A federal court in California handed Delta Air Lines a win this year by dismissing a putative class action arising from an alleged data breach. The court ruled that Delta’s publicly posted Privacy Policy was not a contract and, therefore, placed no enforceable obligation on the airline to keep its customers’ data secure.
The complaint filed by the plaintiff, on behalf of the class, asserted claims for relief based on breach of contract, unjust enrichment, bailment and violation of both the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA) after the airline suffered a data breach in September 2017 but waited to inform customers until April 2018. The plaintiff made these allegations in reliance of what she called an “integrated contract,” which included Delta’s Privacy Policy, the Contract of Carriage and the ticket issued to customers.
U.S. District Judge Michael W. Fitzgerald, in granting Delta’s motion to dismiss, agreed with Delta’s argument that the Airline Deregulation Act (ADA) preempted the plaintiff’s breach of contract claims and further stated that it was unclear on which “contract” the plaintiff had based her claim. The court was unmoved by the plaintiff’s argument that data breaches are a basic and foreseeable risk that obligate companies such as Delta to protect customer data and concluded that the plaintiff’s reliance on an “integrated contract” was unfounded.
As an initial matter, the court determined that the Contract of Carriage itself contains no self-imposed promise from Delta as to how it will handle customer data, nor does it promise what specific procedures third-party vendors of tickets that have access to such data will undertake. The contract specifically states:
The passenger recognizes that personal data has been given to carrier for the purposes of making a reservation, obtaining ancillary services, facilitating immigration and entry requirements, and making available such data to government agencies. For these purposes, the passenger authorizes carrier to retain such data and to transmit it to its own offices, other carriers, or the providers of such services, in whatever country they may be located.
The language of the contract, according to the court, makes it clear that while customers specifically permit Delta to use customer data for the aforementioned purposes, there is nothing in the contract that precludes Delta from using customer data for any other unmentioned purpose. The court further rejected the plaintiff’s argument that the Privacy Policy creates a reasonable expectation of privacy on the part of Delta customers, despite stating that it is not a contract on its face because it expressly states that it “is not a contract and does not create any legal rights or obligations.”
Based on the foregoing, the court granted Delta’s motion to dismiss with leave to amend as to the breach of contract claim. The full text of the order in McGarry v. Delta Airlines, Inc. can be found here.
Delta’s victory is unique in that it is the first time that a court has determined that a business owes no obligation of privacy to a customer because its Privacy Policy explicitly disclaims any type of contractual relationship between the business and its customers. Prior court decisions where privacy policies were not considered contracts have involved cases in which the consumer could not demonstrate actually having read the company’s privacy policy in the first place. Notably, the California federal court has put forth a new approach to the question of whether a breach of contract claim can be successfully brought by a plaintiff based on the terms of a general privacy policy or statement, and only time will tell whether this approach will be adopted by other courts across the nation.
In the meantime, companies should assess their privacy policies or statements to determine whether they include explicit language disclaiming contractual obligations if they hope to avoid liability arising out of a claim of breach of such privacy policy or statement. While this may not play out in the same manner in every court, the precedent indicates that it is better to be safe than sorry.
For questions and assistance regarding this topic, please feel free to contact any member of our Privacy and Data Security Team.