NY Enforcement Actions for Reselling Emails in Breach of Privacy Policy

By Eric Goldman

Gratis Internet runs several websites that promise free stuff (like free iPods) in exchange for consumers signing up for subscription trials. The trials are initially free but then convert to paid subscriptions. The idea is that many consumers will either like the subscriptions or be duped into keeping the subscriptions against their will. For an example of how even very intelligent people can be trapped by these free trials, see my colleague Christine’s story (and the update).

Along the way, Gratis made a variety of privacy promises to consumers. Of specific relevance here, Gratis promised that it would never resell the consumers’ email addresses. However, as it turns out, Gratis allegedly may have done precisely that.

If so, this should be a fairly straightforward legal problem. The false privacy policy should constitute unfair/deceptive trade practices and false advertising, and both the government and consumers should have causes of action (although, see In re JetBlue about possible limits in the consumers’ cause of action). In this case, Spitzer announced today that his office is going after Gratis for violation of New York’s consumer protection laws. This makes sense.

More interesting to me is Spitzer’s action against Datran Media, one of the buyers of email addresses from Gratis. Last week, Spitzer’s office announced a settlement with Datran that included a $1.1 million check.

Note that Datran didn’t breach the privacy policy directly; it allegedly purchased and used tainted email addresses. Ordinarily, there’s no such thing as contributory contract breach, but we might think of this as analogous to receiving stolen property. Perhaps with the requisite level of Datran’s scienter, they should in fact bear responsibility for buying and using “hot goods.” If the scienter standard is high enough, then it’s hard to quibble with the action.

But I think there’s a more fundamental lesson to learn. This case reinforces that it’s very hard to legitimately buy/sell email addresses. At minimum, I think buyers need to do thorough diligence of the email addresses’ origins, and it’s hard to find legitimate email addresses that were completely acquired without restriction on transfer or resale. Then, under CAN-SPAM, the email addresses have to be filtered out for any opt-outs that the buyer has received in the past. And then, it’s hard to get bulk emails through the email service providers/IAPs, especially if the sender can’t claim some type of relationship with or authorization from the recipients.

All told, I just don’t understand how legitimate companies think that email addresses can be flipped like commodities. The practice may never have been legitimate, but I see it as a completely dead practice today.

UPDATE: Dan Solove weighs in on the case. I generally agree with Dan’s analysis, except that I think we need to know more about Datran’s scienter. This result is defensible only if the scienter level was high enough.

UPDATE 2: Chris Hoofnagle calls the case “one of the biggest cases for consumer privacy ever.”