Even as federal courts become more lenient with affording standing in data breach lawsuits, limits remain to the type of claims courts will permit to proceed. The United States District Court for the Central District of California provided a recent example on June 18, 2019, in dismissing a suit against Delta Air Lines arising from a data breach suffered in 2017 by a vendor for Delta that supports the company’s website by providing chat services and collecting customer data (this good information will give you more data on that).
In McGarry v. Delta Air Lines, Inc,[1], a customer/passenger filed a putative class action against Delta asserting causes of action for breaches of contracts, including Delta’s contract of carriage and its published privacy policy, which the customer alleged were incorporated into the purchase of the ticket. In dismissing the claim, the court noted that while the contract of carriage referenced the collection of customer data, it did not contain any agreement as to how the data would be handled and, therefore, the mishandling of the data could not be a breach of the agreement. Further, the court observed that Delta’s privacy policy, which is referred to on the customer’s receipt for her ticket purchase, expressly states that “[t]his privacy policy is not a contract and does not create any legal rights or obligations.”
Delta avoided certain other state claims, in this and other
actions, by relying on the protections afforded to it under the federal Airline
Deregulation Act. While other businesses may not have that law to rely on, they
can still take a lesson from the McGarry case and include expressly
limiting language in their privacy policy, and any other agreements or public
facing material that references such a policy.
[1] C.D. Cal, No. 2:18-cv-09827, DE 130 (June 18, 2019)