While privacy policies are often presented alongside Terms of Service (ToS), their legal character has been contested. Are they binding contracts, mere notices, or something in between? U.S. courts have developed divergent approaches, often depending on how the policies are presented and whether traditional principles of contract formation are satisfied.
1. Privacy Policies as Contractual Promises
A privacy policy can create enforceable obligations when it is incorporated into ToS the user actually accepts. Standing alone, however, courts have repeatedly refused to treat it as a contract:
- In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005) — dismissed breach of contract claims because JetBlue’s posted privacy policy was a unilateral policy statement rather than part of a bargained-for exchange, and the passengers alleged no cognizable contract damages from the disclosure of their data.
- In re Northwest Airlines Privacy Litig., 2004 WL 1278459 (D. Minn. 2004) — similarly held that a privacy statement on the airline’s website did not create a contractual duty where it was not incorporated into terms accepted by the user; the plaintiffs did not even allege that they had read it.
Principle: A privacy policy is generally not enforceable as a contract unless explicitly integrated into an agreement the user assents to (e.g., via clickwrap).
2. Deceptive Practices and the FTC
Even where privacy policies are not contracts, they may create enforceable obligations under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), which prohibits “unfair or deceptive acts or practices.”
- FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) — affirmed the FTC’s authority under the “unfairness” prong of Section 5 to bring enforcement actions over inadequate data security practices, and held that Wyndham had fair notice that its practices could fall short. (The FTC also alleged that Wyndham’s privacy policy misrepresented its security safeguards, but that deception count was not at issue on the appeal.)
- In re Snapchat, Inc. (FTC Consent Order 2014) — Snapchat agreed to restrictions after allegedly misrepresenting the ephemerality of messages.
Key Distinction: Even where a court declines to enforce a privacy policy as a contract, a gap between what the policy says and what the company actually does can be a deceptive practice, and an inadequate security program can be an unfair one, either of which can trigger FTC enforcement.
3. Contract Modification and Data Rights
A recurring issue involves unilateral modification of privacy policies.
- Douglas v. Talk America, Inc., 495 F.3d 1062 (9th Cir. 2007) — a company cannot bind users to new terms (including changes to data practices) merely by posting them online without notice or assent.
- Courts require reasonable notice and manifestation of assent for modified terms to be enforceable.
4. Arbitration of Privacy-Related Claims
Where privacy policies are integrated into ToS containing arbitration provisions, disputes over data collection and usage can be compelled to arbitration, but only if the user assented to the version of the ToS that contained the clause and the clause reaches the claim at issue. The same contract-formation questions govern other forum and governing-law clauses in a ToS:
- In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) — Facebook moved to dismiss Illinois Biometric Information Privacy Act (BIPA) claims by invoking the California choice-of-law clause in its user agreement, under which no BIPA claim could lie. The court declined to enforce the clause for those claims because applying California law would contravene Illinois’s fundamental policy on biometric privacy and Illinois had the materially greater interest. The case illustrates that an assented-to ToS clause does not automatically dictate the forum or law that governs statutory privacy claims; courts look at what the user agreed to, when, and whether the clause can lawfully reach the claim.
5. Limits of Contractual Waivers
Companies cannot contract around statutory rights related to privacy and data security. For example:
- Courts are reluctant to give effect to ToS clauses that would strip users of rights under statutes such as the Electronic Communications Privacy Act (ECPA) or state biometric privacy laws; the Facebook biometric litigation above, where a choice-of-law clause could not be used to defeat BIPA claims, is one illustration.
- Even an enforceable ToS cannot override mandatory statutory protections; at most it can affect where and how (e.g., in arbitration) those statutory claims are heard.
Key Takeaways
- Privacy policies, standing alone, are often treated as unenforceable policy statements rather than contracts.
- Once incorporated into ToS with clear assent, they may create contractual obligations.
- FTC enforcement fills the gap where contract law does not, policing deceptive practices.
- Unilateral modifications to privacy terms are vulnerable unless users are given notice and opportunity to assent.
- Contract law cannot displace statutory privacy rights, which remain enforceable regardless of ToS language.
In the next post, we’ll turn to Drafting ToS as a Business, focusing on how U.S. case law informs best practices for enforceability and risk allocation.
