Court: Retailers Not Bound To Online Promises. Their Shoppers Are
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
A recent dismissal of a class-action lawsuit against the LinkedIn (NYSE:LNKD) social network raises the question of whether anyone is bound to keep the promises they make on their website at all. If taken at face value, the court's dismissal means that companies are not bound to meet their own promised obligations but their customers are bound to comply with the Terms and Conditions of the website, whether they read them or not.
LinkedIn told its customers: "Of course, maintaining your trust is our top concern, so we adhere to the following principles to protect your privacy: 'All information that you provide will be protected with industry standard protocols and technology.'"
The class-action plaintiffs argued that by failing to use what is called salted encryption (which randomizes the keys to encrypt data), LinkedIn did not—as it promised—use "state of the art" security. This failure, according to the plaintiffs, caused them harm and damage, and breached the contract.
Not so fast, said the federal district court judge.
On March 5, Judge Edward Davila in San Jose dismissed the class-action lawsuit. Remember that "promise" of security? It's not binding. Not because it was too vague or because "state of the art" doesn't mean much. No, that would be understandable. The court held that the online promise wasn't supported by "consideration." That is, premium subscribers were not paying LinkedIn for security; they were paying for premium services such as InMail (the ability to send E-mail to other LinkedIn subscribers), among others. Because the subscriber wasn't paying for security, there was no binding "contract" to provide security. Lack of consideration.
Of course, what the LinkedIn customers provided LinkedIn was not money for security; it was data for security. I give you my personal information—whether you are LinkedIn, Google (NASDAQ:GOOG), Facebook (NASDAQ:FB) or Barnes & Noble (NYSE:BKS)—and permit you to use it for certain purposes, with the understanding (contractual or otherwise) that you will protect it up to the standards you (or some regulator) have set. The providing of personal information, and the using of the service itself, should provide sufficient consideration to support a contract.
So what's a merchant to do?
Not much. I would still craft privacy policies carefully, with the understanding that consumers will rely on them and with the assumption that I would be bound by them. Promise what you can deliver, and deliver what you promise. Never generalize. Always equivocate. Always.
The San Jose court decision, while a putative victory for website operators, has the potential to undermine the basis for electronic commerce generally. How do you get users of a website to "agree" to anything? Is mere access to a website sufficient consideration to form a contract? For answers to these and other pressing questions, stay tuned.
If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.