Courts are increasingly treating Privacy Policies as enforceable promises, not just regulatory notices. If your policy says you will not share data, will delete it after one year, or will encrypt it at rest, a judge may treat those statements like contract terms or warranties and hold you liable if they are not true. For businesses, this means every line of the Privacy Policy must be drafted as if it will be read aloud in court one day.

For example, if your Privacy Policy states that you will not share user data with third parties, and then you go on to do so, your business could be sued for breach of express contract in some jurisdictions. While not all cases brought by individual consumer plaintiffs and classes (groups of plaintiffs with a common complaint) so far have been successful, it is vital that your business takes steps to protect itself against this threat.

This article will examine how Privacy Policies can become enforceable promises, which jurisdictions allow such cases, how courts interpret them, and what your business can do to avoid accidental liability.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



How Contract Law Can Apply to Privacy Policies

In US courts, Privacy Policies can support at least four types of contract‑based claims, and each one turns everyday drafting choices into potential litigation risk.

Before looking at how courts have applied these principles in practice, it helps to understand the contract law theories under which a Privacy Policy could be read as a set of binding obligations. Courts can interpret statements in your Privacy Policy as contractual promises, and there are four main types of breach of contract claim that a consumer who believes you have not complied with your privacy obligations could theoretically bring against your business.

Breach of contract

Especially when users assent to Terms and Conditions that incorporate the Privacy Policy, specific privacy statements could be interpreted as contractual terms.

Grounds for complaint: If a user discovers that a business retained their data for five years when the Privacy Policy said it would only retain it for one year, they may attempt to file a breach of contract suit.

Breach of implied contract

An implied contract does not have written terms, but arises from the relationship between the company and its users. By offering services that require users to share personal data, a company implicitly agrees to handle that data with care and in accordance with its Privacy Policy.

Grounds for complaint: Users of a social media service may argue that simply by signing up and sharing data, there was an implied promise that their information would be safeguarded. They may say that this brings a reasonable expectation of the Privacy Policy being treated as a contract.

Breach of express warranty

An express warranty is a definite, affirmative statement about the attributes of a product or service. If a Privacy Policy makes claims about its data security protocols, this could qualify as an express warranty.

Grounds for complaint: If your Privacy Policy claims all customer files are encrypted while at rest, yet a breach reveals it failed to do so for operational convenience, a lawsuit may follow.

Breach of implied warranty

An implied warranty is not written down; in this context it is the baseline expectation of ordinary care or security when handling personal data. Some of these expectations are codified in the Uniform Commercial Code.

Therefore, even if your business does not breach the terms of its Privacy Policy, it could still fall foul of contract law if it does not meet basic, unwritten standards of data security.

Grounds for complaint: If a company fails to provide an adequate level of security when providing services where it is expected as standard, such as a cloud computing service, then a breach of implied warranty suit could follow.

These categories show the different ways that Privacy Policy promises might form the basis of a legal complaint. But how do courts decide when a Privacy Policy really functions as a contract?

In practice, the safest approach is to treat all specific promises about retention, sharing, and security as if they were enforceable contract terms, and to involve product, security, and operations teams in reviewing them regularly.

How Your Privacy Policy Could Become an Enforceable Contract

A Privacy Policy is not designed to be a contract. Instead, it is meant to function as a notice that informs data subjects (users and customers) about the data you collect, how you gather it, and what you do with it. It is designed to be a representation, not a warranty or promise. That said, your Privacy Policy must comply with the Federal Trade Commission Act Section 5, which prohibits deceptive acts or practices, and the EU EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, which requires data security by design and transparent communication with users.

As the FTC Privacy and Security Enforcement guidance shown below indicates, you need to treat every statement in your Privacy Policy as if a court might enforce it literally. So, if you cannot prove any statement, either change it or remove it.

FTC - Protecting Consumer Privacy and Security - Privacy and Security Enforcement - clause

As the American Bar Association shows below, there is a crucial difference – a representation is a statement of fact rather than a promise of fact.

Text highlights differences between representations and warranties, noting representation is a statement of fact, warranty a promise of fact

Interpreting representations as promises

If your Privacy Policy is presented as part of your website's Terms and Conditions, individual plaintiffs in some jurisdictions could try to argue that the statement it contains forms part of a binding agreement between you and the user.

US courts have held that a Privacy Policy may become contractually enforceable when it is part of a clickwrap agreement. That means that the user had to actively agree to the terms of the Privacy Policy, such as by checking a box or clicking "I agree." In these cases, the wording of your Privacy Policy may move from being a representation that informs the user to a set of express promises that bind both parties.

On the other hand, a browsewrap agreement, in which users are deemed to accept terms simply by browsing a site, is not normally considered contractually binding.

Example case: In re JetBlue Airways Corp. Privacy Litigation (2005)

In this notable case, a group of plaintiffs alleged that JetBlue breached a contract with them by sharing customer data with a government contractor. As shown below in an excerpt from the litigation document published by VLex, this was despite a representation in its Privacy Policy that the financial and personal information it collected would not be shared with any third party.

JetBlue privacy policy states financial and personal information protected by secure servers and not shared with third parties

The New York court ultimately dismissed the case on two grounds:

  • Not a violation of the Electronic Communications Privacy Act (ECPA): The court ruled that because JetBlue was not an electronic communication service or remote computing service provider, it did not qualify as a defendant under the ECPA.
  • No compensable damages: The plaintiffs' complaint was ultimately dismissed under state common law, as they could not prove they had suffered compensable damages as a result of the Privacy Policy violation (see excerpt from ruling hosted by Wilson Sonsini Goodrich & Rosati).

    Plaintiffs allege harm to privacy interests without diminished personal information quality in amended complaint

Why the JetBlue case matters

While the case did not fulfil the plaintiffs' objectives, it did establish an important precedent: the court did not dismiss the complaint on the grounds that the Privacy Policy did not constitute a contract.

At the same time, courts describing JetBlue have stressed that a posted Privacy Policy does not automatically become part of the contract with customers: the plaintiffs failed to allege facts showing that the policy was incorporated into their contract of carriage. JetBlue is therefore best read as a warning in both directions: a Privacy Policy can support contract‑style theories if it is tied to the transaction, but plaintiffs must still plead contract formation and damages with specificity.

Since this case, and in spite of the development of many state privacy regulations, there has been a steady rise in the number of contract-based cases brought on the grounds of privacy violations in the United States. However, this has not been followed by an uptick in contract law complaints in other jurisdictions.

Example Case: Bass v. Facebook (2019)

In the case of Bass v. Facebook (2019), a group of users sued Facebook after hackers exploited a weakness in its data security systems and stole access tokens, exposing information from millions of accounts. The plaintiffs argued that by creating Facebook accounts and sharing personal data, they had entered into an implied contract with the company.

As the International Association of Privacy Professionals (IAPP) commented below, the court agreed that "Facebook's data use policy and terms of service were construed as contractual promises to limit data sharing, and the plaintiff properly alleged such contractual promise was violated."

Facebook's data use policy construed as contractual promises limiting data sharing, with breach of contract claims discussed

Why Bass v. Facebook matters

Although the case was ultimately unsuccessful due to a limitation-of-liability clause, which we will discuss later, it again showed that Terms of Service and Data Policies could be considered implied promises, or a contract between a business and its customers.

Subsequent analysis of Bass and similar cases highlights that breach‑of‑contract and implied‑contract theories are often the most promising paths for plaintiffs to clear standing and damages hurdles in US data‑privacy litigation, especially when statutory private rights of action are limited.

For businesses, Bass illustrates that clear "limitation of liability" and "warranty disclaimer" language in terms of service can materially reduce exposure even when a court is willing to treat privacy and data‑use statements as contractual promises.

So the lesson is that any statement in your Privacy Policy must be legally defendable in terms of both data privacy laws and contract law.

Why Risks Are Higher in the US than Other Jurisdictions

Unlike the EU and many other countries, the United States does not have one universal data privacy law. An increasing number of states have enacted privacy laws, with California, Colorado, and Virginia among the most comprehensive.

California allows individual users to take legal action when their rights are violated by data breaches, but most state privacy laws do not. Some US consumers have therefore explored alternative legal routes to seek damages for Privacy Policy violations, even when no data breach has occurred.

This is possible because, as we have seen, the US has a track record of courts entertaining cases that treat Privacy Policies as enforceable promises under tort or contract law. Tort law concerns civil complaints in which one person has been harmed by another person or organization. Using tort or contract law to resolve Privacy Policy breaches is much less common in other jurisdictions than it is in the United States.

| Jurisdiction | How Privacy Policies Create Risk | Likelihood of Contract-Based Claims |
|---|---|---|
| U.S. | Policies may become enforceable promises through contract or tort claims (e.g., JetBlue, Bass v. Facebook). | High |
| EU | Primarily GDPR regulatory enforcement; inaccurate policies may trigger fines. | Low–Medium |
| UK | Tort claims (misuse of private information) and GDPR-based damages possible. | Low–Medium |
| Canada | PIPEDA relies on regulatory complaints, not contract suits. | Low |

For businesses, it's important to ensure Privacy Policies and terms are contract‑ready for US users and coordinate with litigation counsel on limitation of liability and dispute resolution clauses in the document. Outside the US, you should align privacy notices tightly with regulatory requirements (GDPR, UK GDPR, PIPEDA) and incident‑response plans, as private contract claims remain less common but regulatory and tort exposure is significant.

Rising number of lawsuits

This is shown by a study by Reporters' Notes, which was cited in the book Empiricism and Privacy Policies in the Restatement of Consumer Contract Law by Gregory Klass. It highlighted multiple cases in which consumers used Privacy Notice violations as the basis for breach-of-contract claims.

Study found 51 consumer breach-of-contract claims for violations of privacy notices constituting contracts

These cases show no signs of slowing down. As shown below in a report by Wiley, in 2024, there were 1,970 data privacy lawsuits filed in federal courts, and more in state courts.

In 2024, over 1,970 data privacy lawsuits filed in federal courts, highlighting ongoing litigation

The takeaway is clear: if you target US consumers, you need to consider more than just regulators when designing your Privacy Policy. You must be able to prove you are delivering on every implied promise in the policy if one day a court interprets it as a contract.

How Privacy Policies are viewed outside the US

In other jurisdictions, users may also have the right to attempt Privacy Policy-violation lawsuits on the basis of contract or tort law.

However, such claims are much less common than in the United States. Outside the US, privacy-related civil claims more often rely on statutory rights under the GDPR or UK GDPR, or on torts such as misuse of private information, than on treating the Privacy Policy itself as a standalone contract.

Consider the following breakdown:

  • EU: If a user's rights under the GDPR, as set out in a Privacy Policy, are violated, Article 82 of the General Data Protection Regulation (GDPR) gives them the right to pursue statutory damages. If a user wanted to file a breach of contract claim, this would be at the discretion of the courts of the individual member state.
  • United Kingdom: Like the EU, the UK GDPR also gives users the right to pursue damages for material and non-material losses, which include actual financial losses and other intangible losses, such as mental distress. Even in notable cases such as Bekoe v. London Borough of Islington, the basis for the complaint was the misuse of private information and GDPR violations, rather than contract law violations.
  • Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) does not allow individuals the right to sue under PIPEDA, but they may seek compensation by filing a complaint with the Privacy Commissioner of Canada. It is less common for individuals or classes to seek compensation for violations of Privacy Policies under contract law.

This list is not exhaustive, but it underlines that in most non-US jurisdictions, it is uncommon for Privacy Policy violations to be considered breaches of contract law.

Why this matters to all businesses

However, this does not mean that businesses handling the data of non-US residents can afford to be complacent. As the UK Bekoe v. London Borough of Islington case illustrated, companies can still face civil claims under tort law, such as for misuse of private information.

Therefore, whether your customers are in the US, UK, Europe, Canada, or elsewhere, the underlying lesson is the same: your Privacy Policy should reflect your actual practices. Inaccurate statements create risk everywhere, even if the legal route to resolution differs from place to place.

How to Draft a Robust Privacy Policy

Courts and plaintiffs increasingly treat Privacy Policies as proof of what a company promised. Therefore, it's no longer enough to ensure it meets your privacy law obligations. Your company needs to treat it as a binding commitment – effectively, a contract between you and anyone who uses your website or services.

The following tips can help you do that in practice.

1. Ensure every statement is factual and verifiable

Write your Privacy Policy so that every sentence can be proven with evidence in discovery.

Avoid any language that sounds good, but could be misconstrued as a promise. For example, avoid marketing language such as "we take privacy seriously" or "we use industry-leading security." Instead, provide an appropriate level of factual detail and be prepared to prove it.

The example below from Facebook's updated Privacy Policy shows how it accomplishes this while satisfying the regulatory requirement to be highly readable. It links to more details on the "appropriate mechanisms" and gives a simple example of encrypting data during international data transfers. This language is factual and verifiable without bogging the Privacy Policy down with technical details that may soon require updating.

Facebook Privacy Policy - How do we Transfer your information - Section outlines safeguards for international data transfers, emphasizing encryption during transit to prevent unauthorized access

For in‑house teams, this usually means:

  • Maintaining written descriptions of security controls and retention practices that match the policy language.
  • Coordinating with security and engineering to confirm that statements about encryption, access controls, and deletion are accurate and current.
  • Scheduling periodic reviews so that new features or vendors do not quietly make the policy misleading.

2. Match words to operations

Every promise in your Privacy Policy, whether expressed or implied, must reflect a real process in your organization. This means mapping the entire flow of data through your systems, and depending on the size of your organization, it may require collaboration with multiple data-handling departments.

Review your data operations end-to-end:

  • What you collect
  • How you store it
  • How long you keep it
  • When and how you delete it

Then rewrite your Privacy Policy to reflect these real-world practices.
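One way to check that the words match the operations is to turn the policy's retention statements into machine-checkable limits and run them against an inventory of what is actually stored. The following Python script is an added example, not code from the original article or from TermsFeed: the retention periods, data categories and stored records are constructed for illustration. It flags two kinds of mismatch that the review above is meant to catch: records kept longer than the policy promises, and data categories the policy never discloses at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention promises extracted from a Privacy Policy, expressed as
# the maximum number of days each data category may be kept once its retention
# clock starts. Constructed values; not taken from any real company's policy.
POLICY_RETENTION_DAYS = {
    "account_profile": 365,   # "retained for one year after account closure"
    "support_tickets": 730,   # "kept for two years"
    "payment_tokens": 90,     # "deleted 90 days after the last transaction"
}


@dataclass(frozen=True)
class StoredRecord:
    record_id: str
    category: str
    retention_clock_start: datetime  # when the promised retention period began


@dataclass(frozen=True)
class Finding:
    record_id: str
    category: str
    problem: str
    days_over: int  # 0 when the problem is not a retention overrun


def audit_retention(policy, records, now):
    """Compare stored records against the policy's retention promises.

    Returns one Finding per record that is either kept longer than the policy
    allows or belongs to a category the policy does not disclose.
    """
    findings = []
    for rec in records:
        limit = policy.get(rec.category)
        if limit is None:
            # Data is being collected that the policy never mentions.
            findings.append(Finding(rec.record_id, rec.category,
                                    "category not disclosed in policy", 0))
            continue
        age_days = (now - rec.retention_clock_start).days
        if age_days > limit:
            findings.append(Finding(rec.record_id, rec.category,
                                    "retained longer than promised", age_days - limit))
    return findings


# Constructed sample inventory standing in for a real data store export.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    StoredRecord("u-1001", "account_profile", NOW - timedelta(days=200)),  # within limit
    StoredRecord("u-1002", "account_profile", NOW - timedelta(days=400)),  # 35 days over
    StoredRecord("pt-7", "payment_tokens", NOW - timedelta(days=120)),     # 30 days over
    StoredRecord("loc-3", "location_history", NOW - timedelta(days=10)),   # undisclosed
]


def run_sample_audit():
    """Run the audit over the constructed inventory and return the findings."""
    return audit_retention(POLICY_RETENTION_DAYS, SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.record_id:8} {f.category:18} {f.problem} (+{f.days_over} days)")
```

In practice the `POLICY_RETENTION_DAYS` table would be maintained alongside the policy text and the inventory would come from the systems that actually hold the data; the point of the check is that either side changing without the other shows up as a finding before it shows up in discovery.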

3. Align consent flows with your Privacy Policy

Consent is the cornerstone of privacy regulations, and could form the basis of contract or tort cases if there is a mismatch between your consent flows and your Privacy Policy. Make sure the language used in your cookie banner, sign-up checkboxes, and preference center matches your Privacy Policy so everyone is on the same page.

4. Review vendor and partner disclosures

If you share data with analytics, advertising, or cloud providers, name the categories and purposes. Courts expect clarity on who receives data and why. It's crucial to have contracts with those vendors that require them to meet the same privacy standards you promise users.

The example below from YouTube's Privacy Policy follows the same pattern as Facebook and is a great model for other businesses – a clear explanation of who they share data with (with a link to more information) and examples of why they need it.

Google provides personal information to affiliates and trusted businesses under privacy compliance

5. Consider lawful limitation-of-liability language

The Bass v. Facebook case mentioned earlier failed because Facebook included a clear limitation-of-liability clause in its Terms of Service. A limitation-of-liability clause does not stop your business from getting sued, but it limits its exposure to damages.

In Facebook's case, the clause led to the case being dismissed and protected it from potentially crippling damages in this class action suit. The wording in the "Limits on liability clause" in Facebook's current Terms of Service below is clear and protects it from frivolous suits.

Facebook - ToS - Section disclaims all warranties, whether express or implied, setting limits on liability

Including a limitation-of-liability clause in your Terms and Conditions could be a shrewd move for your business, too. Your Terms of Service should cap damages and describe dispute procedures in plain language. However, if it is buried in the small print, unclear, does not comply with local laws, or is too broad in scope, it could be overridden by the courts.

6. Maintain version control and evidence

Privacy Policies are constantly updated, but what matters is what was in place when the alleged violation occurred. Keep dated copies of every Privacy Policy, with notes on what changed and why. In litigation, version history can help demonstrate transparency and good-faith compliance.
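A minimal way to keep the dated, annotated history described above is a ledger that fingerprints each published policy text and can answer which version was in force on a given date. The script below is an added example, not code from the original article or from TermsFeed; the policy texts, dates and change notes are constructed. It records a SHA-256 hash of every version so that a stored copy can later be shown to match what was published, and refuses out-of-order effective dates so the timeline stays unambiguous.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union


@dataclass(frozen=True)
class PolicyVersion:
    version: int
    effective: date      # first day this text was live
    sha256: str          # fingerprint of the exact published text
    change_note: str     # what changed and why
    text: str


def _as_date(when: Union[str, date]) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-03-01'."""
    return date.fromisoformat(when) if isinstance(when, str) else when


@dataclass
class PolicyLedger:
    versions: List[PolicyVersion] = field(default_factory=list)

    def record(self, text: str, effective: Union[str, date], change_note: str) -> PolicyVersion:
        """Append a new dated version of the policy text."""
        effective = _as_date(effective)
        if self.versions and effective <= self.versions[-1].effective:
            raise ValueError("effective date must be later than the previous version")
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        v = PolicyVersion(len(self.versions) + 1, effective, digest, change_note, text)
        self.versions.append(v)
        return v

    def in_force_on(self, when: Union[str, date]) -> Optional[PolicyVersion]:
        """Return the version that was live on the given date (None if before v1)."""
        when = _as_date(when)
        current = None
        for v in self.versions:
            if v.effective <= when:
                current = v
            else:
                break
        return current

    def verify(self) -> List[int]:
        """Re-hash every stored text and return the version numbers whose text no
        longer matches its recorded fingerprint; an empty list means intact."""
        return [v.version for v in self.versions
                if hashlib.sha256(v.text.encode("utf-8")).hexdigest() != v.sha256]


def build_sample_ledger() -> PolicyLedger:
    """Constructed two-version history used to exercise the ledger."""
    ledger = PolicyLedger()
    ledger.record("We retain account data for one year after closure.",
                  "2023-01-15", "Initial policy.")
    ledger.record("We retain account data for two years after closure.",
                  "2024-03-01", "Retention extended to match the new backup schedule.")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    v = ledger.in_force_on("2023-06-01")
    print(f"v{v.version} effective {v.effective} sha256={v.sha256[:12]}...")
    print("ledger intact:", ledger.verify() == [])
```

The ledger answers the question that matters in litigation: for an alleged violation on a given date, which exact text was published, and can the retained copy be shown to be that text. Storing the ledger in the same version-control system as the policy source, with the change note as the commit message, gives the same evidence with less tooling.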

Conclusion

Businesses are no longer able to view their Privacy Policies simply as regulatory compliance documents. As the cases discussed above show, you can be held accountable for their contents, with courts, especially in the US, increasingly viewing them as a set of contractual promises around how a business collects, uses, and protects personal data. Crucially, customers can hold businesses to account for Privacy Policy violations even when no data breach occurs or when a contract or warranty is only implied.

Whether you operate in the United States or other jurisdictions, the lesson is clear: only include in your Privacy Policy terms that your business can prove. Ensure every disclosure is factual, align it with consent flows and real-world data practices, and document every change to your Policy. Doing so will keep regulators satisfied and protect your company from being caught up in the growing wave of tort and contract law complaints about Privacy Policies.
