On May 30, 2014, comScore Inc. announced that it has reached a $14 million settlement in the largest class ever certified in an Internet privacy lawsuit, composed of users who claim that comScore installed analytics software on their computers and sold their personal data to media outlets without their knowledge or consent. ComScore, a publicly-traded company, faced upwards of $1 billion in liability under various federal statutes aimed at protecting consumer privacy. This made it one of the largest (if not the largest) privacy class action certified in the country.

Background on ComScore Lawsuit 

ComScore is an online analytic company. On its website, comScore describes itself as “comScore measures what people do as they navigate the digital world – and turns that information into insights and actions for our clients to maximize the value of their digital investments.”[1] In a second amended complaint filed on January 31, 2013, the plaintiffs alleged that comScore collects data about the activities of consumers on the internet, analyzes the data, and sells it to clients. Plaintiffs contend that comScore gathers its data through a program called OSSProxy, which, if installed on a computer, constantly collects data about any activities on that computer and sends it back to comScore’s servers. The plaintiffs alleged that the OSSProxy software collects a variety of information about a user’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential information, and the contents of PDF files.

By way of background, in August 2011, the comScore plaintiffs filed a lawsuit, Harris et al. v. comScore, Inc., case number 1:11-cv-05807, in the United States District Court for the Northern District of Illinois, alleging that comScore improperly obtained and used personal information from their computers after they downloaded and installed comScore’s OSSProxy software. Based on these allegations, the plaintiffs asserted violations of the Stored Communications Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act.

On April 2, 2013, the court entered its decision regarding the plaintiffs’ request for class certification. As to the plaintiffs’ specific claims, the court declined to certify a class on the plaintiffs’ claims for common law unjust enrichment, based on a determination that “the law of unjust enrichment varies too much from state to state to be amenable to national or even to multistate class treatment.” However, the court determined that the plaintiffs’ federal statutory claims were suitable for class disposition, and further determined that the named plaintiffs would “fairly and adequately protect the interests of the class.” The court defined the class as: “[a]ll individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners.” The court also certified a subclass, defined as “[a]ll Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.”

ComScore appealed to the United States Court of Appeals for the Seventh Circuit, arguing that the class representatives were unable to prove whether each of the class members had in fact downloaded comScore software. On June 11, 2013, the Seventh Circuit denied comScore’s appeal in a one-line decision.

As the class reportedly included some ten million web users, with statutory damages of $10,000 per violation under the Stored Communications Act, the district court’s decision granting class certification as the federal privacy claims opened up a potential $1 billion exposure against comScore – a publicly traded company.

Details of Settlement 

If approved, the $14 million settlement will cover $4.6 million of the plaintiffs’ attorneys’ fees and the remaining funds would be distributed to participating class members on a pro rata basis. Users who file claims will receive an estimated $200 payment. The settlement agreement also requires comScore to alter its privacy policies and end user license agreements to bring its disclosures in line with its data collection practices.

Plaintiffs’ attorney Jay Edelson of Edelson PC, the firm representing the class, has said that the deal “stacks up favorably” with other high-profile privacy cases which largely have been resolved through small payouts to class members or cy pres awards to nonprofit groups.

On June 6, 2014, Judge James Holderman granted the plaintiffs’ motion for preliminary approval of the settlement and set the final approval hearing for October 1, 2014.

Recommendations for Companies 

For compliance and to avoid potential exposure based on the collection and use of data from analytics companies such as comScore, companies should develop a set of best practices for use in the collection of behavioral data and ensure that their any agreements with analytics companies reflect these practices. The risks are significant – i.e., $10,000 per violation and (in many cases) millions of alleged violations, depending on the manner in which the data is collected and used. 

The FTC’s recent May 2014 report titled “Data Brokers, a Call for Transparency and Accountability” recommends best practices for companies like comScore that “collect consumers’ personal information and resell or share that information with others…” Adequate notice to consumers of data broker practices are a cornerstone of that report. Companies that use web analytic vendors or that gather data themselves, should also familiarize themselves with FTC complaints, consent decrees and guidance as it relates to Big Data. Alston & Bird has prepared a checklist summarizing all of the FTC prior orders as it pertains to Big Data as well as the five reports issued by White House, the Senate, the CA AG and the FTC regarding best practices. This Alston & Bird Big Data Privacy Checklist is available on a fee basis.

Crafting your company’s Big Data program in a manner that is consistent with regulatory expectations, while always recommended, is all the more imperative in light of some of the recent public statements by the FTC that it will not promulgate specific regulations before commencing enforcement privacy and data security actions, expressed, as recently as May 12, 2014 in the pending LabMd FTC administrative matter.

In the recent FTC v. Wyndham Worldwide decision rendered on April 7, 2014, Judge Salas of the United States District Court for the District of New Jersey held that the FTC need not promulgate specific guidelines before enforcing in the data security area:

“In other words, Hotels and Resorts argues that, because the FTC has the power to issue particularized regulations and that it is plausible to do so, it must. (See id.; 11/7/13 Tr. at 87:20-88:1 ("I think it is black letter law that an agency with rule-making authority, which they have, they have rule-making authority, Congress has given it to them, that when they are going to take action, enforcement actions, they have to publish rules in order to give companies fair notice of what is prohibited by their actions.")). 

But the contour of an unfairness claim in the data-security context, like any other, is necessarily "flexible" such that the FTC can apply Section 5 "to the facts of particular cases arising out of unprecedented situations." See Colgate-Palmolive Co., 380 U.S. at 384-85. And, Hotels and Resorts invites this Court to dismiss the FTC's complaint on fair notice grounds despite the FTC's many public complaints and consent agreements, as well as its public statements and business guidance brochure—and despite Hotels and Resorts' own references to "industry standard practices" and "commercially reasonable efforts" in its privacy policy. (See Compl. ¶ 21).” 

The Court declines to do so.

FTC v. Wyndham Worldwide Corp., 2014 U.S. Dist. LEXIS 47622, 40-41 (D.N.J. Apr. 7, 2014) (Emphasis added). Our blog post regarding the Wyndham decision may be found here

Further, privacy and data security cases are having an impact on the C suite a well as corporate boards. With the departure for example of Target’s CIO and the announced departure of its CEO, a consulting firm recently reported that 7 of the 10 Target board members should be removed for failing to exercise adequate oversight and ask sufficient compliance questions as it pertains to privacy and security.