When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue
By Eric Goldman
In re JetBlue Airways Corp. Privacy Litigation, 79 F. Supp. 2d 299 (E.D.N.Y. August 1, 2005)
I’m late blogging this case, but the case is remarkable enough to warrant some comments even at this late date.
As part of the post-9/11 anti-terrorism efforts, the TSA requested that JetBlue turn over its passenger name records (PNRs) to the Department of Defense for various data mining/analysis. Based on the request, JetBlue gave over 5,000,000 PNRs to a DoD contractor (Torch). This data handoff unambiguously violated JetBlue’s declared privacy policy, which said that JetBlue would not share personal information with any third parties. This privacy policy might be mooted by a law mandating disclosure, but my understanding is that JetBlue turned over the data voluntarily (i.e., it was not legally compelled to give Torch the data, although it may have felt strongly encouraged).
A quick drafting digression: It was a significant drafting error for JetBlue’s privacy policy not to contemplate disclosing PNRs to the government. For years, privacy policies have included exclusions that permitted voluntary disclosure of data to the government. If JetBlue’s privacy policy had contained such a statement, I believe this lawsuit would have been trivially easy to resolve.
In any case, the plaintiffs sued JetBlue for ECPA, breach of contract, trespass to property and unjust enrichment.
ECPA
The ECPA claim failed because JetBlue was not a provider of an electronic communications service or remote computing service; instead, it was a customer of those providers. The court’s reasoning would extend to anyone operating a website; simply collecting information from a website doesn’t make the website per se an ECS or RCS.
Trespass to Property
The court converted the trespass to property claim into a trespass to chattels claim. Conceived this way, the data in a PNR isn’t a chattel, so this claim is dubious. However, the court disposes of it for lack of damages. The plaintiffs claimed loss of privacy as the damage, but the court says that this allegation doesn’t diminish the quality or value of the information, nor are the customers deprived of an ability to use their personal information.
Unjust Enrichment
This claim failed because JetBlue didn’t derive any benefit from giving the data to Torch. Further, there was no injustice to the customers, as the effort was tied to preventing terrorism.
Breach of Contract
I’m not surprised that the prior three claims failed, as they seemed pretty weak. However, the breach of contract claim seemed much more powerful. JetBlue promised that it wouldn’t disclose personal information to third parties. It broke the promise. What’s to discuss?
The court first assumes that the website privacy policy was a validly formed contract, even though (a) it was presented as a non-mandatory hyperlink from the home page, and (b) the plaintiffs did not allege that any of them actually read the policy. This assumption runs directly contrary to two other related cases (In re Northwest Airlines Corps., 2004 U.S. Dist. LEXIS 10580, 2004 WL 1278459 and Dyer v. Northwest Airlines Corps., 334 F. Supp. 2d 1196).
I think the court is correct that the failure to allege that the plaintiffs read the contract is immaterial. I’m working on the assumption that JetBlue’s failure to present the privacy policy as a mandatory non-leaky clickthrough prevents JetBlue from enforcing the contract terms against its customers. However, the court sidestepped the more complex question of whether the customers could treat the privacy policy as a one-way binding commitment against JetBlue. I think, like any marketing collateral, is binding on the marketer as a marketing representation, but it would have been nice if the court had acknowledged these nuances.
In any case, after assuming the existence of the contract, the court dismisses the contract claim for lack of alleged damages. Non-economic losses typically aren’t recoverable in most types of breach of contract actions, so the plaintiffs had to plead some economic losses. Ultimately, the plaintiffs couldn’t do so (at least, not to the court’s satisfaction). The court notes that the customers had no expectation of being compensated for the value of their personal information, either from JetBlue or from Torch. Therefore, the plaintiffs can’t establish the damage element of a breach of contract action, and the claim fails.
The court’s legal analysis is right, so far as it goes, but the result is clearly unsettling and (I think) discordant with other privacy lawsuits. Read most literally, this holding would mean that plaintiffs rarely can establish a breach of contract claim for a privacy policy violation, because those privacy breaches rarely create economic losses to plaintiffs. Of course, other legal doctrines might apply to privacy breaches—such as the FTC Act or other consumer protection laws—but I find it hard to believe that a privacy policy breach is (effectively) categorically immune from a privately-enforced breach of contract action.
Maybe plaintiffs can avoid this result with different pleadings—such as promissory estoppel (which the plaintiffs could have alleged, because they claimed they made reservations with JetBlue “in reliance on express promises made by JetBlue in the company’s privacy policy”) or a fraudulent inducement claim. However, promissory estoppel may not result in meaningful damages, and JetBlue may not have had the requisite scienter to commit fraud.
Therefore, read literally, this case could stand for the proposition that there may be no effective customer legal recourse against companies that breach their privacy policies. But I’m uncomfortable with the vitality of this conclusion in other cases, so perhaps this result is best explained by its context. A lot of decision-makers made a lot of poor decisions in the wake of 9/11 in the name of “anti-terrorism,” and perhaps we are willing to excuse those excesses accordingly. In contrast, I can imagine that future courts, presented with more venal breaches of privacy policies, will be less charitable.
Many thanks to Matt Goeden for his help preparing this blog post.