Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Tuesday, May 18, 2010

District Court holds that Privacy Policy May Form Part of Contract but that Damages are Required for Action in Breach of Contract

By Mehmet Munur

The District Court for the District of New Jersey recently held that a privacy policy when relied on could form part of a contract but that the party alleging breach of contract would have to show damages to survive a motion for summary judgment. The case adds to a long line of cases holding that it is very difficult to recover in a breach of contract claim based on a privacy policy. The case also highlights the difficulty some courts have had in classifying privacy policies as contract or policy.

Pro se Plaintiff and Comcast subscriber filed a lawsuit against TRUSTe, Microsoft, and Cisco Systems for blocking all of Plaintiff’s emails on at least two separate dates. Plaintiff called Comcast the first time and filed a complaint with TRUSTe the second time. Comcast claimed that it had received the blocking information from Cisco’s Ironport service. TRUSTe held against the Plaintiff in his complaint where he argued that Comcast had not sufficiently explained the reasons for blocking his outgoing email. Plaintiff had also filed a complaint against Microsoft for placing Plaintiff on its Frontbridge IP address blacklist on two previous occasions. Microsoft had not licensed Frontbridge through TRUSTe; therefore, TRUSTe did not render a decision on that complaint. Thus, the Plaintiff brought a pro se claim against all parties that included eight causes of action.

The court ended up dismissing the breach of contract claim against all parties. The court summarily dismissed the breach of contract claim against TRUSTe simply because “it is blackletter [sic] law that a gratuity without consideration does not form a contract.” Without the contract, the Plaintiff’s breach of contract claim went nowhere.

In addressing the breach of contract claims against the three remaining parties, the court had to consider whether their privacy policies were enforceable as contracts. Comcast, Cisco, and Microsoft argued that their privacy policies are insufficient to form a contract “because they are not definite and no consideration was given.” In his complaint against Comcast, the Plaintiff pointed to the Comcast Customer Privacy Notice regarding Comcast’s ability to block and filter spam email and the methods involved. The court held that the Notice was a part of the contract and examined other cases in the area that held that privacy policies could form part of a contract.

It is at this point that the court pointed to the divide among some courts on whether privacy policies are part of a contract or not. Specifically, the court compared Dyer v. Northwest Airlines, 334 F. Supp. 2d 1196 (D.N.D. 2004) (airline’s privacy policy posted on its website did not constitute a contract with its customers in the absence of an allegation that passengers read and relied on the policy) and In re Northwest Airlines Privacy Litig., 2004 WL 1278459 (D. Minn. June 6, 2004) (where plaintiffs alleged that they relied on the privacy policy but not that they had actually read it) with Meyer v. Christie, No: 2:07-cv-02230-JWL-DJW (D. Kan. Oct. 24, 2007) (holding that on a motion to dismiss, the court cannot agree with the characterization that the privacy policy is “nothing more than a mere unilateral statement of company policy”) and In Re Jet Blue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 325 (E.D.N.Y. 2005) (stating that that In re Northwest rests “on an overly narrow reading of the pleadings” and allowing the breach of contract claim to survive motion for summary judgment). The court sided with Meyer v. Christie and In Re Jet Blue because it was more persuasive. The court may also have been persuaded because it was a motion to dismiss and the Plaintiff was pro se.

Nevertheless, the fact the privacy policy was read, relied on, and thus became a part of the contract did not change the result. The Plaintiff must also show damages in order to succeed in a breach of contract claim. However, the Plaintiff had not pled any loss whatsoever. This result also is not surprising because the cases that the court cited to in its opinion regarding privacy policies as contracts also hold that claimants could not prove damages. Other cases not cited by the court such as In Re American Airlines Privacy Litig., No: 3:04-MD-1627-D, (N.D. Tex. May 25, 2005) (holding that the privacy policy could form a part of the contract but that the claimants have “failed to plead the essential element of damages flowing from the breach”) and Jackson Hewitt v. Pinero, No:2:08-cv-03535-SSV-DEK (E.D. La. Jan. 7, 2009) have come to similar conclusions. In fact, the Plaintiff in Jackson Hewitt sought damages for “fear, panic, anxiety, sleeplessness, nightmares, embarrassment, hassle, anger, lost time, loss of consortium, and other emotional and physical distress.” Even there, the Plaintiff’s breach of contract was dismissed because the Plaintiff did not sustain any legally cognizable loss or damage. Therefore, it is unlikely that damages based solely on the violation of privacy policies can be recovered in a breach of contract action.

The court then went on to dismiss the breach of contract claim against Cisco and Microsoft. There, the Plaintiff was unable to prove that there was a contract between himself and Cisco and Microsoft simply by pointing to their privacy policies. Furthermore, the Plaintiff did not complete the offer, acceptance, consideration triangle of contract formation to show that the privacy policies were a part of his contracts with the two companies. In fact, Microsoft and Cisco did not owe any contractual duties to the Plaintiff, but instead to Comcast, to whom they supplied the blacklist information.

In sum, the court’s holding on the issue of privacy policies are certainly not groundbreaking. However, it adds to the current discussion about role of privacy policies in contract formation.

You may also find Eric Goldman’s comments regarding the application of 47 USC 230 and this case here.

The case is Smith v. Trusted Universal Standards in Electronic Transactions, Inc., 1:09-cv-04567 (D.N.J. May 04, 2010). Note that the Plaintiff accidentally named the TRUSTe (True Ultimate Standards Everywhere Inc.) with Trusted Universal Standards in Electronic Transactions Inc.