Can We Rely on Privacy Policies?

With the recent case of Saffold v. Plain Dealer Publishing Co., involving a newspaper website that outed an anonymous commenter who was a judge, we invited Woodrow Hartzog to write a post about these issues.  Woodrow is the author of a terrific article about the enforceability of the privacy policies (via promissory estoppel) of online communities and social network websites, forthcoming in Temple Law Review. — DJS


Virtually every website you visit has a privacy policy.  These policies are often incorporated into a website’s terms of use.  This attachment of contractual obligation to privacy policies has significant implications.  Like many standard-form contracts, these policies are often vague or practically unreadable, leaving most users with only a general sense of how their personal information will be treated.  Yet, privacy policies often begin with promissory language along the lines of “we are committed to protecting your privacy and handling any personal information we obtain from you with care and respect.”  Thus, the language in privacy policies raises a number of questions.  Are website promises to protect anonymity binding?  Can these promises create a reasonable expectation of privacy?

The recent spate of lawsuits addressing a website’s privacy policies and terms of use seems important beyond the First Amendment implications aptly addressed by others.  A few of these decisions seem to pop up every year.  Yet, inevitably, most of them provide only a cursory analysis of the effect of contracts on privacy.  As a result, it’s unsurprising that these decisions are often met with ambivalence or a general sense of irrelevance. Many commentators rightly observe that courts are reluctant to find actionable damages for adherents to online agreements when websites violate their own terms.

Yet a few of these lawsuits seem to buck the trend by focusing on a user’s reliance on representations of confidentiality by a website.  The recent decision in McVicker v. King, No. 09-cv-436 (W.D. Pa. March 3, 2010) is worth noting as an explicit finding that a privacy policy can create an expectation of privacy for users.

In this employment dispute, the plaintiff William McVicker subpoenaed Trib Total Media, publisher of the, for information disclosing the identities of a number of users commenting pseudonymously on their website. The plaintiff argued that the identities of the users were needed to impeach the testimony of the defendants who fired him.

The United States District Court for the Western District of Pennsylvania denied McVicker’s motion to compel the publisher to reveal the identities of the website’s users.   The court based its denial on several grounds including the fact that “disclosure of the anonymous internet speakers’ identities is not appropriate under the rights guaranteed by the First Amendment.”  (See the Citizen Media Law Project’s First Amendment analysis here.)

Yet what seems most interesting about this case is the court’s attention to the website’s privacy policy.  The court “summarily rejected” the plaintiff’s argument that the terms of service of the website do not create any expectation of privacy in their identities.  As support, the court cited the website’s statement of corporate policy which echoes the beginning of many online privacy policies: “[p]rotecting consumer privacy online is important to us.  By taking steps to protect the privacy of our members, we also hope to increase members’ confidence in the site and as a result, increase their online activity.”  After citing a bit more of the policy, the court found that “[t]he privacy policy clearly reflects that Total Trib Media will disclose its users personally identifiable information only in very limited situations.  Thus the Court finds that the terms of service of the blog create an expectation of privacy for any registered user.”

Thomas O’Toole at Techlaw criticized the court’s approach: “The website privacy policy was pretty standard stuff, including assertions that the website operator will use personal information submitted “only as permitted by law,” and that ‘[t]he Company may also disclose your information in response to a court order, and at other times when the Company believes it is reasonably required to do so.’”

While I wish the court had provided more detailed analysis regarding the creation of an expectation of privacy, I don’t think the decision should be given short shrift.  While the court doesn’t explicitly mention it, it seems to be making a finding based on a reliance of the website’s representation of confidentiality.  The court specifically identified the vague language used by the website that was seemingly intended to instill a sense of confidence and trust that the website will protect users’ personal information.

These terms explicitly lay out the bargain proposed by the website: We want you to contribute to the website.  In return, we will protect your privacy.  As a result, phrases such as “the company may disclose your information [when it] believes it is reasonably required to do so” cannot be interpreted in isolation.  Instead, terms in online agreements must be couched within the broad promise of confidentiality and attempt by the website to induce a user’s reliance on confidence in exchange for revenue-generating, personally identifiable information.

Consequently, the McVicker decision is interesting not only for the explicit language used by the court, but also for the reliance interest which seemingly supported its conclusion.  This decision could serve to foreshadow the result in Saffold v. Plain Dealer Publishing Co. as it is seemingly in line with Dan’s analysis of claims for breach of contract, promissory estoppel, and breach of confidentiality.


Woodrow Hartzog is a Roy H. Park Fellow and Ph.D. student at the University of North Carolina at Chapel Hill School of Journalism and Mass Communication.

You may also like...

1 Response