By Eric Goldman
In re JetBlue Airways Corp. Privacy Litigation, 79 F. Supp. 2d 299 (E.D.N.Y. August 1, 2005)
I’m late blogging this case, but the case is remarkable enough to warrant some comments even at this late date.
In any case, the plaintiffs sued JetBlue for ECPA, breach of contract, trespass to property and unjust enrichment.
The ECPA claim failed because JetBlue was not a provider of an electronic communications service or remote computing service; instead, it was a customer of those providers. The court’s reasoning would extend to anyone operating a website; simply collecting information from a website doesn’t make the website per se an ECS or RCS.
Trespass to Property
The court converted the trespass to property claim into a trespass to chattels claim. Conceived this way, the data in a PNR isn’t a chattel, so this claim is dubious. However, the court disposes of it for lack of damages. The plaintiffs claimed loss of privacy as the damage, but the court says that this allegation doesn’t diminish the quality or value of the information, nor are the customers deprived of an ability to use their personal information.
This claim failed because JetBlue didn’t derive any benefit from giving the data to Torch. Further, there was no injustice to the customers, as the effort was tied to preventing terrorism.
Breach of Contract
I’m not surprised that the prior three claims failed, as they seemed pretty weak. However, the breach of contract claim seemed much more powerful. JetBlue promised that it wouldn’t disclose personal information to third parties. It broke the promise. What’s to discuss?
In any case, after assuming the existence of the contract, the court dismisses the contract claim for lack of alleged damages. Non-economic losses typically aren’t recoverable in most types of breach of contract actions, so the plaintiffs had to plead some economic losses. Ultimately, the plaintiffs couldn’t do so (at least, not to the court’s satisfaction). The court notes that the customers had no expectation of being compensated for the value of their personal information, either from JetBlue or from Torch. Therefore, the plaintiffs can’t establish the damage element of a breach of contract action, and the claim fails.
Therefore, read literally, this case could stand for the proposition that there may be no effective customer legal recourse against companies that breach their privacy policies. But I’m uncomfortable with the vitality of this conclusion in other cases, so perhaps this result is best explained by its context. A lot of decision-makers made a lot of poor decisions in the wake of 9/11 in the name of “anti-terrorism,” and perhaps we are willing to excuse those excesses accordingly. In contrast, I can imagine that future courts, presented with more venal breaches of privacy policies, will be less charitable.
Many thanks to Matt Goeden for his help preparing this blog post.