Oath Waives Users' Lawsuit Rights, Will Share 'Individually Identifiable' Data With Third-Parties

Oath, Verizon’s online content subsidiary, which owns both Yahoo and Aol, has published a new privacy policy. The policy waives users’ rights to sue the company in a class action lawsuit. Oath also notes that this new change is “an important part” of its relationship with you. The company's new terms will also give it the right to fully analyze all of your emails and share "individually identifiable" data with Verizon and hundreds of third-party companies.

Yahoo And Aol Are Merging Infrastructures

Oath recently announced that it will be merging the email infrastructure of Aol and Yahoo. The company will use Yahoo’s back-end infrastructure to power the Aol email system, too.

Last year, we learned that Yahoo suffered the largest data breach in history, which exposed three billion user accounts. We also know from previous reports that Yahoo’s former CEO, Marissa Mayer was often in conflict with the company's security team, so the infrastructure was likely not as secure as it could have been.

Reuters also reported that Yahoo’s leadership may have also allowed an NSA backdoor to reside on its servers, giving the NSA search access to its email database.

Oath Waives Right To Launch Class Action Lawsuit

Oath’s new terms and policies disallow users from suing the company in a class action lawsuit, if they agree to these terms. However, if they don’t agree, the users will soon no longer be able to use their Yahoo accounts (Aol had already instituted a similar policy before Verizon purchased it). For the moment, users can skip the message, but it seems to appear on almost every interaction with the Yahoo Mail service.

In its new Terms of Service (ToS), Oath included the following:

You understand that by agreeing to these terms, arbitration or a small claims action will be the sole and exclusive means of resolving any dispute between us. You also understand that by agreeing to these terms, you and Oath are giving up the right to bring a claim in court or in front of a jury (except for matters that may be brought in small claims court), and that you and Oath are giving up the right to proceed with any class action or other representative action.

Oath arbitrations will be handled by the American Arbitration Association. Collective arbitration will not be allowed, which means each user will have to make their case against Verizon/Oath’s top lawyers and hope to win. In some cases, companies are not allowed to force users into arbitration. Therefore, Oath also says in its ToS that if the dispute proceeds in court, the users will agree that there will not be a jury trial--only a trial by court.

Although the new changes will affect users that now agree with the terms, a federal judge had already ruled last month that a class action lawsuit over the previous data breach must still go through. In that lawsuit, Yahoo is being sued for negligence in handling user data, breach of contract, and failure to disclose the breach in a reasonable amount of time. The breach happened in 2013, but Yahoo didn't disclose it until 2016. The users suing Yahoo also argued that the breach put them at risk of identity theft, which required them to spend money on credit freeze, monitoring, and other protections.

Oath To Share “Individually Identifiable” Data

The new privacy policy will give Oath permission to mine your Yahoo and Aol emails for advertising purposes. Yahoo had to settle a lawsuit in 2016 over its similar practices at the time. However, the company agreed to only analyze emails that were opened by users. Oath is taking all of that back, and will analyze every email, including information you get from your bank and the EXIF data of images and videos, location information, and more.

Additionally, Oath’s new ToS says that your Yahoo/Aol data will be shared within Oath, with Verizon and its affiliates, and over 100 third parties such as analytics companies, social widget companies, advertising technology companies, content and video content providers, game developers, and others.

The new privacy policy and ToS looks quite aggressive in terms of how little control it gives users, so it remains to be seen how the EU will respond once the GDPR passes. In the United States, the CONSENT Act may protect users against most of the potential abuses, if it passes. Although Oath is owned by Verizon, it’s still an “edge provider” itself, so it should still fall under the same regulations.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • compprob237
    Well, wasn't using that account much anyway. Time to delete it.
  • AnimeMania
    I think this might include every user that gets internet from AT&T.
  • mrmez
    It's hilarious to every other country that in the USA a company can have a legally binding agreement where you're not allowed to sue them.
  • ravewulf
    That type of agreement unfortunately seems to be pretty common these days and should really be declared illegal/unconstitutional.
  • TheOtherOne
    Wait .. You are telling me that in the land of "free", you can NOT sue a company when (not if) they screw you over illegally and break privacy laws?

    Bravo! Murica.
  • Co BIY
    Is there a place where a consumer can go and get a side by side comparison of email accounts for privacy purposes.

    I do think that if privacy is a requirement then a free service is basically ruled out.
  • grimfox
    @THEOTHERONE You can still sue them but only for small claims, which depending on the area has different caps usually less than $1000. And you have to present your case on your own vs their representative which will likely have a law degree. Good luck trying to collect any evidence from "Oath" to prove your claim.
  • caduzalak
    This "Oath" missed April 1 with 25 days. better timing next time guys.
  • Giroro
    "you can NOT sue a company when (not if) they screw you over..."
    Not if you clicked a checkbox one time back in the 90's as a minor, you can't.

    "...and break privacy laws?"
    Privacy laws? What privacy laws?
  • sykozis
    20917628 said:
    That type of agreement unfortunately seems to be pretty common these days and should really be declared illegal/unconstitutional.

    AT&T tried to do the same thing a few years back. The courts ruled against AT&T when it was challenged.