A federal judge presiding over the "Data Valdez" lawsuit has ruled that AOL members may pursue their attempt to force the company to destroy records about users' searches.
U.S. District Court Judge Saundra Brown Armstrong in Oakland, Calif. ruled recently that the consumers' allegations -- including the assertions that AOL "engages in a practice and policy of storing
search queries" -- were sufficient to entitle the members to seek an injunction. The decision means only that the consumers can attempt to prove that they are entitled to an injunction, not that
they will prevail. Trial in the matter is not slated to take place until November of 2011.
AOL's chief litigator Jim Villa says the company is "aggressively pursuing AOL's defense in this
matter. He also says AOL is "extraordinarily proactive about protecting our customers' information."
Armstrong's ruling, quietly issued late last month, is the latest development in the
continuing fallout from AOL's "Data Valdez" data breach -- the name given to a few AOL employees' disastrous decision to release three months of search queries for 650,000 members.
Although the
members had been "anonymized," some were identified based solely on the patterns in their search queries. For instance, The New York Times was able to identify AOL user Thelma Arnold within days of the breach.
The incident is often used to
illustrate that "anonymous" information can be used to identify specific individuals. In fact, a Federal Trade Commission report about behavioral targeting cited the data breach as one reason why it might not make sense to have different privacy standards
for "personally identifiable information," like names, and "anonymous" information, like clickstream data.
A group of AOL members sued the company federal district court in the Northern District
of California in September of 2006, alleging that AOL violated federal wiretap laws and various California state laws.
At one point, the case was dismissed because AOL's terms of services
contained a clause requiring that disputes be litigated in Virginia. But an appellate court ruled last year that claims by California AOL users stemming from alleged violations of the state's laws
could proceed.
Late last month, Armstrong dismissed several of those claims, but kept alive counts alleging that AOL violated the California Consumers Legal Remedies Act.
Armstrong
specifically rejected AOL's position that the consumers should not be allowed to pursue their claims because they had not sufficiently alleged they were injured by the search query disclosure. She
said the plaintiffs alleged that "AOL disclosed highly sensitive personal information belonging to 658,000 of its members," and that the revealed data included "highly sensitive" financial
information. Furthermore, she wrote, plaintiffs also alleged that AOL revealed "information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery
and domestic violence."
The California Consumers Legal Remedies Act provides that consumers can sue for injunctive relief and restitution, but not damages.
Armstrong wrote that the
consumers could pursue their request for an injunction because the data breach allegedly caused an ongoing injury. She wrote that even though AOL took down the search queries, the company allegedly
did so after they had been available for two weeks.
"Plaintiffs aver that as a matter of policy, AOL continues to collect and disseminate the same type of data disclosed in 2006," Armstrong
wrote. "These facts are sufficient to allege an ongoing injury."