« CDT Report on Adware Advertising | Main | Yahoo Loses 230 Defense for its Dating Site--Anthony v. Yahoo »
March 23, 2006
NY Enforcement Actions for Reselling Emails in Breach of Privacy Policy
By Eric Goldman
Gratis Internet runs several websites that promise free stuff (like free iPods) in exchange for consumers signing up for subscription trials. The trials are initially free but then convert to paid subscriptions. The idea is that many consumers will either like the subscriptions or be duped into keeping the subscriptions against their will. For an example of how even very intelligent people can be trapped by these free trials, see my colleague Christine's story (and the update).
Along the way, Gratis made a variety of privacy promises to consumers. Of specific relevance here, Gratis promised that it would never resell the consumers' email addresses. However, as it turns out, Gratis allegedly may have done precisely that.
If so, this should be a fairly straightforward legal problem. The false privacy policy should constitute unfair/deceptive trade practices and false advertising, and both the government and consumers should have causes of action (although, see In re JetBlue about possible limits in the consumers' cause of action). In this case, Spitzer announced today that his office is going after Gratis for violation of New York's consumer protection laws. This makes sense.
More interesting to me is Spitzer's action against Datran Media, one of the buyers of email addresses from Gratis. Last week, Spitzer's office announced a settlement with Datran that included a $1.1 million check.
Note that Datran didn't breach the privacy policy directly; it allegedly purchased and used tainted email addresses. Ordinarily, there's no such thing as contributory contract breach, but we might think of this as analogous to receiving stolen property. Perhaps with the requisite level of Datran's scienter, they should in fact bear responsibility for buying and using "hot goods." If the scienter standard is high enough, then it's hard to quibble with the action.
But I think there's a more fundamental lesson to learn. This case reinforces that it's very hard to legitimately buy/sell email addresses. At minimum, I think buyers need to do thorough diligence of the email addresses' origins, and it's hard to find legitimate email addresses that were completely acquired without restriction on transfer or resale. Then, under CAN-SPAM, the email addresses have to be filtered out for any opt-outs that the buyer has received in the past. And then, it's hard to get bulk emails through the email service providers/IAPs, especially if the sender can't claim some type of relationship with or authorization from the recipients.
All told, I just don't understand how legitimate companies think that email addresses can be flipped like commodities. The practice may never have been legitimate, but I see it as a completely dead practice today.
UPDATE: Dan Solove weighs in on the case. I generally agree with Dan's analysis, except that I think we need to know more about Datran's scienter. This result is defensible only if the scienter level was high enough.
UPDATE 2: Chris Hoofnagle calls the case "one of the biggest cases for consumer privacy ever."
Posted by Eric at March 23, 2006 01:31 PM | Derivative Liability , Licensing/Contracts , Marketing , Privacy/Security , Spam
Comments
Would be interested on your take on the ethics of Jigsaw http://www.jigsaw.com/ where users of the site are encouraged via rewards systems to upload business card data which can then be accessed by members - for sales and no doubt email solicitations. The company's business models have come in for some severe criticism
http://www.techcrunch.com/2006/03/23/jigsaw-is-a-really-really-bad-idea/
Posted by: ccoc ![[TypeKey Profile Page]](http://blog.ericgoldman.org/nav-commenters.gif)
at March 24, 2006 05:05 PM
"Note that Datran didn't breach the privacy policy directly; it allegedly purchased and used tainted email addresses. Ordinarily, there's no such thing as contributory contract breach, but we might think of this as analogous to receiving stolen property. Perhaps with the requisite level of Datran's scienter, they should in fact bear responsibility for buying and using "hot goods." If the scienter standard is high enough, then it's hard to quibble with the action."
I find this point particularly interesting because in the lawsuit filed against Gratis Spitzer states that Gratis falsely represented to each (Datran, JDR, and Jumpstart) that it has received its users' permission to share the data. PP 31 of verified petition. So did Datran settle because they were concerned that they would be held responsible for the privacy guarantee in GRatis' privacy policies even though in the agreement they had with Gratis, Gratis "warranted that the data being shared consisted of records of persons who have supplied Affirmative Consent (as defined in the Can-Spam Act of 2003) to receive third party commercial em-mail advertising messages?" In the investigations that preceded the Datran settlement the Attorney general found that "Notwithstanding this deceptive statement in their agreement, Datran apparently knew about, or discovered, the restrictions on the data, prior to accepting it. For this and related practices, Datran entered into a voluntary Assurance of Discontinuance with the Attorney General..."
So what if Datran had not known? Would they be responsible for investigating the privacy policy themselves? What if they privacy policy had changed after the agreement was made and Gratis did not notify Datran?
Thoughts?
Posted by: kim at March 27, 2006 02:31 PM
ccoc, great Q. I'll need to think about the business model more. Mostly, I wonder if submitters provide accurate information, or if they submit bogus information just for the cash.
Kim, great observation. If Datran lacked scienter, then they got completely screwed. This would not be the first time that Spitzer's office has pushed the limits of the law. On the other hand, if they figured out that the email addresses were tainted (despite the prior representations) but proceeded anyway, then Datran made, at minimum, a bad choice. But then again, I think they made a bad choice thinking they could buy email addresses off the street.
Eric.
Posted by: Eric at March 27, 2006 06:30 PM