
E-Commerce News

Emotional Harm Is Actionable Under the Privacy Act; Non-Spam Filtering Allowed in Good Faith

Emotional Harm Is Actionable Under the Privacy Act

According to a federal trial court in Washington, D.C., embarrassment, inconvenience, and mental distress constitute sufficient damages to support a data-breach claim under the 1974 Federal Privacy Act.

The data breach claim arose when a group of Transportation Security Administration (TSA) employees alleged that TSA lost a hard drive containing their personal information, violating the Privacy Act and causing them emotional harm and embarrassment.  They claimed they were entitled to monetary relief.

In its defense, TSA moved to dismiss all claims, arguing the employees lacked standing and that their Privacy Act claims lacked merit, for want of sufficient damages.  The court denied TSA’s motion.

The Privacy Act governs the collection, maintenance, and dissemination of personal information by federal governmental agencies. The Privacy Act requires that federal agencies maintain security and confidentiality of information sufficient to protect individuals (whose information is maintained) against substantial harm, embarrassment, inconvenience, or unfairness.

To bring claims under the Privacy Act, plaintiffs must have sufficient facts to allege: (1) that the defendants acted willfully or intentionally; (2) that the plaintiffs were adversely affected; and (3) that the plaintiffs suffered actual damages.

The TSA employees claimed that TSA knew about the security weaknesses in its system and that its failure to fix the weaknesses constituted "acting willfully or intentionally." The employees claimed that their embarrassment and mental distress were a sufficient "adverse effect."

There is little guidance about what constitutes "actual damages."  Although the Supreme Court requires plaintiffs to prove "actual damages" to succeed on an alleged Privacy Act violation, it has never defined "actual damages."

Here, the trial court found that the emotional damages, although non-pecuniary, qualified as "actual damages" because nowhere does the Privacy Act state that financial loss is a prerequisite. This determination, combined with the court’s finding that the employees’ alleged injury had already occurred (and did not hinge on a third party’s misuse of the data), prompted the judge to approve the employees’ standing.

The D.C. district court’s decision to approve emotional harm as actual damages follows the recent trend to allow Privacy Act claims seeking compensatory damages to proceed. As with any trend, it will be interesting to see just how long it lasts and how broadly courts will construe "actual damages."

Non-Spam Filtering Allowed in Good Faith

Internet service providers that block e-mails suspected to be "spam" qualify for immunity under § 230 of the Communications Decency Act if they filter the messages in good faith.

An e-mail marketer brought the case against Comcast. The marketer alleged that Comcast’s filtering and blocking of its bulk e-mails violated the First Amendment as well as the Computer Fraud and Abuse Act. It also argued that its messages were not "spam" and were blocked in bad faith.

The CAN-SPAM Act (CAN-SPAM) lists the criteria for an e-mail to avoid qualifying as "spam." The marketer argued that because its e-mails complied with the "non-spam" criteria of the CAN-SPAM Act (including accuracy of the header and clear opt-out features), Comcast was liable for blocking it.

The immunity provisions of the Communications Decency Act (CDA) apply to Internet service providers in blocking certain material.  These "good Samaritan" provisions protect providers and users of internet service from liability for restricting any material "the provider or users consider to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."

In its defense, Comcast argued the marketer’s e-mails were "objectionable," so the filtering was protected under the CDA’s immunity provisions. Conversely, the marketer argued CDA immunity provisions did not cover Comcast because the blocked e-mails complied with CAN-SPAM.

The judge sided with Comcast, dismissing the action. The court looked with favor on a 2007 decision which held that a subjective determination of "objectionable material" is permissible if it is made in good faith. In this case, the court found Comcast’s subjective determination justified and in "good faith." Based on their sheer volume and negative clogging effects, the marketer’s bulk e-mails were "objectionable," regardless of whether they were technically "spam" according to CAN-SPAM.

Therefore, the court found the marketer’s CAN-SPAM compliance argument irrelevant and its "bad-faith" argument inadequately pled. The court explained that the purpose of the CAN-SPAM Act was not to create more litigation concerning "spam" or "non-spam." Absent a showing of bad faith, an ISP that has already qualified for immunity will not be liable for filtering "objectionable" non-spam e-mails. The court found no "bad faith" in Comcast’s filtering process.

Even if an e-mail complies with CAN-SPAM, the CDA immunity provisions apply when it is blocked in "good faith." The court found that to hold otherwise would render the CDA meaningless.

This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.