Friday, July 09, 2010

AOL Users May Seek Injunction Barring Release of Internet Search Records

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

California consumers could proceed with claims under that state’s Consumer Legal Remedies Act (CLRA) against Internet service provider AOL for unlawfully making public a database containing the Internet search records of more than 650,000 AOL members, the federal district court in Oakland has decided.

The consumers could pursue injunctive relief, although they failed to provide the requisite notice under the CLRA in order to pursue a claim for damages.


The consumers alleged that AOL made false representations in its privacy policy and other statements posted on AOL's website, which assured members that AOL would endeavor to maintain the privacy of their personal information. These allegations were specific enough to satisfy the requirements of Federal Rule of Civil Procedure 9(b), the court said.

The expectations of privacy fostered by these statements were material in terms of influencing AOL members' decisions whether to disclose sensitive information, in the court’s view. Accordingly, the consumers sufficiently pleaded causation for purposes of the CLRA.

The consumers adequately alleged that they sustained injury as a result of AOL’s conduct. “Damage” under the CLRA could encompass harms other than pecuniary damages, the court noted. AOL’s disclosure of highly sensitive personal information regarding its members—including names, addresses, credit card numbers, Social Security numbers, and medical information—was not something that members bargained for when they signed up and paid fees for AOL's service.

Injunctive Relief

The consumers could seek an injunction requiring AOL to:

(1) ensure that member search data does not appear as search results in Internet search engines;

(2) take all necessary steps to enforce a license to prohibit commercial and non-research use of members' search data;

(3) no longer store or maintain records associated with members' searches on AOL's search engine; and

(4) destroy all such records in its possession.

AOL allegedly engaged in a practice and policy of storing search queries containing confidential information and allegedly had taken no steps to ensure that such data would not be disclosed again in the future. Although AOL had pulled the leaked database from its website, the information already had been posted on a number of other public sites.

AOL allegedly did not attempt to retrieve this information or to prevent further republication. The consumers asserted that AOL continued to collect and disseminate the same types of data, the court said.


The CLRA requires plaintiffs to provide notice to the defendant of the alleged statutory violation and a demand to rectify the alleged violation within 30 days. There was no dispute that the consumers had failed to do so, according to the court.
The claim for damages was dismissed without prejudice, until 30 days or more after the plaintiff complied with the notice requirement. If AOL corrected the alleged wrongs or indicated that it would correct the wrongs within the 30-day period, it could not be held liable for damages.

Disposal of Records

The consumers failed to state a claim that AOL violated the California Consumer Records Act (CRA), the court determined. The CRA provided that businesses must take all reasonable steps to shred, erase, or otherwise destroy customer records that were no longer to be maintained and required businesses to maintain security procedures to protect consumers' personal information.

The CRA was inapplicable because it applied only when a business intended to discard records containing personal information. The alleged disclosure by AOL did not occur in the course of AOL's disposal of customer records, the court said.

The decision is Doe v. AOL LLC, CCH Privacy Law in Marketing ¶60,493.

Further information regarding CCH Privacy Law in Marketing appears here on the CCH Online Store.

No comments: