Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
No Criminal Liability for Privacy Policy Breach; Can-Spam Act Applies Only to False Headers
June 21, 2005
NO CRIMINAL LIABILITY FOR PRIVACY POLICY BREACH
A federal trial court in Texas has recently determined that an airline does on violate the federal Electronic Communications Privacy Act (“ECPA”) when it discloses passenger information to the government and private parties. According to the court, there is no crime, even if the disclosures violate the airline’s own privacy policy. The airline could, however, face civil liability for breach of its contract with the affected passengers.
The court issued its ruling in a consolidated nationwide class action case. In the case, customers of American Airlines (AA) and AMR Corp. sued American Airline's agent, Airline Automation Inc. (AAI) for disclosing confidential passenger information, known as passenger name records (PNRs), to the Transportation Security Administration without the passengers' consent. The lawsuit also alleged that AAI provided the information to four private vendor research companies without the customers' consent, and perhaps without the airline's permission.
Defendant AAI assists AA in maintaining a web site that enables customers to purchase tickets online. In taking reservations and selling tickers, the site collects personally identifiable information, including passengers' names, addresses, telephone numbers, AAdvantage account and flight information, credit/debit card information, emergency contacts, seating and dietary preferences, passport number and country of resident.
Although AA denied that it had released the information to the vendors, it admitted that it had authorized AAI to disclose the information to the TSA. According to AAI, AA authorized the release of the information to the vendors.
AA’s Web site privacy policy stated that the airline did not sell customer information, nor share a customer's e-mail address with third parties, unless required by law, and did not disclose customer information to companies affiliated with the airline, or with unaffiliated third parties, except to fulfill products or service customer requests. The policy stated that the airline did disclose information to countries' tax, security or regulatory authorities, if required by law.
According to the court, there was no ECPA violation because the ECPA concerns unauthorized access or access in excess of authorization--not unauthorized use after a lawful access. The claim was deficient, according to the court, because “[plaintiffs] are relying on a theory of unauthorized disclosure of information, not of access that exceeded what was authorized." Because the disclosure did not violate the ECPA, the court dismissed conspiracy claims that plaintiffs had asserted against the vendors.
The court also found that the breach of the privacy policy did not constitute an ECPA violation because, according to the court, ECPA is a criminal statute, and "the mere breach of a contract normally is not 'unlawful' in a criminal sense."
AA was not so lucky on the plaintiffs’ breach of contract claim. The court allowed that claim to proceed. It noted, "[I]n other words, the laws that American maintains are external to the contract are expressly incorporated into it." On this basis, the plaintiffs were permitted to seek recovery from a jury.
The lesson from this case is that whether or not privacy promises are enforceable under federal criminal law, state contract law may be used to enforce them. The best strategy, as usual, is to do what you promise!
CAN-SPAM ACT APPLIES ONLY TO FALSE HEADERS
According to an Idaho federal court, an e-mail message containing false information in the body of the message does not violate the federal CAN-SPAM Act. That Act only prohibits false information in the e-mail header.
In the case, an Internet service provider, alleged that Real Networks Inc. violated the CAN-SPAM Act because it transmitted numerous e-mail messages through the plaintiff's network whose contents falsely stated that the recipients requested or permitted the defendant to e-mail them.
According to the complaint, the body of the e-mail falsely stated that , "You are receiving this e-mail because you downloaded RealOne, RealPlayer or RealJukebox from Real.com and indicated a preference to receive product news, updates, and special offers from RealNetworks."
But according to the court, even if the allegation is true, the complaint failed to allege a violation of the CAN-SPAM Act. Reading the statute narrowly, the judge found that the Act prohibits materially false or misleading information in a message's "header information"--not in the body of the e-mail itself. It declined to read the CAN-SPAM Act's definition of "header information," to include information contained in the message body.
It’s hard to imagine that Congress intended for the CAN-SPAM ACT to permit false messages, while banning only false headers. If this ruling holds, it may be time for an amendment!
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.