I wonder if they will be able to make any argument along the lines of: we’re much more confident about the identities of paying customers so we think there’s less privacy risk in that case.

I think they should lose the case but I’m curious if anyone can think of a good argument for their side, at all (in the European context where there are data laws, “it’s their website they do what they want” is the conventional US perspective but I don’t really see what that leaves us to discuss).