Deceptive Privacy Promises Violate Lanham Act

Thomas Hughes, Lisa J. Sotto and Maureen C. Cooney
June 5, 2008 — 792 views  

A jury recently awarded $4.5 million to CollegeNET Inc. (CollegeNET) for damages sustained as a result of unfair competition by rival XAP Corp. (XAP).  XAP was held liable for false and misleading statements it made about the privacy of personal data collected from users of its web site. CollegeNET v. XAP Corp., 03-CIV-1229-BR (October 5, 2006). The argument against XAP hinged on the company’s failure to convince the judge (on an earlier summary judgment motion) and the jury (at trial) that an opt-in provision constituted express consent to disclosure of the user’s personal information.

This case illustrates how a competitor can use privacy statements, as opposed to conventional advertising claims, as the basis of a Lanham Act challenge. It is also a warning to companies to examine—from the standpoint of a reasonable consumer—all reasonable interpretations of the privacy representations they make, as well as the language they treat as consent to share customer data. If reasonable consumers would not understand that they had given consent to share their personal information, neither would reasonable jurors.

Both the plaintiff, CollegeNET, and the defendant, XAP, provide online college admissions processing. CollegeNET charges the colleges and universities for its services, while XAP provides its services for free to educational institutions, but charges fees to commercial organizations, such as state agencies, loan-guaranteeing authorities, banks, and other lending institutions.

Prospective college students access XAP’s services through a number of web sites, some of which contain the following statement: “[p]ersonal data entered by the User will not be released to third parties without the user’s express consent and direction.” Other sites stated, “[t]he information you enter will be kept private in accordance with your express consent and direction. Click here to view the Privacy Statement.”
Some of the sites offered people the opportunity to obtain information about financial aid and student loans. To do so, users needed to check “yes” in response to the question, “[a]re you interested in receiving information about student loans or financial aid?” XAP shared the personal data of those who answered “yes” with those government and commercial institutions that partake of its services.

CollegeNET claimed that XAP violated the federal Lanham Act by making false representations to colleges and universities  about the privacy of the data it collects from prospective college students. Despite representing that it would not disclose personal data without the user’s express consent, it revealed such data if the applicant opted to receive information about financial aid and student loans. These misrepresentations placed CollegeNET at a competitive disadvantage and diverted some of its sales to XAP.

Prior to trial, XAP moved for summary judgment on the Lanham Act claim and argued, among other things, that its privacy statements were not deceptive because by opting in to receive product information, the users were expressly consenting to the disclosure of their personal information. It also argued that its privacy statements were not actionable “statements of fact” because they merely described how XAP would handle information and thus were “incidental, not intrinsic, to the company’s products and services.” The court disagreed and left these and other issues relevant to the Lanham Act claim for the jury. After trial, the jury returned a verdict in favor of CollegeNET and awarded it $4.5 million for XAP’s violation of the Lanham Act.

Several points from this case are worth noting:

  • It is not surprising that the jury rejected the argument that, by agreeing to receive product information, users “expressly consented” to disclosure of their personal data. Companies should use principles of advertising claim interpretation to determine all messages conveyed to reasonable users by their privacy statements, as well as any language they are treating as consent to disclose personal information. If reasonable users would not understand that they are consenting to the disclosure of their personal data, the statements should be revised.
  • The argument that a privacy policy or statement is “not a statement of fact” because it is “incidental” is weak, and getting weaker everyday, especially when a company’s business is collecting and packaging customer data. When asked in a consumer survey or while sitting on a jury, consumers will likely find that such statements are material to their decisions to provide information, as well as material to entities that purchase data, relying on company representations that consumers made informed decisions to share that data.
  • In addition to the Federal Trade Commission and state attorneys general scrutinizing privacy promises, another potential legal threat looms from competitors who can allege a cause of action under the Lanham Act for false statements regarding privacy practices.

Thomas Hughes, Lisa J. Sotto and Maureen C. Cooney

Hunton & Williams