Court: Retailers Not Bound To Online Promises. Their Shoppers Are

March 14th, 2013

Several years ago, a man who bought flowers for his girlfriend over the phone from 1-800-FLOWERS (NASDAQ:FLWS) was bound by the online privacy policy (which he claims he never read or knew about) when he sued the florist—for sending a confirmation letter to his wife—and tried to do so in Texas, rather than in New York, as the policy stated. The court concluded that it didn’t matter whether he read the policy; he was bound by its terms.

Similarly, when Northwest Airlines (now part of Delta Airlines) was sued for violations of its own privacy policy—by giving the government wholesale access to its database when its policy said it wouldn’t do that—the court held that Northwest was not bound to follow its own privacy policy because “general statements of policy are not contractual” and because there was no evidence the consumers “read or relied on” that policy in deciding to book travel with Northwest.

So that may now be the state of the law. A privacy policy, with all of the waivers and disclaimers that benefit the merchant, is binding on consumers, whether they have read the policy or not. If the policy mandates arbitration, the consumer must arbitrate. If it says consumers have to sue in New York and not Texas, then it’s off to the Big Apple. It’s a binding contract.

But if, on the other hand, the merchant fails to comply with the terms of the privacy policy, then it appears the consumer would have to show (1) consideration for the promise; (2) knowledge of and reliance on the promise; (3) breach of the promise; and (4) actual pecuniary damages resulting from the breach of promise. That’s under a “breach of contract” theory.

For fraud or deceptive trade practices, however, it is likely that plaintiffs would likewise have to show they read the policy, relied upon it, were deceived or defrauded by the policy and suffered some damages. A company that logged who had accessed the privacy policy could defeat claims of “reliance” by simply showing that the consumer never visited or read the policy. Even if the consumer did read the policy, a merchant or other company could claim lack of consideration for the privacy and security promises.

Of course, what the LinkedIn customers provided LinkedIn was not money for security; it was data for security. I give you my personal information—whether you are LinkedIn, Google (NASDAQ:GOOG), Facebook (NASDAQ:FB) or Barnes & Noble (NYSE:BKS)—and permit you to use it for certain purposes, with the understanding (contractual or otherwise) that you will protect it up to the standards you (or some regulator) have set. The providing of personal information, and the using of the service itself, should provide sufficient consideration to support a contract.

If a privacy policy is not an enforceable contract, then what is it? Just a statement of an aspirational goal? A limitation on liability? The U.S. Federal Trade Commission has consistently taken the position that a company’s failure either to provide reasonable security or to provide the level of security or privacy protection promised in a privacy policy constitutes either an unfair or a deceptive trade practice, for which fines or other remedies may be available.

So what’s a merchant to do?

Not much. I would still craft privacy policies carefully, with the understanding that consumers will rely on them and with the assumption that I would be bound by them. Promise what you can deliver, and deliver what you promise. Never generalize. Always equivocate. Always.

The San Jose court decision, while a putative victory for website operators, has the potential to undermine the basis for electronic commerce generally. How do you get users of a website to “agree” to anything? Is mere access to a website sufficient consideration to form a contract? For answers to these and other pressing questions, stay tuned.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.

