In the latest reaction to AOL’s erroneous posting of some of its members’ search term data this past August, two unnamed California residents and Kasadore Ramkissoon of Richmond County, N.Y., have filed suit against the Internet service provider in the U.S. District Court in Oakland, Calif., alleging violations of the Electronic Communications Privacy Act, as well as California state law.
Their suit, which is seeking class action status, follows separate requests made last month by twoprivacy advocacy groups — the Electronic Frontier Foundation and the World Privacy Forum — that theFederal Trade Commission investigate AOL’s actions. The search term data disclosure, according to the World Privacy Forum’s filing, violated FTC laws that hold companies accountable for statements made in their privacy policies.
Legal Redress for Personal Mortification?
AOL’s release of the data understandably struck a nerve among Internet users. While it is doubtful that many people would object to the disclosure that they once shopped at the now defunct eToys (the scene of another battle over privacy on the Internet a few years ago when the firm tried to sell its customer list as part of bankruptcy proceedings), many of the AOL revelations were not so innocuous. Many Internet users have at one time or another typed in very personal or unusual requests for information that they would prefer not to be connected with publicly.
For the record, AOL maintains that it did not deliberately release users’ data, and in actuality, the data was notdirectly linked to users’ names. Due to employee error, the company accidentally posted to an AOL public Web site search termqueries made by 650,000 of its users over a three-month period that were meant for the use of academic researchers. Unfortunately, the data was organized so that it was relatively easy to identify some of the members who had made the queries.
In general, privacy policies — usually vetted by legions of attorneys — are written to give companiesas much wiggle room as possible to play with their customers’ data. Vague language can be adoubled-edged sword, however, that can sometimes work to customers’ advantage as well. For instance, a privacypolicy that states the company will collect data to conduct research about a customer’s use of the Internet does not necessarily give the company the right to share that data. Additionally, sharing does not necessarily imply the right to public release.
Another subject of dispute is whether AOL actually identified its members or not. Predictably, AOL claims it did not, placing the blame for their exposure on members who conducted so-called “vanity searches,” or searches for their addresses or work places. A case can be made, however, that AOL all but connected the dots to identify which users searched for which terms.
Tried and Failed
Not every argument made by the plaintiffs or by AOL is likely to succeed, attorneys contacted for this article agree. For instance, AOL might argue in court that the employees responsible for the release of member data did not follow internal policies. It will be an uphill climb, though, to sell that argument. “Under most federal and state laws, the burden is on the company to demonstrate that it had adequate controls to prevent an inadvertent release of protected information,” Callaway said.
“Claims such as ‘I didn’t read it,’ ‘I couldn’t be expected to read it,’ or ‘It is an unconscionable policy,’ have all been unsuccessful” in the past, he said.