Friday, September 29, 2006
AOL's Privacy Policy on Trial
AOL's privacy policy and how it is interpreted by the courts and federal government will be in the spotlight as two separate actions against the company move forward. In the latest reaction to AOL's erroneous posting of some of its members' search term data this past August, two unnamed California residents and Kasadore Ramkissoon of Richmond County, N.Y., have filed suit against the Internet service provider in the U.S. District Court in Oakland, Calif., alleging violations of the Electronic Communications Privacy Act, as well as California state law. Their suit, which is seeking class action status, follows separate requests made last month by two privacy advocacy groups -- the Electronic Frontier Foundation and the World Privacy Forum -- that the Federal Trade Commission investigate AOL's actions. The search term data disclosure, according to the World Privacy Forum's filing, violated FTC laws that hold companies accountable for statements made in their privacy policies.
AOL's release of the data understandably struck a nerve among Internet users. While it is doubtful that many people would object to the disclosure that they once shopped at the now defunct eToys (the scene of another battle over privacy on the Internet a few years ago when the firm tried to sell its customer list as part of bankruptcy proceedings), many of the AOL revelations were not so innocuous. Many Internet users have at one time or another typed in very personal or unusual requests for information that they would prefer not to be connected with publicly. For the record, AOL maintains that it did not deliberately release users' data, and in actuality, the data was not directly linked to users' names. Due to employee error, the company accidentally posted to an AOL public Web site search term queries made by 650,000 of its users over a three-month period that were meant for the use of academic researchers. Unfortunately, the data was organized so that it was relatively easy to identify some of the members who had made the queries.
While the incident was no doubt personally mortifying to some, there are only a few narrow avenues litigants can explore that might lead to AOL being held liable by the courts or the government. The outcome depends entirely on how the company's privacy policy is interpreted.
"State and federal law, and AOL's own privacy policy, will shape this case," Claudia Callaway, a partner with Manatt Phelps & Phllips said. In previous statements, AOL has acknowledged that the release was a violation of internal policies. However, the company claims that it did not violate the privacy policy provided to its members. In general, privacy policies -- usually vetted by legions of attorneys -- are written to give companies as much wiggle room as possible to play with their customers' data. Vague language can be a doubled-edged sword, however, that can sometimes work to customers' advantage as well. For instance, a privacy policy that states the company will collect data to conduct research about a customer's use of the Internet does not necessarily give the company the right to share that data. Additionally, sharing does not necessarily imply the right to public release. Another subject of dispute is whether AOL actually identified its members or not. Predictably, AOL claims it did not, placing the blame for their exposure on members who conducted so-called "vanity searches," or searches for their addresses or work places. A case can be made, however, that AOL all but connected the dots to identify which users searched for which terms.
Not every argument made by the plaintiffs or by AOL is likely to succeed, attorneys contacted for this article agree. For instance, AOL might argue in court that the employees responsible for the release of member data did not follow internal policies. It will be an uphill climb, though, to sell that argument. "Under most federal and state laws, the burden is on the company to demonstrate that it had adequate controls to prevent an inadvertent release of protected information," Callaway said.
Conversely, if the plaintiffs cannot prove that AOL violated its privacy policy, they may have an equally difficult time in court, suggested Chip Babcock, a partner with Jackson Walker in Houston and Dallas. "There have been a number of different arguments made that could apply -- but have been rejected by various courts," he said. "Claims such as 'I didn't read it,' 'I couldn't be expected to read it,' or 'It is an unconscionable policy,' have all been unsuccessful" in the past, he said.
Brought to you by the Guardian eCommerce Privacy Seal Program.
AOL's release of the data understandably struck a nerve among Internet users. While it is doubtful that many people would object to the disclosure that they once shopped at the now defunct eToys (the scene of another battle over privacy on the Internet a few years ago when the firm tried to sell its customer list as part of bankruptcy proceedings), many of the AOL revelations were not so innocuous. Many Internet users have at one time or another typed in very personal or unusual requests for information that they would prefer not to be connected with publicly. For the record, AOL maintains that it did not deliberately release users' data, and in actuality, the data was not directly linked to users' names. Due to employee error, the company accidentally posted to an AOL public Web site search term queries made by 650,000 of its users over a three-month period that were meant for the use of academic researchers. Unfortunately, the data was organized so that it was relatively easy to identify some of the members who had made the queries.
While the incident was no doubt personally mortifying to some, there are only a few narrow avenues litigants can explore that might lead to AOL being held liable by the courts or the government. The outcome depends entirely on how the company's privacy policy is interpreted.
"State and federal law, and AOL's own privacy policy, will shape this case," Claudia Callaway, a partner with Manatt Phelps & Phllips said. In previous statements, AOL has acknowledged that the release was a violation of internal policies. However, the company claims that it did not violate the privacy policy provided to its members. In general, privacy policies -- usually vetted by legions of attorneys -- are written to give companies as much wiggle room as possible to play with their customers' data. Vague language can be a doubled-edged sword, however, that can sometimes work to customers' advantage as well. For instance, a privacy policy that states the company will collect data to conduct research about a customer's use of the Internet does not necessarily give the company the right to share that data. Additionally, sharing does not necessarily imply the right to public release. Another subject of dispute is whether AOL actually identified its members or not. Predictably, AOL claims it did not, placing the blame for their exposure on members who conducted so-called "vanity searches," or searches for their addresses or work places. A case can be made, however, that AOL all but connected the dots to identify which users searched for which terms.
Not every argument made by the plaintiffs or by AOL is likely to succeed, attorneys contacted for this article agree. For instance, AOL might argue in court that the employees responsible for the release of member data did not follow internal policies. It will be an uphill climb, though, to sell that argument. "Under most federal and state laws, the burden is on the company to demonstrate that it had adequate controls to prevent an inadvertent release of protected information," Callaway said.
Conversely, if the plaintiffs cannot prove that AOL violated its privacy policy, they may have an equally difficult time in court, suggested Chip Babcock, a partner with Jackson Walker in Houston and Dallas. "There have been a number of different arguments made that could apply -- but have been rejected by various courts," he said. "Claims such as 'I didn't read it,' 'I couldn't be expected to read it,' or 'It is an unconscionable policy,' have all been unsuccessful" in the past, he said.
Brought to you by the Guardian eCommerce Privacy Seal Program.