Do Stores That Offer Loyalty Cards Have a Duty to Notify Customers of Product Safety Recalls?
A Recent Suit Raises This Novel Question

By ANITA RAMASASTRY

Thursday, Aug. 05, 2004

An interesting new Washington state court suit raises an important question: If a retailer benefits from collecting personally identifiable information about its customers, does it have a corresponding duty to use such data to alert its customers that products they've bought have been recalled for health or safety reasons? And if so, could turning over private data to companies actually create benefits, as well as privacy risks, for the consumer?

In the suit, consumer Jill Crowson is suing her grocery store -- Quality Food Center (QFC), a subsidiary of Kroger -- for negligent infliction of emotional distress and disregard of a "duty to warn" under the Washington Product Liability Act. Crowson alleges in her complaint that QFC failed to alert her family that ground beef it had sold them had been recalled in December's mad-cow scare.

Yet, Crowson says, QFC easily could have done so through information it maintained connected with her Advantage card - a "loyalty card" that meant QFC had Crowson's name, address and purchasing information. According to her complaint, QFC tracks every purchase made by consumers presenting the Advantage Card, including product description, date of purchase, store of purchase and the price, and saves that data alongside customer contact information.

Now, Crowson says, her family members "feel like walking time bombs" knowing they may be infected with the human form of mad-cow disease which the complaint states may have an up-to-30-year incubation period. And they are not the only ones: Crowson is seeking class action status for herself and what she believes are "hundreds" of similarly-situated Washington customers at QFC's approximately 40 stores in the state.

Some lawyers think Crowson's suit is a stretch. Federal law does not impose on companies a specific duty to notify consumers when tainted meat is recalled under the direction of the U.S. Department of Agriculture (USDA), as was the case here. Also, Crowson and her family, and the class she seeks to represent, are suing based on fear (and possible future harm), not current illness. Moreover, the chance they will actually get Mad Cow Disease some time in the future are apparently remote.

Nevertheless, the lawsuit has strong intuitive appeal: QFC could have saved the Crowsons and others like them a lot of worry, and perhaps sleepless nights, with what appears would have been minimal effort, using information at its digital fingertips. And the court has already once refused to dismiss it - finding that there were sufficient factual questions about the beef and about QFC's responsibility to the Crowsons, to merit further exploration of the evidence, through discovery and in the courtroom.

Regardless of the outcome of Crowson's suit, it underscores the need for retailers and policymakers to examine what sort of responsibilities come with private data gathering under loyalty card schemes.

The Lawsuit: The Chronology of Facts Alleged, and the Loyalty Card at Issue

On December 22 and 23, 2003, Crowson bought ground beef from a QFC store. Also on December 23, 2003, the USDA recalled Washington beef after it confirmed that a cow slaughtered in Washington had been infected with Mad Cow Disease. But Crowson says QFC did not pull the affected meat from its shelves until December 24, and did not post signs in its stores announcing the recall until December 27. By then, the Crowson family had eaten the meat.

Crowson states that she only learned of the recall by reading an article in her local newspaper. She said she subsequently called the supermarket chain, then faxed QFC a letter asking that her purchase be traced through her QFC Advantage card. On January 10, she was notified that her ground beef purchase was indeed from the recalled batch.

Crowson says that what QFC allegedly did in response to the recall - pulling the beef from shelves the next day, and posting signs three days after that -- was far from enough. She says it should have immediately warned customers who had bought possibly tainted meat through newspaper, radio and television advertising -- and by contacting individually those who, like her, had Advantage cards. Its failure to do so, she says, is what makes the company liable to her and other shoppers.

The Advantage Card is known in the retail industry as a customer "loyalty card" - providing discounts on specific items, in exchange for consumer information that will aid in better tailoring the company's marketing efforts. Combining the data from one's loyalty card application with data from other commercial databases or public records (for examples, mortgage records, or court filings) can often allow a very specific profile of each consumer.

Some states limit the types of information that a grocery store can collect from you when you register for a loyalty card. For example, California state law prohibits a grocery store from requiring that you turn over your social security or your driver's license number.

Companies, of course, stress the potential savings that might result from use of a loyalty card. Consider, for instance, the sales pitch on the QFC website it reads: "If you don't have a QFC Advantage Card, you're missing out! The Advantage Card is a powerful new way to save on the groceries you buy every day. It gives you the best of all possible worlds: premium quality, superb service and lower prices. That's something no other grocery store can match. So make sure you take advantage of the big savings."

Privacy advocates complain that loyalty cards result in the improper use - and, often, sale to third parties - of customers' private information. QFC apparently doesn't sell customers' data to third parties, however. Its website promises that "QFC will not release your name to any list service or manufacturer, and that such information will be held in the strictest of confidence-even within our company."

Privacy advocates also warn, however, that even if third-party sales of data are not allowed, the data compiled can always be accessed with a subpoena or warrant and used against the customer in court proceedings. Meanwhile, consumer advocates claim that certain loyalty cards don't really offer the savings they promise. Nevertheless, numerous stores employ loyalty cards.

Turning the Privacy Debate on Its Head: With Great Information, Comes Great Responsibility?

The Crowson lawsuit turns the privacy debate on its head. Typically, privacy advocates ask retailers to safeguard the personal information they collect about their shoppers. In this case, in contrast, plaintiff is asking that QFC delve into its database to notify her about a meat recall.

QFC does this very thing if a consumer loses his or her keys with an Advantage Card attached to them - returning the keys free of charge. So Crowson's attorney, Steve Berman, asks: "If they can contact you over a lost set of car keys, why couldn't they contact you and tell you that the beef you purchased could kill you?"

According to some news reports, QFC was reluctant to call customers regarding the recall based on privacy concerns. But in this case, the concerns seem misplaced. No privacy law is violated when a consumer communicates with the customer herself regarding private information - indeed, every offer the customer receives is, in a sense, this kind of communication. When the customer is receiving personalized discounts based on her purchase history, why can't she receive personalized health and safety warnings based on that history, too?

Was There a Duty to Warn Here?

From the law's perspective, the question will be not whether QFC ideally should have warned the Crowsons - of course it should have. The question will be if it had a legal duty to do so. Such a duty would come from either the common law of torts, which allows claims where there is a duty to behave reasonably to prevent foreseeable harm to others. . Or it might come from the Washington product liability statute - which, as noted above, creates a "duty to warn" in certain situations.

And of course, if there is no current duty, the legislature may see fit to pass a statute creating such a duty. :It may seem more prudent, however, for retailers to voluntarily assume such a responsibility. When companies benefit from collecting customer information, shouldn't they also assume a duty to protect customers from known risks associated with that very information? Some risks, of course, may be a matter of opinion. But this one was not: The fact of the risk was acknowledged by the USDA recall of the meat. With this kind of clear notice of the risk, it seems that QFC either does - or ought to - have a duty to protect customers from this risk.

Of course, should a retailer not wish to take on this responsibility, it can also change its loyalty program. QFC and other retailers could still track consumer purchases without asking them for personally identifiable information.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.

FindLaw Career Center


      Post a Job  |  View More Jobs

    View More