A federal judge presiding over the "Data Valdez" lawsuit has ruled that AOL members may pursue their attempt to force the company to destroy records about users' searches. U.S. District Court Judge Saundra Brown Armstrong in Oakland, Calif. ruled recently that the consumers' allegations -- including the assertions that AOL "engages in a practice and policy of storing search queries" -- were sufficient to entitle the members to seek an injunction. The decision means only that the consumers can attempt to prove that they are entitled to an injunction, not that they will prevail. Trial in the matter is not slated to take place until November of 2011.
AOL's chief litigator Jim Villa says the company is "aggressively pursuing AOL's defense in this matter. He also says AOL is "extraordinarily proactive about protecting our customers' information."
Armstrong's ruling, quietly issued late last month, is the latest development in the continuing fallout from AOL's "Data Valdez" data breach -- the name given to a few AOL employees' disastrous decision to release three months of search queries for 650,000 members.
Although the members had been "anonymized," some were identified based solely on the patterns in their search queries. For instance, The New York Times was able to identify AOL user Thelma Arnold within days of the breach.
The incident is often used to illustrate that "anonymous" information can be used to identify specific individuals. In fact, a Federal Trade Commission report about behavioral targeting cited the data breach as one reason why it might not make sense to have different privacy standards for "personally identifiable information," like names, and "anonymous" information, like clickstream data.
A group of AOL members sued the company federal district court in the Northern District of California in September of 2006, alleging that AOL violated federal wiretap laws and various California state laws.
At one point, the case was dismissed because AOL's terms of services contained a clause requiring that disputes be litigated in Virginia. But an appellate court ruled last year that claims by California AOL users stemming from alleged violations of the state's laws could proceed.
Late last month, Armstrong dismissed several of those claims, but kept alive counts alleging that AOL violated the California Consumers Legal Remedies Act.
Armstrong specifically rejected AOL's position that the consumers should not be allowed to pursue their claims because they had not sufficiently alleged they were injured by the search query disclosure. She said the plaintiffs alleged that "AOL disclosed highly sensitive personal information belonging to 658,000 of its members," and that the revealed data included "highly sensitive" financial information. Furthermore, she wrote, plaintiffs also alleged that AOL revealed "information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery and domestic violence."
The California Consumers Legal Remedies Act provides that consumers can sue for injunctive relief and restitution, but not damages.
Armstrong wrote that the consumers could pursue their request for an injunction because the data breach allegedly caused an ongoing injury. She wrote that even though AOL took down the search queries, the company allegedly did so after they had been available for two weeks.
"Plaintiffs aver that as a matter of policy, AOL continues to collect and disseminate the same type of data disclosed in 2006," Armstrong wrote. "These facts are sufficient to allege an ongoing injury."