Judge tosses online privacy case

Decision in airline case suggests privacy policies aren't worth the pixels they're published with, critics say.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.

The dismissal of lawsuits brought against Northwest Airlines has online privacy advocates renewing calls for federal privacy legislation.

In a decision dated June 6, U.S. District Court Judge Paul Magnuson ruled that seven consolidated class action lawsuits against Northwest had no merit--in part because the privacy policy posted on the airline's Web site was unenforceable unless plaintiffs claimed to have read it. The plaintiffs had contended that the airline, in giving passenger information to the government in the wake of the Sept. 11, 2001, terrorist attacks, violated laws and its own privacy policy.

"Although Northwest had a privacy policy for information included on the Web site, plaintiffs do not contend that they actually read the privacy policy prior to providing Northwest with their personal information," Magnuson noted. "Thus, plaintiffs' expectation of privacy was low."

Privacy advocates assailed that part of the decision, saying it rendered Web site privacy policies all but unenforceable.

"I don't think it's relevant whether or not they actually read the privacy policy first," said Lee Tien, senior staff attorney for the Electronic Frontier Foundation (EFF) in San Francisco. "Think of all the 'fine print' we run into every day--warranties and the like. Rather than focus on what the plaintiffs actually read, we should focus on what Northwest said it would do."

"The rationale the court uses calls into question the assurances of any policy posted on any Web site," said David Sobel, general counsel for the Electronic Privacy Information Center (EPIC) in Washington, D.C.

Northwest shared passenger information with the National Aeronautics and Space Administration (NASA) for its research into improving airline security following the terrorist attacks of Sept. 11, 2001.

According to the plaintiffs, Northwest violated its privacy policy, the Electronic Communications Privacy Act, the Fair Credit Reporting Act and Minnesota's Deceptive Trade Practices Act by giving NASA passenger name records, which include not only passengers' names but also their flight numbers, credit card information, hotel and car rental reservations, and names of traveling companions.

The EFF's Tien and other privacy advocates said the decision illustrated the inadequacy of U.S. privacy law.

"This decision is precisely why so many advocates call for consumers to be given a right to sue for privacy breaches," said Ray Everett-Church, chief privacy officer for the ePrivacy Group. "This decision tells companies that promises they make in privacy policies can be ignored because the people who are harmed have little legal basis for complaining."

EPIC's Sobel agreed, saying the decision undermined marketers' claims that industry is capable of regulating itself when it comes to consumers' privacy.

"The online industry has always made the argument that there's no need for legislation protecting online privacy, that through privacy policies and self-regulation they're able to give people the protections they need," Sobel said. "This decision really underscores the fact that there appears to be no enforceable protection in place."

Church said the decision would not prevent the Federal Trade Commission from acting against the airline or a Web site vendor that violated its posted privacy policy. Last week, the FTC promised that at least one such action was coming down the pike.

Attorneys for the plaintiffs, asked whether they planned to appeal, did not return calls.