Seventh Circuit Denies 26(f) Relief Allowing A Potentially Massive Privacy Class to Proceed to Trial in Harris v. comScore

Posted by Judy Selby on June 12, 2013

This post is a joint submission with BakerHostetler's Class Action Lawsuit Defense blog.

As reported here in April, an Illinois federal district court certified a privacy class that could number tens of millions of plaintiffs in the case of Harris v. comScore. The plaintiffs claimed that comScore, an online data research company, violated the Stored Communications Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act.  The plaintiffs also asserted a claim for unjust enrichment. The district court certified the class based on the plaintiffs’ statutory claims only, and not surprisingly, comScore petitioned the Seventh Circuit under Rule 23(f) for an interlocutory appeal of that ruling. 

On appeal, comScore noted that the court “certified a worldwide class—tens of millions of people—consisting of everyone who has downloaded …. comScore’s software through a third party since 2005,” and stated, “No privacy case of anything approaching this size has ever been certified, for the simple reason that the individualized issues inherent in case of this type make them particularly unsuited to class treatment.”  comScore argued that the district court failed to engage in a “rigorous analysis” before ruling on the class certification issue, and that the decision could “change the course of class action practice in data privacy cases.” 

comScore’s appeal was supported by an amicus brief filed by industry groups, including the Direct Marketing Association, the American Association of Advertising Agencies and the US Chamber of Commerce.  The amici argued that the district court “created what appears to be the largest class ever certified in a contested internet privacy case, and there is good cause to conclude that it does so erroneously by avoiding Supreme Court precedent and deferring mandatory Rule 23 determinations until trial.”  The amici further contended that they “face a groundswell of privacy class actions, such as this one, brought under ill-fitting statutes by uninjured named plaintiffs presenting uncorroborated (and often untestable) allegations that their privacy rights, and those of a massive class of allegedly ‘similarly situated’ individuals, have been violated.” 

Yesterday, in summary fashion, the Seventh Circuit issued an Order denying comScore’s petition.  The court did not articulate the basis for its decision.  The ruling allows the case to proceed to trial, which reportedly will begin before the end of the year.  Going forward, class action defendants can expect plaintiffs’ attorneys to rely heavily on the comScore decision to argue for class certification of statutory-based claims in privacy and other cases.

Illinois Supreme Court Finds Insurance Coverage for TCPA Claims under Traditional Liability Policies

Posted by Judy Selby on June 03, 2013

This post is a joint submission with BakerHostetler's Class Action Lawsuit Defense blog.

The Illinois Supreme Court held on May 23, 2013, that claims based on alleged violation of the Telephone Consumer Protection Action (TCPA) are covered under traditional general liability policies.  Standard Mut. Ins. Co. v. Lay,  2013 IL 114617 (Ill. 2013).  In so ruling, the Court overruled the decision of a lower appellate court, which had affirmed the trial court’s holding that the claims were not covered.  The Court also broke with the determinations of courts from several other jurisdictions, which previously found that TCPA claims are not covered.

In Lay, Locklear Electric, Inc. (Locklear) filed a class action complaint against Ted Lay Real Estate Agency (Lay), after Lay’s agent sent a “blast fax” advertisement to approximately 5,000 people and entities.  The plaintiffs sought the TCPA-prescribed damages of $500 per violation, as well as injunctive relief.  Lay consented to a court-approved settlement of over $1.7 million, and Locklear agreed to seek satisfaction of the judgment exclusively from Lay’s insurance proceeds.

Lay’s insurer, Standard Mutual Insurance Company (Standard), then commenced a declaratory judgment action to determine its liabilities under its commercial general liability and businessowners liability policies.  Among the issues to be decided was whether the TCPA constitutes a “penal statute.”  Standard’s policies preclude coverage for willful violations of penal statutes.  The trial court granted Standard’s motion for summary judgment on that point, which was affirmed on appeal.  The appellate court held that TCPA damages are punitive and “are not insurable under as a matter of law under Illinois law and public policy and are not recoverable from Standard.”  The court reasoned that the “actual damages incurred by a violation of the TCPA are more in the nature of an irksome nuisance.... Actual damages to any one individual are likely to be small.  Five hundred dollars then becomes a predetermined amount of damages and is clearly not meant to compensate for any actual harm.”  Id. at 10.

The Illinois Supreme Court disagreed.  The court reviewed the legislative history of the TCPA, and concluded that the $500 liquidated damages under the statute were meant, in part, to be an incentive for private parties to enforce the TCPA.  “Whether we view the $500 statutory award as a liquidated sum for actual harm, or as an incentive for aggrieved parties to enforce the statute, or both, the $500 fixed amount clearly serves more than punitive or deterrent goals.”  Id. at 10-11. The court also held that the availability of treble damages “is but one part of the regulatory scheme, intended as a supplemental aid to enforcement rather than as a punitive measure.”  Id. at 11.  Consequently, the court concluded, “We hold that the TCPA is a remedial and not a punitive statute, and that the $500 liquidated damages per violation are not punitive damages.”  Id.  Acknowledging that its decision was at odds with holdings of the 10th Circuit, the Colorado Supreme Court, and a New York appellate court, the court stated that its ruling was based on the “true intent of Congress in enacting the TCPA.  Id.

The court declined to address the issue of whether punitive damages are insurable under Illinois law, noting that resolution of that issue was not necessary to the disposition of the case.  The case was remanded to the appellate court to address other remaining issues.

As TCPA class actions and other similar statutory-based claims continue to proliferate across the country, we can expect defendants to pursue coverage under traditional liability insurance policies based on the Illinois Supreme Court’s reasoning here.  

Hannaford vs. comScore - Up and Down Results for Privacy Class Action Defendants

Posted by Judy Selby on April 08, 2013

Editor's note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog.  For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com.

Sighs of relief by class actions defendants following the denial of class certification in Hannaford may give way to renewed uncertainty now that a massive class, estimated by the plaintiffs’ lawyer to be more than a million people, was certified by an Illinois federal district court last week in the case of Harris v. comScore.

According to its website, “comScore measures what people do as they navigate the digital world – and turns that information into insights and actions for our clients to maximize the value of their digital investments.”   comScore has more than 2,100 clients worldwide, ranging from private corporations, major media outlets, to governments.  comScore gathers data through a software program called OSSProxy, which, when installed on a computer, constantly collects data about activities on the computer. comScore works with so-called “bundlers,” who provide free digital products to internet users.  While downloading the bundlers’ free software, consumers are given the opportunity to download OSSProxy.  The named plaintiffs in Harris v. comScore both downloaded and installed OSSProxy after downloading a free digital program from one of comScore’s bundlers.

In their Complaint, the plaintiffs alleged that “comScore has developed highly intrusive and robust data collection software ... to surreptitiously siphon exorbitant amounts of sensitive and personal data from consumers’ computers [and] uses deceitful tactics to disseminate its software and thereby gain constant monitoring access to millions of hapless consumers’ computers and networks.”  They further alleged that “comScore’s sophisticated computer applications monitor every action conducted by users [and that the collected] data is sent to comScore’s servers, and then organized and sold to  [comScore’s] clients.”  comScore allegedly collects a “terrifying” amount of data from “unsuspecting customers,” including usernames and passwords, search engine queries, and credit card numbers.

The plaintiffs asserted claims for (1) violation of the federal Stored Communications Act (SCA), which, among other things, makes it unlawful to obtain access to stored communications on another person’s computer system without authorization; (2) violation of the federal Electronic Communications Privacy Act (ECPA), which prohibits unauthorized wiretapping and electronic eavesdropping; (3) violation of the federal Computer Fraud and Abuse Act (CFAA), which prohibits accessing computers in excess of authorization; and (4) common law unjust enrichment.

Two certifications were sought -- Class certification of “All individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking and software onto their computers via one of comScore’s third party bundling partners,” and Subclass certification of “All Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.”

Unjust Enrichment Claim

The court first addressed the unjust enrichment claim, ruling that it could not be resolved on a class basis because of “insurmountable choice-of-law problems.”  The court noted that the proposed Class and Subclass likely would include plaintiffs from all 50 states as well as some foreign countries, and that the plaintiffs “propose no solution to allow the court to manage the variety of laws that may be applicable to the Class, other than to suggest that the court certify two subclasses under California and Illinois law.” That proposal was rejected as being “plainly inadequate in light of the geographical diversity of the plaintiffs and the variations in applicable law.”

Statutory Claims

comScore did not fare as well with regard to class certification of the plaintiffs’ remaining claims.  After confirming that each of the federal statutes at issue provides a private right of action, the court ruled that the plaintiffs satisfied the requirements for class certification under FRCP 23 for each statute. 

            Numerosity

comScore did not dispute that the numerosity requirement was met, noting that comScore’s program was installed on millions of computers between 2008 and 2011. 

            Commonality

The court found that the plaintiffs raised a variety of common questions that could be resolved on a classwide basis.  Most significant was the fact that each Class and Subclass member agreed to a form contract, and that “claims arising from interpretations of a form contract appear to present the classic case for treatment as a class action.”  The court rejected comScore’s argument that each plaintiff’s subjective understanding of the agreement and his or her scope of consent rendered class treatment inappropriate, finding that “[t]hat rule has no place where a party manifested consent through the adoption of a form contract.” 

            Typicality

The court held that this requirement was satisfied because both the Class and the Subclass representative plaintiffs “used a substantively identical process to download OSSProxy,” following which the Subclass representative was not presented with a functioning hyperlink to the end user agreement.  The court dismissed what it called comScore’s “speculative” arguments that the named plaintiffs were atypical because of issues concerning whether they actually downloaded OSSProxy.  comStar had presented no “actual evidence” that the named plaintiffs did not download the software, and therefore, the plaintiffs’ “unrefuted” testimony that they downloaded the software provided “ample evidence that their claims are typical.” 

            Adequacy

comScore did not dispute that the adequacy requirement was met.  Further, there was no evidence of conflicting interests on the part of the named plaintiffs.  They vigorously participated in the case thus far, and plaintiffs’ counsel were deemed to be qualified to represent the class. 

            Ascertainability

Because comScore possesses contact information for some of the proposed Class and Subclass members, the court ruled that those portions of the proposed classes were identifiable in satisfaction of the ascertainability requirement.  The court ruled that any remaining class members could claim membership by affidavit.  Although rejecting comScore’s argument that the affidavit process would be unwieldy, the court acknowledged that the issue could be reconsidered if the portion of the class asserting membership by affidavit proved to be excessively large, in which case the class could be limited to members who downloaded OSSProxy as reflected in conScore’s records. 

            Predominance and Superiority

comScore argued that statutes of limitations raised individual issues that are not suited to class treatment.  Because the limitation periods for SCA, ECPA and CFAA begin to run two years after a plaintiff discovers a potential violation, comScore asserted that a case-by-case determination would be required to determine when each plaintiff discovered the alleged violation.  The court disagreed on the grounds that the issue arises only for class members who downloaded OSSProxy two years before the lawsuit was filed, some of those class members still have OSSProxy installed on their computers, and it is unlikely that any remaining class members had the requisite knowledge of OSSProxy’s operations to trigger the statute of limitations.

In addition, since SCA and ECPA provide for statutory damages, the court rejected comScore’s contention that there were issues concerning whether each individual plaintiff suffered damage or loss. And even though CFAA grants a civil action only to persons “who suffer damage or loss,” and further requires that each offense lead to a “loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value,” the court held that it would be more efficient to resolve all of the common issues in a single proceeding than to hold individual damages hearings.

If the estimate of the plaintiffs’ lawyer concerning class membership proves to be correct, Harris v. comScore is likely to be the largest privacy case ever certified on an adversarial basis.

South Korea Court Opens the Door for Unintentional Data Breach Collective Actions

Posted by Erica Gann Kitaev on March 02, 2013

Authorship Credit:  Nathan A. Schacht

This is a cross blog post with BakerHostetler's class action blog.  For the latest in class action developments, visit classactionlawsuitdefense.com

On February 15, 2013, the Seoul Western District Court in South Korea issued a judgment in a collective consumer action against a South Korean company for a data breach involving personal data in its possession.   Importantly, the unlawful breach at issue in this case was not caused by the company’s intentional misconduct, but instead the company’s carelessness and mismanagement of the personal information in its possession.  This appears to be the first ever judgment abroad rendering such a ruling.

In this landmark decision, the court ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator who operates internet sites and search engines.  The judgment resulted in an order requiring SK Communications to pay each petitioner approximately USD 185 for a total award of approximately USD 534,200. 

According to reports about this case, the focus was on SK Communications’ violation of its duty to protect the personal data of its operations’ subscribers, including their names, dates of birth, cell numbers and social security numbers.  Apparently, after an SK Communications security manager completed a project online, the security manager failed to log out of the system and left the computer on overnight.  This oversight left the system open and susceptible to hackers who accessed the system and caused the leak without even having to bypass password protections.  Despite the unintentional conduct and the company utilizing some software and password protections to prevent hacking and the resulting data breaches, the court ruled that the software and protections used were not enough.  In addition, the court concluded that the company’s carelessness and mismanagement of its online operations was substandard and, therefore, unlawful, warranting damages. 

Although the amount of the award in this case is not eye-popping by U.S. standards, the decision indicates a significant shift in the treatment of data breaches and utilizing collective actions to remedy such breaches abroad.  Given that mismanagement and carelessness may lead to large damage awards, international companies must be cautious with the systems and protections it has in place to guard the personal information in its possession.  Even more, international companies should be aware of the trend for remedying data breaches through collective actions abroad, as this decision and the discussion surrounding it indicate that this type of ruling may be just the beginning.  The main lesson to take away from this decision is that governments and courts, even abroad, are cracking down on substandard protections for personal information and breaches resulting from not only intentional misconduct related to breaches, but mismanagement and carelessness.  By not taking this lesson to heart, international companies may face significant and growing collective damages awards in foreign jurisdictions.

For a multi-jurisdictional summary of key requirements of international data privacy laws, see BakerHostetler's International Compendium of Data Privacy Laws.

Magistrate Recommends Dismissal with Prejudice of Claims Against Global Payments

Posted by Craig Hoffman on February 20, 2013

Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system.  Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken.  Three individuals brought a putative class action alleging that fraudulent charges were made to the credit card they used at merchants who used Global Payments to process their transactions.  The plaintiffs asserted claims of: (1) negligence; (2) violations of the Stored Communications Act (SCA); (3) violations of the Fair Credit Reporting Act (FCRA); (3) violations of the Georgia Uniform Deceptive Trade Practices Act; and (4) implied contract and third party beneficiary breach of contract claims.  Global Payments moved to dismiss all claims on the grounds that the plaintiffs failed to allege sufficient facts to establish Article III standing or all of the necessary elements of their seven claims.  United States Magistrate Judge Janet King issued a recommended decision on February 5, 2013.   

The magistrate addressed the Article III argument first.  The plaintiffs only alleged that they discovered fraudulent charges on their account -- they did not allege that they actually paid for the fraudulent charges.  They also did not allege that their information was used to commit identity theft, which the magistrate used to distinguish the Eleventh Circuit’s decision in AvMed.  Accordingly, the magistrate found that the plaintiffs failed to adequately plead an injury in fact.  In so doing, the magistrate stated that the plaintiffs’ personal information does not have an inherent monetary value.  The magistrate also found that allegations of increased risk of future identity theft were insufficient because they were entirely speculative.  However, the magistrate recommended that the Rule 12(b)(1) motion be denied as moot based on her recommendation that all claims in the plaintiffs’ first amended complaint be dismissed with prejudice for failing to state a claim under Rule 12(b)(6).

In addressing the Rule 12(b)(6) motion, the magistrate easily identified why the SCA and FCRA claims were fatally defective—Global Payments does not provide electronic or remote computing services to the public, it did not knowingly divulge plaintiffs’ information, and it does not provide consumer reports or act as a consumer reporting agency.  The Georgia Unfair and Deceptive Trade Practices Act claims were dismissed because plaintiffs did not allege any facts showing that they would be harmed without injunctive relief (injunctive relief is the exclusive remedy of this claim), in part because they could not identify any representations from Global Payments that they relied on and because their allegations of increased risk of future harm were speculative.  The negligence claim, which was premised on allegations that Global Payments was not PCI DSS compliant at the time it was compromised, was dismissed based on the economic loss doctrine and because plaintiffs could not identify any duty owed by Global Payments because the parties had no direct relationship.  The contract claims were dismissed: (1) based on precedent from prior breach cases that consumers are not intended beneficiaries of contracts between merchants and the entities that facilitate their card processing; and (2) because plaintiffs did not allege that they were aware of or relied on any representations from Global Payments before providing their credit card to a merchant that used Global Payments.

If the district court judge adopts the magistrate’s recommended decision, this will serve as yet another example of why putative class actions arising out of payment card industry breaches are an uphill climb for plaintiffs.  For example, similar claims were brought against another payment processor (Heartland) after it disclosed a compromise that affected over 100 million cardholders.  Although Heartland settled the consumer claims by establishing a fund of $1 million, only eleven cardholders submitted valid claims.  Indeed, the primary sources of liability and expense to breached entities comes from notification costs, attorney and forensic investigation fees, network security remediation costs, and the fines and assessments from the credit card networks.  Of the $93.9 million in expenses related to the compromise recorded by Global Payments  through November 30, 2012 (as disclosed in its January 8, 2013 10-Q), $35.9 million was their estimate of total fraud losses, fines and other charges that will be imposed by the card networks.

Privacy Class Actions: Year-in-Review

Posted by Erica Gann Kitaev on January 04, 2013

During 2012, privacy class actions continued to trend toward two major categories: 1) actions that arose out of a data breach event and 2) actions brought to prosecute an alleged consumer privacy right. 

Article III Standing in Data Breach Class Actions

A key issue in data breach class actions is the question of what types of injuries are necessary to confer standing to sue.  In general, many of the federal district courts that have dismissed data breach class actions due to a failure to allege or prove injury have done on Article III standing grounds.  As a general proposition, it remains true that plaintiffs have not been able to establish standing where the conduct and harm alleged was simply use or disclosure of personal information, and where the complaint only alleged hypothetical or future injury. However, there are signs that courts may be more willing to consider what were once considered speculative injuries as sufficient to confer Article III standing.

In Resnick v. Avmed, Inc., the 11th Circuit reversed the dismissal of all but two claims in a class action that arose from a data breach.  In Resnick, two unencrypted Avmed laptops containing personal health information (“PHI”) and personally identifiable information (“PII”) for approximately 1.2 million Avmed customers were stolen, and the plaintiffs alleged that they were the victims of identity fraud approximately 10 to 14 months after the theft.  The Southern District of Florida dismissed plaintiffs’ claims, in part because the complaint failed to allege cognizable injury. 

The Eleventh Circuit reversed on all but two counts.  The court held that the plaintiffs properly alleged an injury in fact that was fairly traceable to the Avmed theft by alleging that they were careful with their own PII, that they were the victims of identity theft, and that their identities were stolen only after the Avmed incident. And, because Plaintiffs alleged they suffered monetary damages, the court held that their alleged injuries were cognizable and redressable.   Based on similar reasoning, the court also found that under the Twombly standard of federal pleading, the plaintiffs had properly alleged causation for purposes of their common law claims.  The court further found that the plaintiffs stated an unjust enrichment claim because they paid Avmed premiums, part of which allegedly went to Avemd’s data security expenses.

Likewise, in In re: Sony Gaming Networks and Customer Data Security Breach Litigation, the court found that the plaintiffs had alleged sufficient injury to establish Article III standing.  Citing to Krottner v. Starbucks, which held that future injury could be cognizable if it were “real and immediate” rather than “conjectural” or “hypothetical,” the court found that under the circumstances, by “alleg[ing] that their sensitive Personal Information was wrongfully disseminated, thereby increasing the risk of future harm,” the plaintiffs had stated “a cognizable loss sufficient to satisfy Article III’s injury-in-fact requirement.”  The court largely dismissed the plaintiffs’ claims for failure to state a claim, however, because those alleged injuries, while sufficient for standing purposes, were not sufficient for purposes of stating a claim under the law. 

One key difference between Avmed and Sony is the inability of the plaintiffs in the Sony case to allege any identity theft or out-of-pocket expenses resulting from the breach.  Thus, the probability of a dismissal for lack of injury or standing in a data breach class action appears to be higher where there is no evidence of identity theft or other use of any compromised information. 

Claims for Statutory Damages

Plaintiffs have had some success in avoiding the standing or lack of injury defense by bringing claims for statutory damages.  With respect to state claims, over the last several years, plaintiffs have frequently brought claims under state consumer protection statutes and state data breach statutes. 

The second key category of privacy cases are those brought under a federal or state consumer privacy statute.  Federal consumer privacy statutes include the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act (FCRA/FACTA) (15 U.S.C.A. § 1681 et seq.); the Telephone Consumer Protection Act (TCPA) (47 U.S.C.A. § 227); the Driver’s Privacy Protection Act (DPPA) (18 U.S.C.A. §§ 2721–25); the Electronic Communications Privacy Act (ECPA) (18 U.S.C.A. §§ 2510–22); and the Video Privacy Protection Act (VPPA) (18 U.S.C.A. § 2710).

Several high profile cases were litigated or settled this year under the VPPA, which provides for damages of $2,500.00 per violation for improper retention or disclosure of a consumer’s video viewing history, including cases against Netflix, Blockbuster, Redbox, and Hulu.  Perhaps the most significant development in the law as it relates to the VPPA this year was the ruling in In re Hulu Privacy Litigation that rejected Hulu’s argument that the VPPA does not apply to online video providers. 

Also trending this year were claims under the TCPA, which provides for statutory damages of $500 or $1,500 per violation (for willful violations), alleging liability premised on unsolicited text messages.  A significant decision this year in the TCPA area was handed down by the U.S. Supreme Court in Mims v. Arrow Financial Services, LLC, in which the Court held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction.  Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction.

As in the data breach cases, a common question that arises in statutory damages cases is whether the named plaintiff must prove some sort of injury to herself and/or members of the putative class in order to recover statutory damages.  In some situations, courts have held that no proof of injury is required at all for the recovery of statutory damages; however, in some cases, such as this year’s decision in Sterk v. Best Buy Stores, L.P., defendants have been successful in arguing for dismissal on the grounds that the plaintiff had alleged no plausible actual injury.  

The problem for all parties in these cases seeking statutory damages is that the damages, when aggregated over hundreds, thousands, or even millions of consumers, can become crippling to the defendant.  Accordingly, constitutionally excessive damages is a defense that defendants frequently raise in these cases, though no reported decision appears to have decided the viability of the defense. 

Class Certification and Settlement

To date, class certification battles have been rare in cases arising out of data breach, which is likely explained by the fact that so many defendants have been successful disposing of cases prior to certification. With respect to consumer privacy cases, particularly those that arise out of a defendant’s privacy policies, the statutory privacy claims are often litigated on the merits, with little argument around the issue of whether a class can be properly certified, though that certainly is not always the case.  For example, in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., the New Jersey appellate court decided this year, after reviewing cases on both sides of the issue, that TCPA claims were not suitable for class certification because class treatment is not a superior method for handling claims because the statutory damages regime incentivizes individual actions. Further, the court found, common issues did not predominate because of individualized issues over whether calls and faxes were authorized by the consumer.

Frequently, privacy class actions are certified for settlement purposes, and given the immense exposure under statutory damages provisions, settlement at even close to the maximum aggregate value of the claims is a practical impossibility, which creates challenges for both the parties and the courts.  Cases are commonly settled for coupons or services, injunctive relief or compliance monitoring (i.e., changes in privacy policies), cy pres awards, or monetary relief to class members in the cases where statutory damages are sought.  And while most privacy class action settlements have been approved, in some cases, the courts have been skeptical. 

For instance, the district court in Fraley v. Facebook declined to grant preliminary approval to a proposed settlement in November.  In Fraley, the plaintiffs charged that Facebook violated its own privacy policies as it related to the use of Facebook subscribers’ information in connection with the “sponsored stories” advertising service.  The proposed settlement called for a $20 million settlement fund, half of which was earmarked for class counsel, and the other half of which would be distributed as cy pres awards.  Judge Richard Seeborg specifically questioned the adequacy of compensation to the class in light of the $750 per violation that would be recoverable under the statute at issue.  Judge Seeborg ultimately granted preliminary approval, however, of a revised settlement that allowed for payments of up to $10 per class member.

 

 

Recent Trends in Class Actions for Telephone and Fax Solicitation and Advertising

Posted by Craig Hoffman on December 17, 2012

Authorship Credit: Justin T. Winquist

Editor’s Note: This post is a joint submission to BakerHostetler’s Class Action Lawsuit Defense blog.

Class actions under the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, continue to be an active trend in consumer and privacy class action litigation. The TCPA, which was historically called the "fax blast" statute, prohibits unsolicited faxes and automated calls for the purpose of commercial solicitation. The TCPA has a statutory penalty provision that allows consumers to recover $500 for each violation and up to $1,500 for violations found to be willful and knowing. The ability to collect far more in statutory penalties than the actual damages caused by a given violation (often pennies for ink and paper) makes TCPA violations an appealing target for enterprising plaintiffs' class action lawyers. The aggregation of thousands of claims together can create huge monetary exposure for defendants and the potential for easy settlements and the large contingent fees that come with them.

FEDERAL JURISDICTION OVER TCPA CLAIMS

Arguably the most significant development in TCPA litigation this year was the United States Supreme Court's decision in Mims v. Arrow Financial Services, LLC, which held that TCPA claims arise under federal law and may be asserted in federal court even absent diversity of citizenship jurisdiction. Prior to Mims, the federal circuits disagreed over whether the TCPA provided for federal question jurisdiction or whether jurisdiction was limited to state courts and federal suits brought or removed on diversity jurisdiction. The Court resolved the issue in favor of federal jurisdiction, finding that "federal and state courts have concurrent jurisdiction over private suits arising under the TCPA." Because of Mims, plaintiffs now have the option of bringing TCPA suits in state court or federal court, even in the absence of diversity jurisdiction.

Mims also has important implications for companies defending TCPA claims. Prior to Mims, defendants had some success arguing that state laws limiting class actions -- such as § 901(b) of New York's Civil Practice Law and Rules, which prohibits class actions for claims seeking statutory penalties -- were applicable in federal TCPA actions. Where successful, those arguments meant that federal diversity jurisdiction over the class action was trumped by state laws prohibiting certain types of class actions. In the wake of Mims, however, some federal courts have rejected these arguments, finding that federal substantive and procedural law apply to TCPA claims in federal court. In one recent opinion with extensive analysis on the issue, the United States District Court for the District of New Jersey concluded in Bais Yaakov of Spring Valley v. Peterson's Nelnet, LLC that federal courts are not required to follow state laws in adjudicating TCPA claims.

The Mims decision is also impacting the statute of limitations defense to TCPA claims. Because of the peculiar nature of the TCPA, courts have historically split over whether a state or federal statute of limitations applies. In Giovanniello v. ALM Media LLC, the Second Circuit answered this question and held that a shorter state-law limitations period applied rather than the four-year federal catchall provision. However, the Supreme Court granted certiorari, and recently vacated that decision and remanded for further consideration in light of Mims. In one decision following Mims, the United States District Court for the Eastern District of Pennsylvania, in Hawk Valley, Inc. v. Taylor, reached the conclusion that the federal limitations period applies.

CLASS ACTIONS UNDER THE TCPA

Another major issue being litigated is whether TCPA claims are suitable for class action treatment at all. Several decisions have highlighted a split among both the state and federal courts on class action suitability. Of particular note is the decision of the New Jersey Superior Court, Appellate Division in Local Baking Products, Inc. v. Kosher Bagel Munch, Inc., which provides an excellent survey of the various state and federal court decisions on both sides of the issue. The court in Local Baking Products ultimately decided that class certification of TCPA claims was not appropriate. It reasoned that class actions are not a superior procedure for enforcing the TCPA because Congress had made statutory penalties available so that individuals would be incentivized to pursue vindication of their rights in individual actions in small claims or other state courts. In addition to lack of superiority, a common reason offered by other courts for rejecting TCPA class certification is that the question of whether faxes or calls were authorized is too individualized for common questions to predominate.

A Supreme Court of Kansas decision upholding a lower court's decision granting class certification in a TCPA case illustrates the other side of the split on certification issues. In Critchfield Physical Therapy v. The Taranto Group, Inc., the court rejected both the argument that individual actions in small claims court would be superior to a class action and the argument that the question of consent was too individualized. In addition, the court rejected the argument that class actions would not be superior in light of the threat that aggregating thousands of individual statutory penalties together could create an "annihilating" judgment against the defendant that would be disproportionate to any harm to the class.

The increase in automated dialing technology and cellular telephone prevalence is also giving rise to new substantive and class certification issues in TCPA cases. With respect to cell phones, one new issue is whether consent to receive calls on a particular cell phone number applies to subsequent holders of that cell phone number. For example, if person A consents to receive calls from company X on a certain cell number, can company X continue to call that number with TCPA impunity even though the number is later assigned to different people? In May, the Seventh Circuit answered no, holding that simply providing a company with a cell number does not authorize perpetual calls to that number after it has been reassigned to someone else. Soppet v. Enhanced Recovery Co., LLC.Consent to receive calls on a cell phone has also been an issue in the class certification context. For example, the Ninth Circuit recently found that individualized issues of consent to receive calls did not preclude a finding of typicality and commonality for purposes of certifying a class. Meyer v. Portfolio Recovery Associates, LLC.

TCPA CLAIMS BASED ON TEXT MESSAGING

TCPA claims based on text messages sent to cell phones are also a major trend today. Although the TCPA does not expressly reference text messages, the Federal Communications Commission and courts have consistently interpreted the term "call" in the TCPA to include SMS and MMS text messages. E.g., Satterfield v. Simon & Schuster, Inc. Defendants have argued that claims based on text messages are not suitable for class action treatment because each plaintiff would have to show individually that she was charged for the text sent to her cell phone. Some courts have rejected this argument, finding that the TCPA does not require plaintiffs to show that they incurred charges for text messages sent to their phones. E.g., Agne v. Papa John's Intern., Inc.

THIRD PARTY LIABILITY AND PENDING FCC INTERPRETATION

Finally, a major issue applicable to virtually any company that uses telephone, text or fax marketing is whether and to what extent a company can be liable under the TCPA for calls made (or faxes or texts sent) by third parties. This issue typically arises where a company is sued for TCPA violations but the actual caller or faxer was a marketing company, franchisee or independent agent. In some cases, the relationship can be even more removed, for example, where a company's independent contractors hire marketing firms that then hire separate telemarketing firms, which actually make the calls.

In most decisions to date, courts have held that vicarious liability of this sort is possible under the TCPA, and that there is no bright-line limit on how far is too far removed to impose liability. Most courts have tackled the issue under a traditional agency analysis. A recent decision from the United States District Court for the Northern District of West Virginia, Mey v. Pinnacle Sec., LLC, is a good example of the prevailing analysis. The Mey court stated that the defendant could be liable for calls made by its lead-generating company if the lead company "acted as an agent" and the defendant "controlled or had the right to control them and, more specifically, the manner and means of the [solicitation] campaign they conducted."

Significantly, however, the Mey court also recognized that a more strict form of liability might be possible under the TCPA. Certain sections of the TCPA allow consumers to sue for calls made by or "on behalf of" an entity. The meaning of this "on behalf of" language is currently the subject of a Joint Petition for Declaratory Ruling before the Federal Communications Commission, on which the FCC has solicited public comments. One interpretation advocated in the public comments is an agency analysis similar to what the courts have done to date. Another, however, is a strict liability approach that would impose liability on any party that "benefits from" the offending communication, even absent knowledge or direction. If adopted, this strict liability approach could significantly increase exposure for companies because liability could be imposed even without the companies' knowledge that calls were made, or faxes or texts were sent, in the company's name. The FCC has not yet issued a ruling on the issue.

WHAT YOU CAN DO

The BakerHostetler Privacy and Data Protection and Class Action Defense Teams have extensive experience defending claims under the TCPA and other statutory damage statutes, as well as advising clients of their obligations under the TCPA and similar statutes. If you have questions, please contact Gerald J. Ferguson ( gferguson@bakerlaw.com or 212.589.4238); Paul G. Karlsgodt (pkarlsgodt@bakerlaw.com or 303.764.4013); Justin T. Winquist ( jwinquist@bakerlaw.com or 303.764.4059); or any member of our Privacy and Data Protection or Class Action Defense Teams , or your regular BakerHostetler contact.