Business Lessons from AOL's Search Data Mishap

Recently, America Online voluntarily released three months of search queries by nearly 700,000 AOL users for educational and research purposes. For a short time, this data, consisting of queries, identification numbers, time of query and ClickURLs, was posted on a public portion of AOL's site. It has since been reposted, analyzed, and discussed on many Internet sites.

America Online's public disclosure of its users' search query data demonstrates the sensitive nature of search records and serves as a cautionary tale for businesses that collect and use their customers' search data.

The Electronic Communications Privacy Act (ECPA)

While it appears that AOL's disclosure may not run afoul of the ECPA, a brief inspection of the statute's provisions may help businesses avoid any violations.

The ECPA, codified at 18 U.S.C. 2701 et seq. prohibits a "person or entity providing an electronic communication service to the public" from "knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service." Section 2702(a)(1).

One central issue is whether a search query is deemed a "communication" for purposes of the ECPA. Under the statute, "contents of communications, records, [and] other information" receive different levels of protection. Communications receive the highest protection.

Search queries could conceivably be characterized as any one of these three categories of information. Unlike traditional communications, such as email, search queries are not sent to another person, but to the search engine. Like email, however, a search engine user may have a subjective expectation of privacy in his/her queries. An inspection of some of the explicit AOL search queries renders this obvious conclusion.

Arguably, there may be no objective expectation of privacy in search queries due to the open nature of search engines. Virtually all search engines are made available to the Internet community at no charge, without any login or registration requirements.

Although the applicability of the ECPA is unsettled, businesses that collect queries from their search engine appliances should be extremely careful with any kind of disclosure of the data, be it public or internal.

An interesting side note: Section 2710 carves out a special section dealing with the disclosure of Video Tape rentals or sale records. Basically, video rental services are liable if they disclose your renting habits. Like search queries, rental records are not traditionally thought of as communications, but they may contain sensitive information. If search queries are not deemed "communications" for purposes of the ECPA, perhaps it is time for Congress to add some form of Search Engine liability to this or another section of the statute.

Finally, businesses should not assume that the ECPA is the only federal data law they need to follow when it comes to dealing with search data. Depending on the nature of the businesses, the entity may be subject to a number of federal laws pertaining to customer data, such as the Sarbanes-Oxley Act, SEC Rules 17a-3 and 17a-4, the Gramm-Leach Bliley Act, and HIPPA.

Privacy Policy

In addition to possible violations of the ECPA, businesses that disclose search data may run afoul of their own privacy policies. Depending on the specific wording of the privacy policy, there could be a cause of action against the disclosing entity for breach of contract.

AOL's privacy policy explicitly designates "information about the searches you perform through the AOL Network" as "AOL Network Information." Under the policy's section entitled "How Your AOL Network information is Used," the policy broadly states that the search data can be used:

  • to operate and improve the Web sites, services and offerings available through the AOL Network;
  • to personalize the content and advertisements provided to you;
  • to fulfill your requests for products, programs, and services;
  • to communicate with you and respond to your inquiries;
  • to conduct research about your use of the AOL Network; and
  • to help offer you other products, programs, or services that may be of interest.

 

According to AOL, the disclosure occurred as part of an AOL Research program, which is probably covered by the policy.

Given the lack of any clear legislative directive on the handling of search data, a broadly-worded privacy policy, like AOL's, permits businesses wide discretion when using search data. Regardless, to avoid violating your customers' trust, businesses should always practice caution when managing this sensitive class of information.

Use of Search Data

Search queries provide a valuable window into the needs of Internet users. Businesses that provide a local search engine on their sites can learn a lot about what users want from their particular site by inspecting search data.

Internal and external distribution and analysis of this sensitive information should be periodically monitored by legal counsel to comport with internal policies and relevant laws.

In light of AOL's data disclosure mishap, there are several lessons to keep in mind when dealing with search data:

  • Be careful what you disclose.
    Companies routinely resort to selling their customer data for marketing purposes. Before undertaking this action, businesses should consult their legal advisor so as not to run afoul of the ECPA and other state and federal laws. Contrary to what many believe, a victim of disclosure that violates the ECPA need not suffer extensive damages. Section 2707(c), provides for statutory damages not less than $1,000 per person harmed, and the court can also look to the profits made by the disclosing party. In-house legal departments would therefore do well to periodically discuss the need for legal review of all marketing initiatives, as they often involve the sale and exchange of sensitive data.

  • Limit access to the data.
    Businesses should have policies in place that restrict the general distribution of raw customer data, including search queries. Keep track of who is accessing the data. Consider excluding independent contractors, interns, temporary employees and non-related departments from accessing the data. When the data is disseminated for internal purposes, remember to first strip out any personally identifiable information, such as names, IP addresses, social security numbers, physical addresses, member identification numbers, and the like.

  • Don't retain search data beyond a reasonable time.
    Financial institutions, brokers, accounting firms and members of the health care industries are required by law to retain customer data in a prescribed manner. Most private companies, however, are not under strict laws regarding data retention. Thus, it may be wise to delete outdated search data to keep it from coming back to haunt your business. Always delete sensitive data in a thorough fashion, which may even require physical destruction of tapes, disks, and other storage media.