Delta Air Lines scored a victory when a California federal court granted the company’s motion to dismiss a putative class action based on a data breach, primarily by arguing that its publicly posted privacy policy is not a contract and Delta did not have any enforceable obligation to keep the plaintiff’s data secure.
Teresa McGarry sought to represent a nationwide class of consumers alleging breach of contract, unjust enrichment, bailment and violation of both the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA) after the airline suffered a data breach in September 2017 but waited to inform customers until April 2018.
Delta moved to dismiss the action, arguing that the Airline Deregulation Act (ADA) preempted the plaintiff’s claims. U.S. District Judge Michael W. Fitzgerald agreed and found that precedent interpreting the federal statute holds that the “broad scope of ADA preemption sweeps claims as broad as those related to state consumer protections statutes, frequent flyer programs, common law covenants and advertising guidelines because they all have a connection to the core part of the ‘services’ that an airline provides, but does not sweep claims related to ‘amenities’ that airlines provide,” such as in-flight beverages and personal assistance to passengers with a disability.
With this background, the court found no enforceable contract in which the plaintiff could move forward on or make an argument that she was a third-party beneficiary to the contract between Delta and its online ticket provider, 24[7], a company that provides online chat services and collects user data for Delta, because it would require the court to look outside the contract between Delta and 24[7].
Nor could the plaintiff assert a breach of contract based on Delta’s privacy policy, as it expressly disclaimed that it constitutes a contract, stating, “This Privacy Policy is not a contract and does not create any legal rights or obligations,” the court noted, further rejecting an argument based on the “interconnected” nature of Delta’s Privacy Policy, the Contract of Carriage and the ticket issued to the travelers.
McGarry unsuccessfully argued that Delta built a perception among consumers that its data protection policies were adequate, creating a false sense of security and breaching state consumer protection and data breach laws by failing to maintain sufficient security, according to the complaint.
This isn’t the first time an airline has successfully gotten out of the terms of an agreement it wrote. When Northwest Airlines turned over to the U.S. government volumes of customer data in abrogation of its privacy policies, the customers sued. In that case, the court ruled that Northwest airlines was not bound by its own privacy policy (which the court described as a “general statement of policy” and not contractual), particularly in cases in which the customers whose data was breached could not demonstrate that they “actually read the privacy statement prior to providing Northwest with their personal information.”
Finally, the court found that the plaintiff failed to satisfy the statutory requirements to form the basis of either an SCA or CFAA claim, lacking evidence of a knowing state of mind or that Delta gained access to her computer without authorization or that her customer data was accessed through the placement of unauthorized cookies.
The court granted the motion to dismiss with leave to amend.
To read the order in McGarry v. Delta Air Lines, Inc., click here.
Why it matters: The key to Delta’s victory may have been a novel theory that its privacy policy should not be treated as a contract with a consumer. However, at a minimum a company’s privacy policy will still serve as a notice of the company’s information practices with respect to data collected from its customers. Further, while the policy may not be a binding agreement between a company and its customer, the FTC has frequently pursued companies that failed to adhere to their own security and privacy policies as a violation of Section 5 of the FTC Act. Thus, even though a plaintiff may not successfully bring a claim based on a breach of a privacy policy, the FTC will still hold companies responsible for failing to live up to their privacy promises. Therefore, it is always a good idea to reexamine your current privacy policy to make sure it accurately reflects your company’s practices.