Another big data breach has made the news, this time from Starwood Hotels and Resorts Worldwide (a subsidiary of Marriott International) in what might be the largest data breach in history. The legal and reputational fallout is likely to be massive. As a clearer picture of the damage emerges, Starwood's various online privacy statements and clickthrough terms and conditions will be incisively scrutinized, as they will be here. Did Starwood follow clickthrough best practices, or did they render their terms meaningless?
The fallout is already here. Multiple billion-dollar class action lawsuits have already been filed. GDPR fines are likely, and those could approach the billions on their own.
Starwood has a massive online footprint. With at least 30 different brands, online reservation options, reward plans, and more, there are likely hundreds (if not thousands) of ways to provide data to Starwood online and purportedly accept various privacy statements and clickthrough legal terms and conditions. We'll dissect the contents of those clickthrough legal terms in a subsequent post, but it's reasonable to assume that they are full of legal terms that Starwood will attempt to rely on in order to minimize its liability resulting from the data breach. It's critical to determine whether those clickthrough terms are enforceable in the first place.
For this post, we looked at two of Starwood's clickthrough acceptance points. Unfortunately, if they represent the level of attention given to clickthrough terms and policies across their digital ecosystem, Starwood is going to have some serious problems trying to rely on them.
The first clickthrough we looked at can be found here. On this form there is a “Continue” button, and below that are links to a “Privacy Center” and “Terms and Conditions.” Unfortunately, there is no clear statement anywhere to put someone on actual notice that by clicking “Continue” they are accepting the “Privacy Center” and the “Terms and Conditions.” Without actual notice, Starwood would be left to rely on “constructive notice.” This never works (just ask Zappos).
While this is admittedly only a small sample out of Starwood's entire footprint of clickthrough agreements, two conclusions can be drawn:
When there is a lack of attention to clickthrough design and presentation, there is typically also a lack of attention as to how the underlying policies and content are tracked and managed. In turn, this creates additional enforceability challenges and raises more questions: Has Starwood tracked versions over time? Does it have readily produced, admissible records of which customers accepted what terms and policies? All of these issues and questions will undoubtedly be raised in court.
Don't let a data breach catch you unprepared. PactSafe can help. Talk to us today.