This is page 2 of:
Court: Retailers Not Bound To Online Promises. Their Shoppers Are
Several years ago, a man who bought flowers for his girlfriend over the phone from 1-800-FLOWERS (NASDAQ:FLWS) sued the florist for sending a confirmation letter to his wife, and tried to do so in Texas rather than in New York, as the policy stated. He was held bound by the online privacy policy, which he claims he never read or knew about. The court concluded that it didn’t matter whether he read the policy; he was bound by its terms.
Similarly, when Northwest Airlines (now part of Delta Airlines) was sued for violations of its own privacy policy—by giving the government wholesale access to its database when its policy said it wouldn’t do that—the court held that Northwest was not bound to follow its own privacy policy because “general statements of policy are not contractual” and because there was no evidence the consumers “read or relied on” that policy in deciding to book travel with Northwest.
So that may now be the state of the law. A privacy policy, with all of the waivers and disclaimers that benefit the merchant, is binding on consumers, whether they have read the policy or not. If the policy mandates arbitration, the consumer must arbitrate. If it says consumers have to sue in New York and not Texas, then it’s off to the Big Apple. It’s a binding contract.
But if, on the other hand, the merchant fails to comply with the terms of the privacy policy, then it appears the consumer would have to show (1) consideration for the promise; (2) knowledge of and reliance on the promise; (3) breach of the promise; and (4) actual pecuniary damages resulting from the breach of promise. That’s under a “breach of contract” theory.
For fraud or deceptive trade practices, however, it is likely that plaintiffs would likewise have to show they read the policy, relied upon it, were deceived or defrauded by the policy and suffered some damages. A company that logged who had accessed the privacy policy could defeat claims of “reliance” by simply showing that the consumer never visited or read the policy. Even if the consumer did read the policy, a merchant or other company could claim lack of consideration for the privacy and security promises.
Of course, what the LinkedIn customers provided LinkedIn was not money for security; it was data for security. I give you my personal information—whether you are LinkedIn, Google (NASDAQ:GOOG), Facebook (NASDAQ:FB) or Barnes & Noble (NYSE:BKS)—and permit you to use it for certain purposes, with the understanding (contractual or otherwise) that you will protect it up to the standards you (or some regulator) have set. The providing of personal information, and the using of the service itself, should provide sufficient consideration to support a contract.
If a privacy policy is not an enforceable contract, then what is it? Just a statement of an aspirational goal? A limitation on liability? The U.S. Federal Trade Commission has consistently taken the position that a company’s failure to provide either reasonable security or the level of security or privacy protection promised in a privacy policy constitutes either an unfair or a deceptive trade practice, for which fines or other remedies may be available.
So what’s a merchant to do?
Not much. I would still craft privacy policies carefully, with the understanding that consumers will rely on them and with the assumption that I would be bound by them. Promise what you can deliver, and deliver what you promise. Never generalize. Always equivocate. Always.
The San Jose court decision, while a putative victory for website operators, has the potential to undermine the basis for electronic commerce generally. How do you get users of a website to “agree” to anything? Is mere access to a website sufficient consideration to form a contract? For answers to these and other pressing questions, stay tuned.
If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.