In what has been dubbed, “the largest privacy class action suit ever,” the Seventh Circuit in Harris v. comScore, Inc., refused interlocutory review of the District Court’s order granting class certification. Although utterly silent as to the basis for denying review under Fed. R. Civ. P. 23(f), the Court of Appeal’s decision is likely to impact future privacy class actions as well as corporate culture as we know it.
In comScore, plaintiffs brought suit—after downloading and installing comScore’s software onto their computers—alleging that comScore exceeded the scope of its User License Agreement when it improperly mined and sold their personal information. ComScore—an online research company—collects and analyzes data about consumers’ activities on the internet through a computer software program called OSSProxy. Once installed, this program “constantly collects data about the activity on the computer and sends it back to comScore’s servers.” ComScore, pursuant to its User License Agreement, uses this data to generate market reports, which assists its clients to understand market trends. But, comScore allegedly sold information that it explicitly stated would, if collected, be purged from its servers, specifically “phone numbers, social security numbers, user names, passwords, bank account numbers, credit card numbers, and other demographic information.”
Plaintiffs moved to certify a class of “all individuals who, at any time since 2005, downloaded and installed comScore’s tracking software onto their computers.” ComScore, however, argued that certification was inappropriate because individual inquiries would be necessary to determine whether class members downloaded the software in question. Rejecting defendant’s lack of predominance argument, the Court certified the class, finding that plaintiffs raised “a variety of common questions” and these common questions predominated “over any questions affecting only individual members.” Indeed, the Court found that even “if substantial individual adjudication is necessary the Court will consider appropriate class limitations,” but that issue “presents no obstacle to class adjudication.”
ComScore disagreed and promptly petitioned the Seventh Circuit for interlocutory review. However, the Seventh Circuit denied the Rule 23(f) petition, without opinion, essentially leaving the District Court’s class certification opinion undisturbed.
The Seventh Circuit’s silence notwithstanding, corporations should be aware of the comScore decision for two reasons. First, the massive class approved will unquestionably impact privacy class action litigation, as the decision below will be heavily relied on by the plaintiffs’ bar in advancing their arguments for class certification in privacy cases. Plaintiffs may argue that in the context of data collection, “issues of whether plaintiffs consented to [the] data collection, the scope of that consent, and whether [a defendant] exceeded that consent can all be determined on a class basis.” Second, this decision also demonstrates why companies that gather and utilize consumer data need to be mindful of class action exposure that could result from any alleged failure to obtain consumer consent to use data, or claimed uses that exceed the purported scope of that consent.