Who Owns Transaction Information?

Posted on May 24, 2008 by Michael Froomkin

Although I usually couldn't care less about celebrity gossip, I was very interested to see this article (in the India Times, no less!), TomKat threaten to sue baby store over leaked shopping details.

Basically, these two celebs claim a right of privacy and a violation of their right of publicity because a store they shop at has been blabbing the details of their purchases.

I'm interested in this because back when I was writing one of the early articles about digital certificates, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 Ore. L. Rev. 49 (1996), I had a heck of a time finding relevant law on the subject of the ownership of transaction information, a problem that persisted into the writing of The Death of Privacy?, 52 STAN L. REV. 1461 (2000). I finally concluded that for ordinary transactions, where there was no special duty of confidentiality (e.g. lawyer, doctor) or celebrity with a special right of publicity, the basic rule was that customer and merchant both own the facts and can do what they wish with them.

The right of publicity claim is a narrow one: the shop can't claim endorsement by the celebrity (e.g. by using their images in an ad), but that doesn't amount to a gag order. For example, the shopkeeper can certainly brag to customers so long as s/he doesn't imply or claim an endorsment.

But the privacy claim? Absent either a contractual or legal duty, it's just not there. Maybe it should be, but that will take a change in the law.

This entry was posted in Law: Privacy. Bookmark the permalink.

5 Responses to Who Owns Transaction Information?

  1. Chris Hoofnagle says:
    May 24, 2008 at 10:54 am

    Michael, our recent report on Californians’ perceptions of privacy rules *offline* might be interesting with respect to TomKat. We’re finding that most consumers think that privacy is built in by default in consumer transactions. From the abstract:

    “…We asked a representative sample of Californians about the default rules for protecting personal information in nine contexts. In six of those contexts (pizza delivery, donations to charities, product warranties, product rebates, phone numbers collected at the register, and catalog sales), a majority either didn’t know or falsely believed that opt-in rules protected their personal information from being sold to others.”

    It’s online at http://ssrn.com/abstract=1133075

  2. Ben Hyde says:
    May 24, 2008 at 7:28 pm

    I presume it is also the case that you shouldn’t presume you can see the transaction data from the another party with whom you have an ongoing commercial relationship. For example the bank, google, amazon shares your account transaction data with you at their pleasure.

    But yes, the gossip case where in the other party shares some or all the transaction with yet other parties is, or course, where it gets the most entertaining.

  3. md 20/400 says:
    May 25, 2008 at 7:28 pm

    There was a case of transactional publicity that resulted in a new law: Clarence Thomas’ video rentals.

  4. froomkin says:
    May 25, 2008 at 7:37 pm

    Right bill, wrong judge: that was Judge Bork’s (innocuous) video rental record. As I wrote in “The Death of Privacy?”,

    A very small number of statutes impose limits upon the sharing of private transactional data collected by persons not classed as professionals. The most important may be the Fair Credit Reporting Act. (255) In addition to impressing rules designed to make credit reports more accurate, the statute also contains rules prohibiting credit bureaus from making certain accurate statements about aged peccadilloes, although this restriction does not apply to reports requested for larger transactions. (256) More directly federal privacy-oriented commercial data statutes are rare. The Cable Communications Policy Act of 1984 forbids cable operators and third parties from monitoring the viewing habits of subscribers. Cable operators must tell subscribers what personal data is collected and, in general, must not disclose it to anyone without the subscriber’s consent. (257) The “Bork Bill,” formally known as the Video Privacy Protection Act, also prohibits most releases of customers’ video rental data. (258)

    255. 15 U.S.C. §§ 1681-1681s (1999).

    256.See id. § 1681c (prohibiting reporting of bankruptcies that are more than 10 years old; “[c]ivil suits, civil judgments, and records of arrest that, from date of entry, antedate the report by more than seven years or until the governing statute of limitations has expired, whichever is the longer period;” tax liens paid seven or more years earlier; or other noncriminal adverse information that is more than seven years old. None of the prohibitions apply if the transaction for which the report will be used exceeds $150,000, or the job on offer pays more than $75,000 per year.); see also id. § 1681k (requiring that consumer credit reporting agencies have procedures in place to verify the accuracy of public records containing information adverse to the data subject).

    257. 47 U.S.C. § 551 (1999).

    258. 102 Stat. 3195 (1988) (codified as 18 U.S.C. § 2710 (1999)). The act allows videotape rental providers to release customer names and addresses to third parties so long as there is no disclosure of titles purchased or rented. Customers can, however, be grouped into categories according to the type of film they rent. See id. § 2710(b)(2)(D)(ii).

  5. Tony Whitfield says:
    May 27, 2008 at 10:51 am

    It’s worrying to think how much data is gathered about us online and what’s done with it, some business models are built around user data as being one of the biggest assets such as Google.

    There needs to be more regulations put in place governing the use and handling of this data, especially the deletion of online accounts after you terminate services. Mostly you have no clue what happens after you close an online account, is it deleted off the server, just your login removed and the full account remains, sold to the Russians? Who knows generally you can’t find out this information.

Comments are closed.