The [Non]enforceability of Privacy Promises–Pinero v. Jackson Hewitt

A recent court case reiterates that privacy policies aren’t the be-all, end-all panacea for protecting online privacy.

By Ethan Ackerman

One of the main arguments against a federal online privacy law has been that website privacy policies were a self-regulatory solution that was more than sufficient, permitted more flexibility, and bound parties as surely as any federal law. Real-life court cases continue to suggest the contrary.

From mid-90s FTC staff decisions to “encourage self-regulation” to the 1998 formalization of a Clinton administration e-commerce policy framework to the extension of this policy through both terms of the G.W. Bush Administration, “self-regulation” of online privacy has been the policy of the executive branch of the federal government. Similarly, “self-regulation” has been the primary card played (the 10 of spades?) against Congressional attempts to pass federal online privacy regulation, successful in stalling any legislation on the issue since at least the 106th Congress. Online industry lobby groups still emphasize that “self-regulation” is the only needed enforcement, and online privacy advocates cite self-regulation’s failures for the ‘decade of disappointment’ in internet privacy.

Meanwhile, outside of the policy debates, online activity has exploded, along with the collection and use of personal information online. Putting aside the real challenge of discovering unacceptable uses, sometimes that collection and use (or misuse) is egregious enough that someone sues over it. As the recent case of Pinero v. Jackson Hewitt Tax Service shows yet again, actual monetary damages matter more than egregiousness.

Ms. Pinero discovered that a Jackson Hewitt Tax Service licensee that prepared her taxes had breached its privacy policy when a local news station contacted her and provided her with her prior year tax returns, discovered in a public dumpster along with the returns of more than 100 other Jackson Hewitt clients.

Mindful of the increasing body of cases that have refused to find damages in the mere breach of protective statutes, violations of privacy policies or unlawful disclosures of personal records, Ms. Pinero’s attorneys alleged specific factual emotional, physical, and economic damages in their suit. Those damages weren’t good enough under the applicable state law, according to U.S. District Judge Sarah Vance. Specifically, the judge found that the plaintiff suffered no direct pecuniary damage from the breach – a heightened risk of future loss or steps taken to mitigate that loss weren’t enough under Louisiana law for a negligence or breach of contract claim.

Above and beyond my brief summary, the opinion is worth a read in greater detail. The judge’s detailed discussion of the pleadings reveals much work on this case. The pleading drafters clearly went to great effort to avoid precisely this outcome, claiming damages of several types with a great deal of specificity and carefully formulating claims under a variety of different statutes and causes of action, including a Consumer Protection Act and database breach statute claim. Judge Vance addresses each claim and the surrounding caselaw in good detail as well, providing scant room for a reversal on appeal by leaving every issue addressed.

The takeaway? As Eric has worried in the past, there may be no effective customer legal recourse against companies that breach their privacy policies.

[Eric’s comment: we’ve seen a long list of situations where plaintiffs suffered some privacy invasion but were unable to obtain any legal recourse. Ethan links to the JetBlue case (which remains remarkable to me to this day), and we’ve blogged on others as well (see, e.g., the Acxiom and Key cases). In general, I think these opinions have often reached a sensible and pragmatic result that a privacy invasion may lead to no tangible losses, so damage awards may overcompensate the victim or overdeter the defendant. However, providing no damages awards–especially when a company breaches its self-selected promises–may under-deter and reward companies for overpromising and underdelivering. This case seems especially odd because the complaint contained allegations of specific tangible harm. Maybe we don’t believe the allegations, but normally they ought to be heard.

At the same time, I fear the policy-makers may overreact to this situation by creating statutory damages. Those solve one problem (the courts’ balking at plaintiffs that have no obvious damage) but create another, (IMO) much bigger problem of motivating plaintiffs and their lawyers to engage in litigation frenzies with low-merit lawsuits. We’ve seen a lot of wasted motion in the spam context from people chasing statutory damages, and I shudder to think about the tax on our economy if we ever created a statutory damage for generalized privacy violations.]