Is an Airline’s Privacy Policy a Contract?
In this Orlando contract lawyer blog post we look at a federal court decision that found a company’s privacy policy did not constitute a contract. McGarry v. Delta Air Lines, Case No. CV- 18-9827 (C.D. CA June 18, 2019). The court’s holding is important because Delta Air Lines experienced a data breach in late September and early October 2017 that exposed its customers’ data to the public but the company failed to tell its customers about the data breach until April 5, 2018. When a company publishes a privacy policy and states how they will collect and disseminate your information, should they be held liable if they breach their own privacy policy?
A class of consumers from all over the country filed suit against Delta Air Lines for breach of contract, unjust enrichment, and violation of the Stored Communications Act (SCA) and Computer Fraud and Abuse Act (CFAA). The consumers alleged that Delta breached the provisions of the SCA, the CFAA and the terms of the privacy policy itself, by failing to take proper safeguards to prevent the data breach.
The Airline Deregulation Act of 1978 Preempts Most Claims Involving Airlines
Delta filed a motion to dismiss the consumer’s complaint and in its motion, the company argued that Plaintiff’s breach of contract claims were barred because they were preempted by the federal Airline Deregulation Act (ADA) [Cite]. The ADA was enacted by Congress in 1978 and deregulated the airline industry and converted it from government controlled to a private and free market industry. Federal courts have repeatedly held that claims that are connected to an airline’s core services are prempted by the ADA; however, claims related to an airlines amenities, like in flight beverage and food service and personal service for disabled passengers.
Delta Hired Good Attorneys to Draft the Agreements
The essential problem the proposed class faced was the that Delta drafted all of the documents at issue and Delta clearly appointed a team of good breach of contract attorneys. The contract of carriage did not state anything about how Delta would handle its customers’ data and did not say anything about how it would transfer or protect data it provided to third parties. So Delta could do whatever it wanted with the customer data apparently. The court found that the plaintiffs were essentially seeking to enlarge and amend the terms of the parties’ contract of carriage, which was preempted by the ADA.
The court also held that the Plaintff failed to allege a breach of the terms of the ticket as it simply asked customer to “Please review our Privacy Policy.” The Privacy Policy, as stated above, had no details about how Delta and its affiliates would handle customer data, and it also stated that it was Not a contract: “This Privacy Policy is not a contract and does not create legal rights or obligations.” Despite the bold language, nobody reads the fine print and if they did, why would there be terms and conditions if there is no contract? Or maybe it could be a form of unconscionable contract?
It’s hard to understand this ruling on a practical level. A privacy policy by definition defines how data is kept private, hence the name “privacy policy.” If the policy was that the data was not kept private then that information should have been disclosed so that customers could act to protect themselves. The proposed plaintiffs argued that Delta built a perception that its data protection policies were adequate, which created a false sense of security. The court found that this was insufficient, given the language used in the documents at issue, all drafted by Delta. So the court dismissed the complaint with leave for plaintiffs to amend, which appears to be a fruitless endeavor at this point, leaving Delta customers without a remedy in federal court, which is an unfortunate result.
Consult with an Experienced Orlando Breach of Contract Attorney
Do you have a question for an Orlando contract lawyer? Contact The Spence Law Firm now for your FREE consultation.