A recent federal court opinion raises concerns that privacy cases alleging violations of a standard user license agreement may be susceptible to class certification.
Last week, the U.S. District Court for the Northern District of Illinois certified a class in a consumer privacy lawsuit against comScore, Inc. Plaintiffs allege that comScore exceeded the scope of the consent obtained from consumers who downloaded the company’s software. They allege that the software collects information beyond that disclosed in the company’s terms of service, and that the software collects confidential information about the users instead of filtering or later purging that information. The complaint asserts claims under the Stored Communications Act, 18 U.S.C. § 2701(a)(1)–(2); the Electronic Communications Privacy Act, 18 U.S.C. § 2511(1)(a) & (d) (“ECPA”); and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C) (“CFAA”). Plaintiffs also assert a common law claim for unjust enrichment. The class, which includes all persons who downloaded the company’s software since 2005, may exceed one million members.
The court certified a class to pursue all three federal statutory claims. In doing so, the court found several “common questions” suitable for class treatment, including the scope of consent granted by comScore’s user license agreement (“ULA”) and the downloading statement that users accepted prior to installing comScore’s software. The court rejected comScore’s argument that the “scope of consent” varies from class member to class member depending on his or her “subjective understanding of the agreement and the surrounding circumstances.” Although the ECPA allows for consent to be implied from the surrounding circumstances, the court rejected that defense where users manifest consent through substantially identical downloading statements and/or ULAs.
The court rejected comScore’s challenge that the named plaintiffs are not typical of the class because they experienced other problems with their computers and thus will have difficulty establishing that any decline in the performance of their computers was attributable to comScore’s software. The court found that this evidence would be relevant, if at all, only to the question of damages.
In addition, the court rejected defendants’ argument that individualized questions of whether each class member can establish “damage or loss” preclude class certification under the CFAA. Most courts have held that the mere disclosure of information does not qualify as harm under the CFAA, but the comScore court found that it would be more efficient to proceed as a class, and hold individual damages hearings later if necessary, “than it would be to litigate all of the common issues repeatedly in individual trials.”
The court found plaintiffs’ unjust enrichment claim unsuitable for class certification, based on choice of law considerations. Because the putative class likely includes individuals from all 50 states (as well as some foreign countries), and the law of unjust enrichment varies from state to state, the court determined that class certification is not a superior method for adjudicating those claims.
The decision demonstrates that the plaintiff bar’s efforts to develop privacy class actions may be gaining some traction. In particular, the court’s reliance on comScore’s form disclosures and ULA in order to find common questions as to the scope of users’ consent may lead to additional class action filings against companies that collect data based on such disclosures.