The Case Of The Walmart Drunk: Big Data, Big Duties, Big Headaches

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

Walmart (NYSE:WMT) was very recently sued by a woman involved in a car accident. The driver of the car that hit her wasn’t a Walmart employee, it wasn’t a Walmart vehicle, and it didn’t happen in a Walmart parking lot. Rather, the victim alleged that the driver had recently been in a Walmart and had been kicked out for being drunk. The victim alleged that Walmart, knowing that its customer was both drunk and driving, had a duty to prevent the customer from driving, or to report that person to the police. The court considering the case refused Walmart’s efforts to have the case dismissed on summary judgment, finding that there was at least enough evidence of "negligence" to allow the case to go forward.

In English common law, the courts and legislatures established what are called "dramshop" acts, laws that imposed a duty on innkeepers and tavern owners for the acts of drunk customers. These laws continue today, either by statute or case law, and impose duties upon certain organizations (typically bars and restaurants) as well as imposing liability for the acts of the people they get drunk. Although these laws may not apply by their terms to Walmart (nobody alleges that Walmart served the patron alcohol.), the idea is that the merchant is in a position to know about the potential harm (possible drunk driver) and has the ability to control or regulate the conduct (in the case of the bar, to stop serving; in Walmart’s case, to call the police) has a duty to act "responsibly" and prevent the harm. At least that is the plaintiff’s claim in the Walmart case.

Here’s where technology makes things messy. Once the drunk is tossed out of the Walmart, there’s a good argument that Walmart’s duty to third parties ends. After all, Walmart doesn’t know who the drunk is, how he got to Walmart, whether or not he owns a car, or how he left the store–on foot, by bus, by taxi or by private car. Walmart could argue that it had no duty to prevent the guy from driving because it had no way of knowing that the guy was driving, right? Um… Not so fast, kemosabe.

You see, Walmart has installed and routinely monitors parking lot cameras. These may or may not be equipped with software that captures license plates, and they may or may not integrate with a CRM database. Their software could track customers en route to the store, and could track them inside the store as well. It could also track them on the way out of the store. So let’s just say hypothetically that the cameras capture our drunk driver parking in the lot and walking (a straight line) into the store. Then the inside cameras capture our drunk man moseying to the liquor section, and buying a few pints (or even removing his own flask and taking a few dozen swigs).

Then our customer staggers out, or is tossed out. Assuming Walmart monitors or has the ability to monitor its cameras, a jury could find that Walmart, as an entity, "knew" that the guy it tossed was drunk, and also that it "knew" that he drove there, and "knew" that he was driving out. Couple that with the ability to control the drunk (a debatable point), and voila! Instant liability. Maybe. But here's where things get maddening.The point here is that stores that collect data–any data–may be deemed to "know" what is in that data. And once you "know" something, this may create a duty to act on what you "know." Have facial recognition software linked to a CRM database? Great to know your customer. Unless that customer is a registered sex offender trolling the store. Now you "know" that John Smith, who happens to be a registered sex offender, is in the children’s shoes area. You may even "know" (because it’s on the Internet, right?) that John Smith is an offender. Duty to act? Who knows. But the collection and aggregation of data for business purposes may imply a duty to use that data for other purposes as well.

In 2004, Kroger was sued by a customer for failing to notify her about a recall of tainted meat. The customer alleged that Kroger had her contact information in its CRM database, and when it learned that the meat she had bought (and it had a record that she bought it) may have been tainted by mad cow disease, it had a duty to search its CRM database and notify customers of the recall. Kroger countered by alleging that its CRM database was not nearly sophisticated enough to do this–and that by the time the company looked up the names and addresses of all purchasers who bought the potentially tainted beef, the consumers would have already consumed the product and the damage would have been done.

Fast forward to 2013. CRM databases are much more powerful and much more accessible. Customers register their cellphone and other contact information. Customers receive SMS and other alerts from merchants about sales, specials and other information. Big data allows merchants not only to know past customer behavior, but also to predict future behavior. Location-aware applications may allow merchants to know where a customer is, where they have been, and where they are heading.

The collection and use of this information for business purposes will undoubtedly create a duty to use the same information for other purposes as well. Product recalls are just the start. Just as Target was collecting information on consumers such that the company was able to determine that customers were likely to be pregnant (and target ads on that basis), such information may impose a duty not to sell (or maybe just not to target for sale) alcohol or certain over-the-counter drugs to those people. I can imagine Target being targeted for litigation for fetal alcohol syndrome saying, "You targeted me for alcohol sales when you knew I was pregnant." Acting like a nanny over your customers creates a duty to act like a nanny.

You know all that great CRM and other customer data you are collecting? Names, addresses, email addresses, video and facial recognition, cellphone records and the like? It’s all great for making money. It also may create new duties and new liabilities galore. And all of this may keep lawyers in business for many years to come.

In addition to the duty to act on the data (or patterns of data) you are collecting, entities that collect data also have a duty to responsibly store, protect and limit access to that data. So the bottom line is to collect what you need, use it responsibly, and then get rid of it. And be careful what you collect–it may come back to haunt you.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.