In a notable decision that may lead to an increase in privacy class actions under federal law, the Seventh Circuit in Harris v. comScore, Inc. upheld the certification of a class action for alleged privacy violations under the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA), and the Computer Fraud and Abuse Act (CFAA). In certifying the class, the district court found that statutorily defined damage amounts eliminated the need for plaintiffs to prove their injuries individually.
Plaintiff representatives alleged that comScore unjustly enriched itself under state common law, and that it violated the SCA, ECPA, and CFAA by operating outside of the terms of its User License Agreement (ULA) for its data collection software. In analyzing plaintiffs' motion to certify a class consisting of users who downloaded the software since 2005, the district court denied certification on the unjust enrichment claim but certified the class under the federal statutes. The court found that plaintiffs had alleged various common questions capable of resolution on a classwide basis under these statutes—which define statutory penalties per violation—and that the issues common to the class predominated over individual ones.
Notably, the court rejected comScore's argument that the class was unmanageable because each plaintiff had to prove actual damages. The court instead held that the damages claimed were statutory in nature and thus determinable, absent individual showings of injury. The SCA, for example, provides a minimum statutory fine of $1,000 for a violation, while the ECPA provides a statutory penalty range of $50 to $10,000.
For the CFAA claim, which requires a threshold showing of at least $5,000 in loss and does not specify a minimum fine amount for a violation, the court declined to address whether plaintiffs could aggregate their damages to reach the threshold loss amount. Nonetheless, the district court found, and the Seventh Circuit agreed, that resolving all of the common liability and damages issues under all three statutory claims in a single proceeding, with separate individual damages hearings as necessary, would efficiently resolve the issues in the case.
The holding in Harris v. comScore may contribute to an already increasing number of class action privacy suits under federal law. Historically, other circuits (including the Fourth Circuit) have found that putative class members lack standing to pursue class actions where there is no evidence of actual harm. Following similar holdings in recent Ninth Circuit cases, however, the Seventh Circuit's comScore opinion continues a trend in finding that statutory damages under federal privacy laws are sufficient to satisfy the commonality and predominance requirements of a Rule 23(b)(3) class. Whether other circuits will join the Seventh and Ninth Circuits remains an open, and important, question.