On Tuesday, June 11, 2013, the Seventh Circuit denied comScore’s appeal from the district court’s ruling granting class certification, thereby allowing a class of tens of millions of plaintiffs from around the world to proceed to trial as a class action suit. In re comScore, Inc., No. 13-8007 (7th Cir. June 11, 2013).

ComScore is an internet research company that monitors the usage of consumers who install comScore’s software and sells the data its collects to its clients who in turn use the data for marketing research and analysis of online behavior. To induce consumers to install its software, comScore bundles the software with free programs such as screensavers and games. Upon downloading the free programs, consumers are simultaneously prompted to download the monitoring software. During installation of the software, consumers are presented with a Downloading Statement and a link to the User License Agreement which contains terms governing which information the software will collect from users’ computers and how that information will be used.

ComScore’s monitoring software captures a variety of information about a consumer’s computer such as the names of every file on the computer and information entered onto a web browser, including user names, passwords, credit card numbers, bank account numbers, and phone numbers. In the Downloading Statement, however, comScore assures consumers that it makes “commercially viable efforts to automatically filter confidential personally identifiable information . . . and to purge [its] databases of such information.”

Consumers, Mike Harris and Jeff Dunstan (“Plaintiffs”) brought a putative class action against comScore alleging violations of the Stored Communications Act (“SCA”), the Electronic Communications Privacy Act (“ECPA”) and the Computer Fraud and Abuse Act (“CFAA”) for improperly obtaining and using personal information of consumers after they downloaded and installed comScore’s software. Specifically, Plaintiffs asserted that comScore exceeded the scope of consumers’ consent to monitoring in the User License Agreement by among other things intercepting confidential personal information and failing to purge the confidential information from its databases.

The District Court’s Opinion

Addressing each of the Rule 23 mandatory requirements, the district court granted certification of a class consisting of “all individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking software into their computers via one of comScore’s third party bundling partners” for all three federal statutory claims. See Harris v. comScore, Inc., No. 11 C 5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013)

Commonality

Importantly, the district court found numerous questions relevant to the alleged statutory violations could be resolved on a class wide basis. The court rejected comScore’s argument that the scope of consent provided by the class members was an individualized inquiry, stating that where consent was manifested though the adoption of a form contract, such as the Downloading Statement and User License Agreement, and each class member engaged in a substantively identical process to download the software, the scope of consent determination was common across the class. Further, the court reasoned that because the ECPA, the SCA and the CFAA only required proof of one incident of the software exceeding the scope of consent to establish a violation, the fact that the data collection varied for each individual depending on their use did not defeat the commonality element because the software collects certain data, such as the names of every file located on a user’s computer, from every user.

Ascertainability

Additionally, the district court ruled that Plaintiffs satisfied the Rule 23 ascertainability requirement, which requires the plaintiff to show that the class members are easily identifiable, despite the fact that at least a portion of class members are identifiable only through submission of individual affidavits.

In allowing ascertainbility to be determined through a combination of company records and individual affidavits, the district court diverges from recent federal court opinions cautioning against “approving a method that would amount to no more than ascertaining by potential class members say so.” Marcus v. BMW of North Am., LLC, 687 F.3d 583 (3d Cir. 2012); See also, In re Wal-Mart Stores, Inc. Wage & Hour Litig., No. C 06-2069, 2008 WL 413749, *8 (N.D. Cal. Feb. 13, 2008) (finding that where “Wal-Mart’s database did not provide records of either termination or the dates employees made themselves available for final payment . . . the proposed subclass was not ascertainable”); Deitz v. Comcast Corp., No. C06-06352, *8 (N.D. Cal. July 11, 2007) (finding the class unascertainable where the defendant’s records did not keep track of which subscribers owned cable ready TV boxes); Dumas v. Albers Medical, Inc., No. 03-0640, 2005 WL 2172030, *6 (W D. Mo. Sept. 7, 2005) (finding the class unascertainable where no records exist which would allow the class members to be identified); In re Onstar Contract Litig., 278 F.R.D. 352, 373 (E.D. Mich. 2011) (finding that the class was not ascertainable because very few class members could be identified through the data maintained by Onstar and the remaining member identification would require individual inquiries).

Predominance and Superiority

comScore argued that the statute of limitations raised individual issues which precluded class treatment because the SCA, ECPA and CFAA all had two year statutes of limitations subject to the discovery rule and, therefore, an individualized inquiry would be required to determine when each plaintiff discovered the alleged violation. The district court, however, disagreed stating that comScore’s data collection is ongoing, therefore, those individuals with the software still installed are still within the limitations period. Further, the district court reasoned that discovery of the information being collected by the software required analysis of the program’s computer code and it is unlikely that many class members would have the requisite knowledge about computers to discovery the violation thereby triggering the statute of limitations.

Finally, the district court rejected comScore argument that the issue of whether each individual suffered damage or loss from comScore’s actions precluded certification, finding the SCA and the ECPA provided statutory damages for which only a violation must be established. The district court further noted that although the CFAA required proof of loss aggregating at least $5000 in value, “individual factual damage issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.”

Implications

The district court’s decision granting class certification and the Seventh Circuit subsequent denial of comScore’s Rule 23(f) petition creates significant challenges for companies involved with data collection and opens the door for a wave of statutory based privacy class action lawsuits.