Recently, New York AG Eliot Spitzer settled a case against Datran Media that could have some wide-ranging implications for information privacy law. Datran Media styles itself “a leading performance-based marketing company with Enabling Technology that connects marketers to consumers through a comprehensive set of email marketing and digital media services.” This is basically a verbose way of saying that it sends unsolicited email, which is perhaps a kind way of describing spam.
Datran obtained personal information from other companies which violated their privacy policies in selling the data to Datran. According to the AP:
The Internet “customer acquisition” companies proclaimed on their websites that they wouldn’t lend or sell the information provided. Consumers were often enticed to reveal their names, addresses and financial data in exchange for free iPods and DVD movies.
Spitzer accused Datran of knowing of the companies’ pledges but nevertheless spamming those consumers with unsolicited e-mails advertising discount drugs, diet pills and other products. Spitzer’s staff said it believed this was the largest deliberate breach of Internet privacy discovered by U.S. authorities.
In other words, the theory of the case was that Datran engaged in “unfair and deceptive trade practices” when it acquired and used information which it knew was being improperly supplied. Datran settled with Spitzer for $1.1 million. The settlement agreement is here.
Obviously, the database industry is up in arms. In an article critical of the case, Kirk Nahra, a partner at the law firm of Wiley Rein & Fielding, LLP, describes it as an “Alice-in-Wonderland result.” He observes that “Spitzer is holding Datran liable for the list seller’s violation of its own policies.” He goes on to write:
How far will this go? Does the vendor have to review underlying consents? Does the vendor have to engage in an audit of the list supplier’s privacy practices? How does this new vendor-to-vendor due diligence obligation affect the already growing client-to-vendor oversight obligations?
Obviously, it is too soon to know the full implications of this case—including whether there are any real implications beyond this specific set of facts and companies. It is clear, however, that the Datran settlement adds a new and difficult dimension to vendor contracting, making it even more time consuming and burdensome to retain vendors for any activity that involves personal information. Is that really a result that protects people’s privacy?
I don’t think that the Datran theory is so outlandish. Under fiduciary duty law, a person can be liable for knowingly accepting the benefit of a breach. The law restricts knowingly receiving stolen property. And the federal Wiretap Act of ECPA penalizes any person “who intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.” 18 U.S.C. § 2511(1)(c). Therefore, many other areas of the law recognize the concept of liability for knowingly benefiting when another party has violated the law or breached a duty to another.
Chris Hoofnagle has an excellent discussion of the implications of this case:
As a result of the case, it’s clear that it is unfair and deceptive to acquire personal information knowing that the data come from a site that promises not to sell it. But does it also mean that Datran violated the law in cases where it didn’t know or should have known about the sellers’ privacy policies?
Guidance may be found later in the settlement agreement, where Datran agreed to independently review the provenance of all personal information it buys, to confirm that the seller explicitly stated to consumers that the data could be transferred to third parties, and to keep copies of these privacy policies.
In order to limit exposure to further lawsuits, all purchasers of personal information are going to have to exercise more due diligence in how they select lists.
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.