to the Security page
| |||||||||||||
|
| |||||||||||||
The value of privacy policies
Most serious web sites post a privacy policy describing what the site's
owners will do with data collected from and about the site's users. For
users who are concerned about the spread of their personal information, a
strongly-written privacy policy can be a reassuring feature. A recent
court ruling, however, suggests that web privacy policies may not be worth
the paper they aren't printed on, at least some of the time.
Northwest Airlines was recently faced with a class-action lawsuit headed by some of its customers, who were upset that the airline had provided passenger name record (PNR) data to the U.S. government after the September 11 attacks. The plaintiffs made several allegations, including the violation of various laws and, crucially, breach of contract as a result of Northwest's failure to live up to its privacy policy. The policy reads, in part:
When you reserve or purchase travel services through Northwest
Airlines nwa.com Reservations, we provide only the relevant
information required by the car rental agency, hotel, or other
involved third party to ensure the successful fulfillment of your
travel arrangements.
There is nothing here about giving PNR data (which includes hotel and car information, along with credit card numbers) to interested governmental agencies. One might well conclude that the privacy policy has been breached. The court struck down the breach of contract claim, however. The reasoning was:
The privacy statement on Northwest's website did not constitute a
unilateral contract. The language used vests discretion in
Northwest to determine when the information is "relevant" and which
"third parties" might need that information... Moreover, absent an
allegation that Plaintiffs actually read the privacy policy, not
merely the general allegation that Plaintiffs "relied on" the
policy, Plaintiffs have failed to allege an essential element of a
contract claim: that the alleged "offer" was accepted by
Plaintiffs.
The implications are clear: weasel words in a privacy statement can be used against you. If you ever think you may want to take a site operator to court for the violation of a privacy statement, you will, at a minimum, have to be able to show that you read that statement before the violation occurred. It seems unlikely that many potential plaintiffs in privacy policy cases will be able to make that demonstration. Privacy policies, thus, may not be worth a whole lot - at least, not in countries which lack more general restrictions on the use of personal data. (For the curious, the full ruling is available in PDF format). (Log in to post comments)
Alternative lawsuit Posted Jul 29, 2004 7:14 UTC (Thu) by pm101 (guest, #3011) [Link] Would it be possible to resue over false advertising, rather than breach-of-contract?
The value of privacy policies Posted Jul 29, 2004 14:41 UTC (Thu) by knobunc (subscriber, #4678) [Link] Well, that's fine as long as the same holds true for their "Terms of Use".Somehow, I doubt that a court will let that slide... "Yer Honor, I admit that I scraped the content off the site, but I hadn't read the Terms of Use, so it is okay." -ben
this make all signed but unread contracts unenforcable Posted Aug 2, 2004 17:44 UTC (Mon) by ernest (subscriber, #2355) [Link] In fact anybody could claim they just didn't read it in the first place, if that's convenient.
I think, though, that that juge overstepped it's bounds by declaring these privacy statement can be overrulled as nobody reads them anyway.
This outcome made everybodies jaws drop by about a meter over at Groklaw.
|
|
||||||||||||