AOL’s Disclosure of Search Data May Support Claims Under California Law

[Post by Venkat]

Does v. AOL LLC, Case No. C06-5866 SBA (N.D. Cal.; June 22, 2010)

Plaintiffs bringing a class action against AOL for improper disclosure of search data scored an initial victory in the Northern District of California. The court denied AOL’s motion for judgment on the pleadings and allowed claims (under California consumer protection laws) to go forward.

Background: AOL “records and stores member search queries in a manner rendering it possible to connect the stored search queries with a particular member.” In July 2006 AOL “packaged” (??) approximately 20 million search records into a database, which it then inadvertently posted on its website “for the public to download.” The database contained records of 685,000 AOL members that were stored during a two-month period in 2006. The disclosed data includes sensitive information such as names, social security numbers, addresses, telephone numbers, credit card numbers, user names, passwords, and financial bank/account information.

Shortly after it posted the database, AOL pulled it. However, by this time it had been downloaded and reposted on other websites. According to the complaint, “AOL’s response to the disclosure has been to do nothing.” AOL attempted to impose conditions on third parties who downloaded the database, but it hadn’t taken any action to restrict such use.

Plaintiffs sued alleging federal claims (under the Electronic Communications Privacy Act) and state claims (under section 1750 and California false advertising statutes).

Discussion: The case is in an atypical procedural setting, but one that may be helpful to plaintiffs. AOL initially moved to dismiss and have the case transferred to Virginia based on the venue clause in its Member Agreement. The district court agreed and initially dismissed the lawsuit so it could be re-filed in Virginia. The Ninth Circuit reversed (in 2009) and held that the venue provision in AOL’s Member Agreement was unenforceable as to California residents bringing claims under “California consumer law.” On remand AOL moved to dismiss one of the named plaintiffs who is not a California resident and dismiss the claims that did not arise under California consumer law. The district court granted that motion. Plaintiffs appealed and asked the district court to stay resolution of the California consumer law claims until the Ninth Circuit resolves the issue of whether the remaining claims were properly dismissed. [That's a lot of procedural wrangling!]

Standing to seek injunctive relief: The court denies plaintiffs’ motion to stay. Moving on to the substantive claims, the complaint seeks an injunction, and AOL argued that plaintiffs lacked standing to seek injunctive relief. Injunctive relief would be available if there’s some risk that the complained-of conduct would continue to occur. The court finds that plaintiffs had the requisite standing because plaintiffs alleged that AOL engages in a practice of storing search queries and “has taken no steps to ensure that such information is not disclosed again.”

California Consumer Legal Remedies Act: AOL argued that plaintiffs did not sufficiently plead injury under the CLRA. The court notes that the CLRA sets a “low but nonetheless palpable threshold of damage,” but encompasses harm “other than pecuniary damages.” Getting to plaintiffs’ allegations, the court notes that AOL allegedly “held itself out to the market as being a leader in internet security and privacy and represented . . . that its service was ‘safe, secure and private.’” The information disclosed by AOL includes highly sensitive information, including financial information and social security numbers. “Also disclosed was information regarding members’ personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery, and domestic violence.” [emphasis added] The court concludes that this is more than enough to allege injury under the CLRA.

AOL also argued that the CLRA claim sounded in fraud and must be pled with particularity. The court finds that plaintiffs satisfied this requirement by specifying that “misrepresentations were made in AOL privacy policy and other statements posted on AOL’s website, and that the representations were false in that they assured members that AOL would endeavor to maintain the privacy and security of their personal confidential information.” AOL finally argued that plaintiffs failed to allege causation, but the court quickly dispenses with this argument, noting that where there are representations in a privacy policy regarding safeguarding personal data, a reasonable consumer would only sign up and disclose personal information in reliance on the representations contained in the privacy policy. At the end of the day, plaintiffs’ CLRA claims are allowed to move forward.

UCL and FAL: AOL’s arguments around the unfair competition and false advertising laws were similar to its arguments against the CLRA claims. The court rejects these arguments. Finally, the court dismisses plaintiffs’ claims under the “Consumer Records Act,” which requires businesses to take “reasonable steps” to dispose of customer records when they are no longer “retained” by the business. The court (citing to the legislative history) notes that the statute was intended to prevent “dumpster diving,” and was not intended to encompass the situation in the present case.

__

It’s tough to assess what happened (and what will happen) at the pleading stage, but if AOL really disclosed those sensitive records and didn’t take any steps to remedy the situation, what was AOL thinking?

It’s been blogged to death that breach of a privacy policy is not actionable in the typical consumer context. (See for example: “When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue;” “9th Circuit Affirms Rejection of Data Breach Claims Against Gap [citing cases].”) What’s different here? For one thing, there’s a statute which has a pretty low threshold for damages, and plaintiffs are wisely avoiding the negligence route. To the extent these are paying customers, they also can argue disgorgement and get their money back (or a portion of it). Finally, they’re arguing about the disclosure of information (intimate and personal details) where the harm lies in the disclosure and not the misuse of the data.

It was also interesting to see that the court focused on flowery language in AOL’s privacy policy. The FTC did something similar in its informal investigation of Twitter. (“The FTC Dings Twitter’s Security Practices — What Does This Mean for Everyone Else?”)

The case is a reminder of the huge quantity of personal information that networks store about users. One can never be reminded of this often enough.

Other coverage: Wendy Davis (MediaPost): “AOL Suffers Blow In Lingering ‘Data Valdez’ Case.”

_______

Eric’s Comments: In retrospect, AOL’s decision to release the dataset was, at best, an ill-considered decision (and one that already cost several AOL employees their jobs). However, AOL claimed to release the dataset for research purposes, and it remains one of the few public datasets of how actual users search. (For obvious reasons, I don’t anticipate new ones being posted any time soon.) While it’s hard to praise AOL here, the lawsuit has problems of its own. For one, Venkat mentions the damages/harm problem. Also, the ECPA claim raises the disconcerting specter that search queries are private communications between searchers and search engines, a legal proposition with potentially far-reaching effects that I’ve never been able to wrap my head around. If you want more information on these issues, this case is one of several explored in Paul Ohm’s paper on re-identification that I’ve praised repeatedly.