In its recent decision in Harris v. comScore, Inc., the Seventh Circuit declined to review a trial court order certifying a plaintiff class consisting of hundreds of thousands of computer owners who downloaded software that permitted comScore, Inc. to track internet traffic and usage. The comScore software was not supposed to load onto a computer unless the user affirmatively accepted a click wrap agreement that disclosed how comScore tracked and utilized the users’ data. Plaintiffs allege that the software sometimes loaded onto computers without giving users the opportunity to read and accept the click wrap agreement, but primarily claim that comScore accesses and uses data in ways that violate its agreement. Plaintiffs seek damages for unjust enrichment and allege violations of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701(a)(1), the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(1)(a), (d), and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C).
Plaintiffs moved to certify a class consisting of all persons in every state in the U.S. who downloaded the comScore software. Plaintiffs argued that the alleged policy of accessing and using their data in a manner contrary to the express terms of the comScore click wrap agreement meant that common issues of law and fact predominated with respect to the claimed violations of state and federal law. In opposition, comScore raised a host of issues, including questions about whether both named plaintiffs actually downloaded the software, whether the identity of class members was ascertainable through objective criteria, whether certain class claims were timely, and whether the injury or loss could be established through proof common to the class as a whole.
The trial court declined to certify a class to pursue the unjust enrichment claims, concluding that substantial variations in applicable state laws made it impossible to adjudicate the unjust enrichment claims of the multistate class in a single action. The court did, however, certify a class to pursue the federal statutory claims. The court conceded that proof of some issues might vary for some class members, but ultimately found that the core issue in the case – whether comScore’s use of data violated the terms of its own agreement – could be addressed by proof common to the class as a whole. Reinforcing this conclusion was the availability of mandatory statutory damages under the SCA and ECPA, which avoided individual questions about loss or injury that often preclude certification of classes alleging misuse of data under state common law and consumer protection causes of action.
A petition to the Seventh Circuit seeking review of the class certification decision under Rule 23(f) promptly followed. Under that rule, appellate courts have the discretion to review class certification decisions directly where there is a likely error of law or close question of first impression. The Seventh Circuit denied the petition without opinion, making it impossible to know the precise ground for denial.
The objections to class certification identify strong arguments for comScore on the merits. Most significantly, comScore raises serious questions about the validity of plaintiffs’ claim that comScore violates the terms of its own agreements. That particular question, however, is plainly common to the class as a whole. Most of the arguments that comScore makes – particularly with respect to statute of limitations, the specific types of violations committed, and whether it is possible to identify class members whose downloads are not recorded in comScore’s records – provide better grounds for narrowing the class than for doing away with it altogether. Finally, because the SCA and ECPA permit recovery of statutory damages without proof of financial loss, the claims advanced in Harris do not pose the types of individualized issues concerning fact of injury that often block certification of other types of data privacy claims.
These considerations demonstrate why companies that track and utilize consumer data need to be mindful of class action exposure that could result from any alleged failure to obtain consumer consent to use of data, or claimed uses that exceed the scope of that consent. A company accessing or using data pursuant to the terms of a click wrap agreement needs to exercise particular care to ensure (i) that data is not used or accessed unless the user has entered into an agreement (proof of which the company retains); (ii) that the agreement clearly discloses how the company accesses the data and what it does with that data; and (iii) that the company does not use or access the data in any manner that is inconsistent with its agreement.