It has become an article of faith among many that privacy class actions face difficult hurdles in obtaining certification. That doctrine may be about to change, however, if last week’s decision in the Northern District of Illinois is any indicator.

The federal court in Harris et al. v. comScore, Inc. partially granted a motion for class certification that could lead to a class of over a million plaintiffs. The decision is significant for two principal reasons:

  • First, it demonstrates how the use of standardized statements or End User License Agreements (“EULAs”) can give rise to commonality within a class; and
  • Second, it delineates a path through which plaintiffs in a proposed class can overcome their initial burden to plead damages by bringing claims under the Electronic Communications Privacy Act (“ECPA”) and the Stored Communications Act (“SCA”), both of which provide for statutory damages.

Background: comScore’s Tracking of Consumers’ Personal Computer Usage

comScore Inc. is an internet market research company that designs and distributes software to collect the online activity of internet users, which comScore analyzes and sells to its clients. Once installed on a consumer’s computer, comScore’s software collects a variety of information including data entered into web browsers (such as user names and passwords), the names of the files on the computer, and the contents of the computer’s PDF files.

Most consumers download and install comScore’s software through its partnership with “bundlers,” who provide free digital products to consumers such as screensavers, games, and greeting card templates. During the installation of the free digital product, the consumer is presented with a boilerplate “Downloading Statement” notifying the consumer about comScore’s software. Underneath the Downloading Statement is a link to a boilerplate EULA, which a consumer must either “accept” or “decline” before proceeding with the download of the free product (although the free bundled software installs regardless of whether the consumer accepted the EULA and installed the comScore software).

The Complaint

Plaintiffs allege that comScore collected and sold information from millions of consumers’ personal computers without their knowledge. Plaintiffs assert a common law claim for unjust enrichment as well as violations under (1) the SCA, (2) the ECPA, and (3) the Computer Fraud and Abuse Act (“CFAA”). In particular, plaintiffs allege that comScore violated each of these statutes by intentionally accessing and intercepting consumer communications and internet behavior either without authorization or by exceeding any authorization, and by continuing to access the information even after the user uninstalled the bundled software.

Plaintiffs sought certification of: (1) a class of individuals who, since 2005, had downloaded and installed the comScore software via a third-party bundling partner after receipt of both the Downloading Statement and EULA; and (2) a subclass of individuals who installed the software after receipt of the Downloading Statement, but without first receiving a functional hyperlink to the EULA.

District Court’s Certification Decision

The district court granted certification of the proposed class and subclass for plaintiffs’ federal SCA, ECPA and CFAA claims. (The court denied certification of the unjust enrichment claim.) Plaintiffs easily met the numerosity requirement, as comScore’s software was installed on millions of computers between 2008 and 2011.

In finding that the plaintiffs also met the commonality requirement, the district court found the Downloading Statement and End User License Agreement to be form contracts to which each class and subclass member agreed. The court followed precedent in the Seventh Circuit to hold that claims arising out of form contracts “present the classic case for treatment as a class action.” See, e.g., Keele v. Wexler, 149 F.3d 589, 594 (7th Cir. 1998). The court rejected comScore’s argument that the scope of consent needed to be determined plaintiff-by-plaintiff based on each plaintiff’s subjective understanding of the agreement, instead finding that because each class member engaged in “a substantively identical process” to download the software, the scope would be determined by that identical process common across the class and subclass.

Because both of the named plaintiffs downloaded comScore’s software after downloading a free digital product from a bundling partner and viewing the Downloading Statement (and, in the case of the class, after having also received the End User License Agreement), the court found the claims typical of the proposed class and subclass. Similarly, the court easily found that the named plaintiffs adequately represented the interests of the class and subclass.

The court further found that the class was ascertainable – and thus identifiable as a class – because of comScore’s possession of the putative members’ contact information. Thus, comScore’s tracking activities actually supported class certification, because comScore could determine the bulk of class membership from its own client records.

Finally, in determining that questions common to the class predominated over any individual questions and that a class action would be superior to other methods of adjudication, the court breezed by the issue of differing damages among putative class members. Because both the ECPA and the SCA provide for statutory damages, the question of whether individual plaintiffs suffered damage was inapplicable as to those claims. Moreover, even though the CFAA – unlike the ECPA and SCA – requires a plaintiff to suffer $5,000 in a year of damage or loss, the court found this issue outweighed by the convenience of resolving the remaining common issues together.

Moving Forward from comScore, Inc.

Plaintiffs will likely seize upon the decision in comScore, Inc. in looking to certify classes in privacy cases involving any type of uniform or boilerplate contract. The use of that boilerplate gives plaintiffs an easier hook to establish commonality. Just as significantly, the court’s holding on the SCA and ECPA damages issues offers a road map to any plaintiff who can make out a claim under either of these statutes, allowing them to avoid the damages hurdle that CFAA typically presents. The comScore court’s decision, if left undisturbed, may presage that much-predicted, but still largely unrealized, new wave of privacy class claims.