Last week, the Seventh Circuit upheld a lower court’s class certification in the case of Harris v. comScore, Inc. Although issued without opinion, the Seventh Circuit’s refusal to reverse the District Court’s certification should signal to online marketing and analytics firms that there may be significant exposure related to consumer data collection.
The comScore class action suit was based on violations of the Stored Communications Act (“SCA” at 18 U.S.C. § 2701(a)(1), (2)), the Electronic Communications Privacy Act (“ECPA” at 18 U.S.C. § 2511(1)(a), (d)), the Computer Fraud and Abuse Act (“CFAA” at 18 U.S.C. § 1030(a)(2)(C)), and common law unjust enrichment.
The complaint alleged that comScore improperly obtained and used consumers’ personal information after they downloaded and installed comScore’s software. The software at issue here is called OSSProxy. Once installed on a computer, OSSProxy constantly collects data about the user’s computer activity and sends that data back to comScore’s servers. Depending on how cognizant you are of data collection software and current practices, the following may or may not shock you:
“The OSSProxy software collects a variety of information about a consumer’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential information, and the contents of PDF files.”
OSSProxy was installed on millions of computers between 2008 and 2011. To accomplish this, comScore distributes its OSSProxy software through cooperation with third-party providers (appropriately referred to as “bundlers”) who distribute free digital products to consumers online. Upon downloading the bundlers’ free software, the consumer is prompted to download OSSProxy. The prompt includes a “Download Statement” and, at least in some cases, a link to comScore’s User License Agreement (ULA). OSSProxy downloads and installs on a consumer’s computer only after the consumer checks “Accept.” The bundler’s free digital product downloads and installs even if the consumer “Rejects” the OSSProxy terms, although that fact is confusingly unapparent to an average consumer.
A critical common question among putative class members was whether comScore exceeded the scope of the consent it received from consumers. As reproduced in the District Court opinion, the Downloading Statement reads in relevant part as follows:
After quickly dismissing the unjust enrichment claim as inappropriate for class action treatment, the Court allowed the claims based on three federal statutes that provide protection against the unauthorized data collection from the plaintiffs’ computers. Each of the three statutes provides an exception to liability if the person obtaining the information has the consent of the computer user.
The plaintiffs alleged that comScore exceeded the scope of their consent to monitoring in the ULA (as incorporated via the Downloading Statement) by:
1) “fuzzifying” or “obscuring” confidential information collected, rather than automatically filtering that information;
2) failing to “make commercially viable efforts to purge” confidential information that it does collect from its database;
3) intercepting phone numbers, social security numbers, user names, passwords, bank account numbers, credit card numbers, and other demographic information;
4) intercepting the previous 25 websites accessed by a consumer before installation of comScore’s software, the names of every file on the consumer’s computer, the contents of iPod playlists on the computer, the web browsing history of smartphones synced with the computer, and portions of every PDF viewed by the user during web browsing sessions; and
5) selling the data collected from the consumer’s computer.
Specifically, the Stored Communications Act (SCA) provides a private action against any person who intentionally accesses without authorization a facility through which an electronic communication service is provided or intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system. The Electronic Communications Privacy Act (ECPA) provides the same with respect to any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication, or intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication. Finally, the CFAA creates a private right of action against any person who intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.
The Court concluded that the class action requirements under Federal Rule of Civil Procedure 23(a) (i.e., numerosity, commonality, typicality, adequacy of representation, and ascertainability), as well as the requirements under Rule 23(b)(3) of predominance and superiority were all met. Rule 23(b)(3) provides that a class action may be maintained only if “the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” As to this “predominance and superiority” requirement, the Court was not moved by comScore’s assertion that class certification should be precluded due to the issue of whether each individual plaintiff suffered damage or loss from comScore’s actions. As the Court stated,
“That argument has no applicability to the ECPA or SCA claims, both of which provide for statutory damages. The CFAA is different, however, in that it grants a civil action only to “[a]ny person who suffers damage or loss.” [Nevertheless], the Seventh Circuit has recently reiterated that individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.”