After nearly seven years of litigation, two class actions, and millions of dollars in legal and settlement fees, AOL hopes that it can finally put its infamous anonymization failure incident behind it. On May 24, 2013, a Virginia federal judge gave final approval to a class action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public. The settlement agreement involves $5 million in cash payments to class members and nearly $1 million in attorneys’ fees.
The anonymization failure incident has become almost folklore in the privacy world. It stemmed from an incident back in 2006 when a few AOL employees decided to release three months of search queries of 650,000 of its members online with the intention that the data would be used for academic research purposes. Although the members had been supposedly anonymized, some of them were re-identified based solely on the patterns in their searches. For example, The New York Times was able to re-identify Thelma Arnold, a 62-year-old widow from Georgia who performed searches on her friends’ medical ailments and her three dogs, based on her search data. The public backlash over the incident was strong. AOL quickly removed the results and apologized. Along with calls for regulatory action by public interest groups, two nationwide class actions were filed. The first was filed in 2006 in California federal court, but was subsequently dismissed on the basis of a forum selection cause. The second was brought in 2011 and settled just last week. Along with monetary relief, AOL warrants in the settlement agreement that it will maintain policies and procedures to mitigate the possibility of such an incident happening again. However, the settlement notes that if Microsoft, Yahoo, or Google employ less burdensome procedures, AOL may amend its procedures accordingly.
2006 seems like a long time ago, but class actions based on data breaches and other alleged privacy violations continue to be rampant. This case serves as an important reminder about how drawn out and far-reaching the costs of data breaches and other privacy violations can be. Not only can legal fees and settlement fees be quite high, but the costs of data breach notification letters, settlement administration fees, and the loss in consumer goodwill and brand reputation, can also be quite damaging. The fact that it took almost seven years also reminds us of how far the law lags behind these types of privacy issues. In this new era of Big Data, companies continue to develop new methods to utilize more and more bits and pieces of seemingly innocuous or de-identified data. The stakes are arguably even higher than they were in 2006, as consumers seem to be more attune to privacy issues than they were back then. The opportunities are great, but companies operating in this space should proceed with caution.