Privacy advocates assailed that part of the decision, saying it rendered Web site privacy policies all but unenforceable.
"The rationale the court uses calls into question the assurances of any policy posted on any Web site," said David Sobel, general counsel for the Electronic Privacy Information Center (EPIC) in Washington, D.C.
Northwest shared passenger information with the National Aeronautical and Space Administration (NASA) for its research into improving airline security following the terrorist attacks of Sept. 11, 2001.
The EFF's Tien and other privacy advocates said the decision illustrated the inadequacy of U.S. privacy law.
"This decision is precisely why so many advocates call for consumers to be given a right to sue for privacy breaches," said Ray Everett-Church, chief privacy officer for the ePrivacy Group. "This decision tells companies that promises they make in privacy policies can be ignored because the people who are harmed have little legal basis for complaining."
EPIC's Sobel agreed, saying the decision undermined marketers' claims that industry is capable of regulating itself when it comes to consumers' privacy.
"The online industry has always made the argument that there's no need for legislation protecting online privacy, that through privacy policies and self-regulation they're able to give people the protections they need," Sobel said. "This decision really underscores the fact that there appears to be no enforceable protection in place."
Attorneys for the plaintiffs, asked whether they planned to appeal, did not return calls.