Court: Retailers Not Bound To Online Promises. Their Shoppers Are

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

A recent dismissal of a class-action lawsuit against the LinkedIn (NYSE:LNKD) social network raises the question of whether anyone is bound to keep the promises they make on their website at all. If taken at face value, the court's dismissal means that companies are not bound to meet their own promised obligations but their customers are bound to comply with the Terms and Conditions of the website, whether they read them or not.

When LinkedIn premium customers Katie Szpyrka and Khalilah Wright learned that the website operator had been hacked, and that 6.5 million stolen LinkedIn passwords had been posted on the Internet (together with the associated e-mail addresses), they sued LinkedIn for failing to provide adequate security and appropriate encryption for these passwords. Because users frequently use the same passwords for multiple accounts, stealing their LinkedIn passwords and e-mail addresses might expose a host of other accounts to compromise. Szpyrka and Wright (well, their lawyers, at least) sued for damages, asserting—among other things—that LinkedIn's privacy policy was breached. The privacy policy, they argued, was a binding contract, and by failing to protect the passwords adequately, LinkedIn breached that contract.

LinkedIn told its customers: "Of course, maintaining your trust is our top concern, so we adhere to the following principles to protect your privacy: 'All information that you provide will be protected with industry standard protocols and technology.'"

The "Security" section of the Privacy Policy stated: "In order to help secure your personal information, access to your data on LinkedIn is password-protected, and sensitive data (such as credit-card information) is protected by SSL encryption when it is exchanged between your Web browser and the LinkedIn website. To protect any data you store on our servers, LinkedIn also regularly audits its system for possible vulnerabilities and attacks, and we use a tier-one secured-access datacenter. However, since the Internet is not a 100 percent secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that E-mails, instant messaging, and similar means of communication with other Users of LinkedIn are not encrypted, and we strongly advise you not to communicate any confidential information through these means."

The class-action plaintiffs argued that by failing to use what is called salted encryption (which randomizes the keys to encrypt data), LinkedIn did not—as it promised—use "state of the art" security. This failure, according to the plaintiffs, caused them harm and damage, and breached the contract.
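An added example, not from the article and not a description of LinkedIn's systems, showing in Python what "salting" means for stored passwords: a random per-account value is combined with the password before hashing, so two accounts with the same password no longer produce the same stored value and a leaked table cannot be matched against a precomputed list of digests. The account names and passwords below are constructed, and PBKDF2-HMAC-SHA256 with a 16-byte salt is my choice of construction for the salted side.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not real data): two of the users happen to
# have chosen the same password.
USERS: List[Tuple[str, str]] = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "correct horse battery"),
    ("carol@example.com", "a different secret"),
]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it for production use


def unsalted_sha1(password: str) -> str:
    """Unsalted storage: the digest depends only on the password, so every
    account with the same password gets the same stored value, and a leaked
    table can be matched against digests computed ahead of time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_duplicates(users: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group accounts by unsalted digest. Any group with more than one member
    is what a leaked unsalted table reveals for free: which accounts share a
    password, even before anyone recovers the password itself."""
    groups: Dict[str, List[str]] = {}
    for email, password in users:
        groups.setdefault(unsalted_sha1(password), []).append(email)
    return {digest: emails for digest, emails in groups.items() if len(emails) > 1}


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted storage: a random 16-byte salt is drawn per account and mixed
    into the derivation. Both salt and digest are stored; the salt does not
    have to be secret, it only has to be unique per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def salted_records(users: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the (salt, digest) record that would be stored for each account."""
    return {email: salted_hash(password) for email, password in users}


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("accounts sharing a password (unsalted):", unsalted_duplicates(USERS))
    records = salted_records(USERS)
    alice, bob = records["alice@example.com"], records["bob@example.com"]
    print("salted digests differ for identical passwords:", alice[1] != bob[1])
    print("login check for alice:", verify("correct horse battery", *alice))
```

The unsalted column is what makes a password dump dangerous beyond the site that leaked it: identical stored values expose shared passwords at a glance, and a single precomputed table works against every account at once. The salted column forces each account to be handled separately, which is the property the plaintiffs were pointing at.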

Not so fast, said the federal district court judge.

On March 5, Judge Edward Davila in San Jose dismissed the class-action lawsuit. Remember that "promise" of security? It's not binding. Not because it was too vague or because "state of the art" doesn't mean much. No, that would be understandable. The court held that the online promise wasn't supported by "consideration." That is, premium subscribers were not paying LinkedIn for security; they were paying for premium services such as InMail (the ability to send e-mail to other LinkedIn subscribers), among others. Because the subscriber wasn't paying for security, there was no binding "contract" to provide security. Lack of consideration.

But the court went further. LinkedIn wasn't bound to its promise because, as the court noted, "Plaintiffs do not even allege that they actually read the alleged misrepresentation—the Privacy Policy—which would be necessary to support a claim of misrepresentation." How can you be deceived by a privacy policy you didn't even read? The court found that, to be enforceable, the "contract"—that is, the privacy policy—would have to have been read by the plaintiff, who would have had to understand it, rely on it and provide the company with "consideration" in return for the promises in the policy. Oh, and the court finally dismissed the class action because, in the judge's opinion, the plaintiffs suffered no real economic harm from the breach.

This is a strange (but not unprecedented) way of looking at online contracts. Think about it. The consumer is bound by the terms of contracts, privacy policies, terms of use, terms of service, end-user license agreements, copyright notices or other online (or offline) contracts, whether they have read them or not. That 4-page microtype rental car agreement where you allow the rental agency to track your movements and charge you a non-refundable $500 fine if you travel into Mexico? Enforceable, even if you never read it, because you had the opportunity to read it.

Several years ago, a man who bought flowers for his girlfriend over the phone from 1-800-FLOWERS (NASDAQ:FLWS) was bound by the online privacy policy (which he claims he never read or knew about) when he sued the florist—for sending a confirmation letter to his wife—and tried to do so in Texas, rather than New York, as the policy stated. The court concluded that it didn't matter whether he had read the policy; he was bound by its terms.

Similarly, when Northwest Airlines (now part of Delta Airlines) was sued for violations of its own privacy policy—by giving the government wholesale access to its database when its policy said it wouldn't do that—the court held that Northwest was not bound to follow its own privacy policy because "general statements of policy are not contractual" and because there was no evidence the consumers "read or relied on" that policy in deciding to book travel with Northwest.

So that may now be the state of the law. A privacy policy, with all of the waivers and disclaimers that benefit the merchant, is binding on consumers, whether they have read the policy or not. If the policy mandates arbitration, the consumer must arbitrate. If it says consumers have to sue in New York and not Texas, then it's off to the Big Apple. It's a binding contract.

But if, on the other hand, the merchant fails to comply with the terms of the privacy policy, then it appears the consumer would have to show (1) consideration for the promise; (2) knowledge of and reliance on the promise; (3) breach of the promise; and (4) actual pecuniary damages resulting from the breach of promise. That's under a "breach of contract" theory.

For fraud or deceptive trade practices, however, it is likely that plaintiffs would likewise have to show they read the policy, relied upon it, were deceived or defrauded by the policy and suffered some damages. A company that logged who had accessed the privacy policy could defeat claims of "reliance" by simply showing that the consumer never visited or read the policy. Even if the consumer did read the policy, a merchant or other company could claim lack of consideration for the privacy and security promises.

Of course, what the LinkedIn customers provided LinkedIn was not money for security; it was data for security. I give you my personal information—whether you are LinkedIn, Google (NASDAQ:GOOG), Facebook (NASDAQ:FB) or Barnes & Noble (NYSE:BKS)—and permit you to use it for certain purposes, with the understanding (contractual or otherwise) that you will protect it up to the standards you (or some regulator) have set. The providing of personal information, and the using of the service itself, should provide sufficient consideration to support a contract.

If a privacy policy is not an enforceable contract, then what is it? Just a statement of an aspirational goal? A limitation on liability? The U.S. Federal Trade Commission has consistently taken the position that a company's failure either to provide reasonable security or to provide the level of security or privacy protection promised in a privacy policy constitutes either an unfair or a deceptive trade practice, for which fines or other remedies may be available.

So what's a merchant to do?

Not much. I would still craft privacy policies carefully, with the understanding that consumers will rely on them and with the assumption that I would be bound by them. Promise what you can deliver, and deliver what you promise. Never generalize. Always equivocate. Always.

The San Jose court decision, while a putative victory for website operators, has the potential to undermine the basis for electronic commerce generally. How do you get users of a website to "agree" to anything? Is mere access to a website sufficient consideration to form a contract? For answers to these and other pressing questions, stay tuned.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.