One of Ours

Following 9/11, commercial airlines were asked to turn over passenger data they had collected to government agencies. These Passenger Name Records (PNRs) can include everything from a passenger's home address to their meal preferences and credit card numbers. In this particular case, Northwest Airlines turned over PNRs of many of its customers to NASA as part of an effort to study ways to increase airline security. A group of Northwest customers sued the company, pointing out that sharing their personal information with NASA is a direct violation of the privacy policy on Northwest's website. U.S. District Judge Paul Magnuson disagreed, dismissing the case on June 6. Part of the rationale was that

. . . the customer's "personally identifiable information" -- the stuff that the airline agreed to protect -- did not belong to the customer, because the customer "voluntarily provided some information that was included" in the information given to the government, and that when Northwest "compiled and combined" this information with other data it "became Northwest's property." The court concluded "Northwest cannot wrongfully take its own property." This analysis is not limited to airlines. Any company or entity is now free to say anything in order to induce you to part with your personal information (don't worry, it's secure, or we won't sell it), because once you give it up, it "belongs" to them.

Needless to say, this case (PDF) has far-reaching implications for privacy policies, both online and on paper. Further, Judge Magnuson decided that online privacy policies don't constitute a contract between the company and the customer:

The final part of the district judge's opinion threatens to derail a long established body of law regarding the enforceability of language on websites. All companies have them -- you know, the burdensome and oppressive terms on a website that nobody reads (or is capable of reading) that limits the company's liability, or contains grandiose claims of superiority of their vaporware. In this case, the court held that Northwest was not bound by contract to do what it said it would do because there was no evidence that the consumers "actually read the privacy policy."

Essentially, what this means is that all those long-winded fine print agreements you have agreed to may not protect your personal information at all. Without judges who will step up to defend the privacy rights of consumers, it won't matter even if everyone starts reading the fine print thoroughly. By dismissing this case, Judge Magnuson has established that the personal information of online customers is not protected by the Electronic Communications Privacy Act or deceptive trade practices laws. Nor does sharing customers' personal information amount to an invasion of privacy or a breach of contract. With E-Commerce growth showing no signs of ebbing, the question of how confidential customer information is handled online is going to become increasingly urgent. Without any privacy protection at all, you are at the mercy of the company you are doing business with to honor the agreement. If they do not, then according to Judge Magnuson, you have no legal recourse at all.