MEMORANDUM OPINION AND ORDER
In their Second Amended Complaint, plaintiffs Mike Harris and Jeff Dunstan allege, as individuals and on behalf of a class of similarly situated individuals, that comScore, Inc. (“comScore”) improperly obtained and used personal information from their computers after they downloaded and installed eomScore’s software. (Dkt. No. 169.) They assert violations of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701(a)(1), (2) (Count I), the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(l)(a), (d) (Count II), and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C) (Count III). They also assert a claim for common law unjust enrichment (Count IV). Currently pending before the court is plaintiffs’ motion for class certification (Dkt. No. 152), which requests that the court certify the following class and subclass:
Class: All individuals who have had, at any time sincе 2005, downloaded and installed comScore’s tracking software onto their computers via one of comSeore’s thii’d pai’ty bundling partners.
Subclass: All Class members not presented with a functional hyperlink to an end user license agreement before installing comSeoi’e’s softwai’e onto their computers.
For the reasons explained below, that motion is gi’anted in part and denied in pai’t.
BACKGROUND
Defendant comScore, Inc. collects data about the activities of consumers on the internet, analyzes the data, and sells it to its clients. (Dkt. No. 140, at 2.) ComScox-e gath-ex’s its data thi’ough a progi’am called OS-SProxy, which, if installed on a computer, constantly collects data about the activity on the computer and sends it back to comS-core’s servers. (Dkt. No. 155, Ex. C, at 3-6.) The OSSPi’oxy software collects a vai’iety of infoi’mation about a consumer’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential infoi’mation, and the contents of PDF files. (Id.) ComSeoi’e has been using OSSPi’oxy in its cui’rent foi’m, aside from immaterial valuations, since 2005. (See Dkt. No. 155, Ex. A, at 194:8-195:16 (explaining that in 2005 comScoi’e stopped routing the information from the consumei’s’ computers through proxy servers).)
One primary way that comScore distributes OSSPi’oxy is through cooperation with “bundlers” who provide free digital products to consumers on the internet. (Dkt. No. 155, Ex. D, at 6.) During the process of downloading the bundlers’ frеe software, the consumer has the opportunity to download OSSProxy. (See id.) The process by which OSSProxy is presented to the consumer is “materially identical,” regardless of which bundler provides the digital product the consumer is downloading. (Id.) Specifically, during the installation of the free digital product, the consumer is presented with a short statement (“the Downloading Statement”) regarding OSSProxy under one of several brand names, including “RelevantKnowledge, Pre-mierOpinion, PermissionResearch, Opi-nionSquare, and MarketScore.” (Id. at 9-10; Dkt. No. 180 ¶ 34.) A representative Downloading Statement reads as follows:
*582 In order to provide this free download, RelevantKnowledge software, provided by TMRG, Inc., a comScore, Inc. company, is included in this download. This software allows millions of participants in an online market research community to voice their opinions by allowing their online browsing and purchasing behavior to be monitored, collected, aggregated, and once anonym-ized, used to generate market reports which our clients use to understand Internet trends and patterns and other market research purposes. The information which is monitored and collected includes internet usage information, basic demographic information, certain hardware, software, computer configuration and application usage information about the computer on which you install RelevantKnowledge. We may use the information that we monitor, such as name and address, to better understand your household demographics; for example, we may combine the information that you provide us with additional information from consumer data brokers and other data sources in accordance with our privacy policy. We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected. By clicking Accept you acknowledge that you are 18 years of age or older, an authorized user of the computer on which you are installing this application, and that you have read, аgreed to, and have obtained the consent of all computer and TV users to the terms and conditions of the Privacy Statement and User License Agreement.
(Id. at 10.) In general, underneath that message, the consumer is offered a link to the “Privacy Statement and User License Agreement” (the “ULA”)
The ULA, which is materially identicаl regardless of which bundler provides the digital product the consumer is downloading, contains terms governing which information OSSProxy will collect from the consumer’s computer and how that information will be used. (Dkt. No. 155, Ex. A, at 127:10-12; 134:6-18.) Significantly, the ULA indicates that it is an agreement between the consumer and a “sponsor”—usually another company connected in some way with comScore— but, in most cases, also states that comScore will use the information collected. (See Dkt. No. 155, Ex. I, at 1, 6.) The plaintiffs allege that comScore has exceeded the scope of the consumer’s consent to monitoring in the ULA by, among other things:
• designing its software to merely “fuzzify” or “obscure” confidential information collected, rather than “mak[ing] commеrcially viable efforts to automatically filter” that information (Dkt. No. 154, at 13-14);
• failing to “make commercially viable efforts to purge” confidential information that it does collect from its database (Dkt. No. 154, at 15-16);
• intercepting phone numbers, social security numbers, user names, passwords, bank account numbers, credit card numbers, and other demographic information (Dkt. No. 155, Ex. C, at 2-6);
• intercepting the previous 25 websites accessed by a consumer before installation of comScore’s software, the names of every file on the consumer’s computer, the contents of iPod playlists on the computer, the web browsing history of smart-phones synced with the computer, and portions of every PDF viewed by the user during web browsing sessions (Id.);
*583 • selling the data collected from the consumer’s computer (Dkt. No. 154, at 24.)
(See also Dkt. No. 169 ¶¶ 35-63.)
Named plaintiffs Jeff Dunstan and Mike Harris each downloaded and installed OS-SProxy onto their computers after downloading a free digital product offered by one of comSeore’s bundlers. (Dkt. No. 155, Ex. P, No. 1; Dkt. No. 155, Ex. Q, No. 1.) Harris downloaded OSSProxy on March 9, 2010, immediately noticed it, and tried to remove it. (Dkt. No. 176, Ex. P, at 83:14-16; 98:18-99:15; 103:24-104:10.) Harris asserts that he downloaded OSSProxy from the website macupdate.com. (Dkt. No. 176, Ex. P, at 71:15-18.) Harris’s profile on that website indicates that he never downloaded any programs (Dkt. No. 176, Ex. Q (listing the number of downloads as zero)), but he may have downloaded the program without logging into his account (See Dkt. No. 185 ¶¶ 5-8). Harris no longer has the computer he used to download the OSSProxy software. (Dkt. No. 176, Ex. P, at 43:19-44:4.)
Dunstan downloaded comScore’s OS-SProxy software in September of 2010. (Dkt. No. 176, Ex. S, No. 6.) Dunstan alleges that OSSProxy caused his computer to lock up and interfered with his internet access. (Id.) Dunstan used a program called “PC Tools Spyware Doctor” to remove OSSProxy within about one day of downloading it. (Id.; Dkt. No. 176, Ex. T, No. 6.) Dunstan’s computer may have been infected by viruses at the time that he downloaded OSSProxy, which may also have contributed to his computer problems. (See Dkt. No. 176, Ex. U.) Dunstan’s wife had access to his computer at the time of the download, and may have been the one who initiated the download. (Dkt. No. 176, Ex. V., at 26:7-18.)
LEGAL STANDARD
The plaintiffs bear’ the burden of demonstrating that class certification is appropriate. Oshana v. Coca-Cola Co.,
ANALYSIS
For the reasons explained below, the court determines that the plaintiffs proposed Class and Subclass cannot be certified with respect to the plaintiffs’ claims for state law unjust enrichment. See Fed.R.Civ.P. 23(c)(4) (allowing the court to certify a class action with respect to only particular issues). Specifically, the unjust enrichment claims do not satisfy the requirement of Rule 23(b)(3) that a class action be superior to other available methods for fairly and efficiently adjudicating the controversy.
I. Unjust Enrichment
As many courts in this district have recognized, unjust enrichment claims are generally unsuitable for class actions because they “pose insurmountable choice-of-law problems.” In re Aqua Dots Prods. Liab. Litig.,
The choice-of-law problem is present here, because the proposed Class and Subclass are not limited by geography and likely include plaintiffs from all 50 states, and even some foreign countries. The plaintiffs propose no solution to allow the court to manage the variety of laws that may be applicable to the Class, other than to suggest that the court certify two subclasses under California and Illinois law. (Dkt. No. 184, at 19.) That solution is plainly inadequate in light of the geographical diversity of the plaintiffs and the variation in applicable law. Accordingly, the court determines that the plaintiffs have not met their burden of establishing that a class action is the superior method for fairly and efficiently adjudicating this controversy. See Fed.R.Civ.P. 23(b)(3). The court therefore denies the class certification motion with respect to the unjust enrichment claims.
II. Certification of the Federal Statutory Claims
Each of the other three clаims alleged in Counts I, II, and III of plaintiffs’ Second Amended Complaint rely on federal statutes that provide protection against the unauthorized interception of information from the plaintiffs’ computers. As relevant here, the SCA provides a private action against any person who
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.
18 U.S.C. § 2701(a). The ECPA does the same with respect to any person who
(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; [or]
(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection
18 U.S.C. § 2511(l)(a). Finally, the Computer Fraud and Abuse Act creates a private right of action against “[w]hoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thеreby obtains ... information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Each of the three statutes provides an exception to liability if the person obtaining the information has the consent of the computer user. See 18 U.S.C. § 2701(c); 18 U.S.C. § 2511(2)(e); 18 U.S.C. § 1030(e)(6).
The court will now address in turn each of the requirements for class certification of those federal statutory claims.
A. Numerosity
Rule 23(a)(l)’s requirement that the class be “so numerous that joinder of all members is impracticable is plainly met here. The total number of computers reporting data to comScore each year with the OSSProxy program has run into the hundreds of thousands each year since 2008. (Dkt. No. 155, Ex. B, No. 7.) In addition, evidence shows that OS-SProxy was installed on millions of computers between 2008 and 2011. (Id.) ComScore does not dispute that the number of potential class members easily satisfies the numerosity requirement.
B. Commonality
Next, the plaintiffs must satisfy Rule 23(a)(2)’s requirement that “there are questions of law or fact common to the class.” The plaintiffs need not establish multiple common questions at this stage, because “for purposes of Rule 23(a)(2) even a single common question will do.” Wal-Mart Stores, Inc. v. Dukes, — U.S. —,
Here, the plaintiffs raise a variety of common questions that can be resolved on a classwide basis. Most obviously, each Class member agreed to a form contract (made up of the ULA and the Downloading Statement), as has each Subclass member (the Downloading Statement only). It is well established that “claims arising from interpretations of a form contract appear to present the classic case for treatment as a class action.” Keele v. Wexler,
ComSeore contends that the scope of consent will vary for each plaintiff depending on his subjective understanding of the agreement and the surrounding circumstances. (Dkt. No. 177, at 15.) In support, сomSeore notes that at least under the ECPA, consent need not be explicit, but can also be implied from the surrounding circumstances. See Shefts v. Petrakis,
Another common issue is whether OS-SProxy’s data collection violates the terms of the ULA and the Downloading Statement. The OSSProxy software operates in a substantively identical fashion on all computers, regardless of the brand name under which it is distributed or the operating system of the computer. (Dkt. No. 155, Ex. A, at 91:8-92:9; Dkt. No. 155, Ex. C, at 2.) Thus, the software attempts to collect the same information from all computers, and the question of whether that collection exceeds the scope of consent is common to all plaintiffs.
ComSeore points out that OSSProxy will not collect certain categories of data from plaintiffs who never input data in those categories into their computers. (Dkt. No. 177, at 16.) For example, OSSProxy will not collect credit card numbers from plaintiffs who never input credit card numbers into their computers, nor will it collect the contents of iTunes playlists from plaintiffs who do not use the iTunes software.
ComSeore is correct that the question of whether OSSProxy’s data collection exceeds the scope of consent in certain respects may depend on the behavior of each individual plaintiff. But other potential violations of the scope of consent are common to all plaintiffs regardless of individual behavior, such as the allegation that OSSProxy collects the
C. Typicality
Next, the plaintiffs must demonstrate that “the claims or defenses of the representative parties are typical of the claims or defenses of the class.” The typicality requirement is closely related to commonality, and a “plaintiffs claim is typical if it arises from the same event or practice or course of conduct that gives rise to the claims of other class members and his or her claims are based on the same legal theory.” Keele,
In response, comSeore provides a list of “unique problems” it believes arise in Harris’s and Dunstan’s eases, making them atypical. (Dkt. No. 177, at 28-29.) Most of those problems relate to the issue of whether Harris and Dunstan actually downloaded the OS-SProxy software. Specifically, despite Harris’s and Dunstan’s testimony that they downloaded OSSProxy, comSeore notes that neither Dunstan nor Harris specifically remembers downloading the free digital product accompanying OSSProxy. (Dkt. No. 176, Ex. P, at 85:24-86:25; 91:2-9; 95:16-96:6; Dkt. No. 176, Ex. V, at 26:7-9; 30:6-24; 33:9-22.) In addition, Harris no longer owns the computer he used to download OS-SProxy, and his account onmacupdate.com does not reflect the download,
All of these arguments are based on speculation. ComSeore provides no actual evidence showing that Harris and Dunstan did not download OSSProxy. Harris’s and Dun-stan’s testimony that they downloaded OS-SProxy is thus unrefuted, and provides ample evidence that their claims are typical.
Next, comSeore points out that Harris had OSSProxy installed on his computer for only a short period. (Dkt. No. 176, Ex. P, at 103:24-104:10.) That fact is irrelevant to Harris’s ability to represent the class, however, for the ECPA, the SCA, and the CFAA do not require a violation to last for any particular length of time, and comSeore does not explain how the length of a violation might be relevant.
Finally, comSeore points to Dunstan’s and Harris’s testimony that they each had problems with their computers apart from the OSSProxy software (from virases or age), and that OSSProxy thus did not cause any decline in the performance of Dunstan’s and Harris’s computers. (Dkt. No. 176, Ex. P, at 109:12-25; Dkt. No. 176, Ex. V, at 40:16-22; 62:8-11.) That testimony is relevant, if at all, only to the question of dаmages, and does not significantly alter the typicality of Dun-stan’s and Harris’s claims. Radmanovich v.
D. Adequate Representation
The fourth requirement under Rule 23(a) is that the named plaintiffs will “fairly and adequately protect the interests of the class.” To meet that requirement, the plaintiffs must show that “(1) the representative does not have conflicting or antagonistic interests compared with the class as a whole; (2) the representative is sufficiently interested in the case outcome to ensure vigorous advocacy; and (3) class counsel is experienced, competent, qualified and able to conduct the litigation vigorously.” Matthews v. United Retail, Inc.,
ComScore does not dispute that the adequacy requirement is met. In addition, the court is not aware that Harris and Dunstan have any conflicting interests, Harris and Dunstan have vigorously participated in this case thus far, and class counsel are qualified to represent the class. The court determines that the adequacy requirement is met.
E. Aseertainability
In addition to the four explicit requirements listed in Rule 23(a), “[t]he plaintiff must also show that the class is indeed identifiable as a class.” Oshana,
The aseertainability requirement serves several important objectives. First, it eliminates serious administrative burdens that are incongruous with the efficiencies expected in a class action by insisting on the easy identification of class members. Second, it protects absent class members by facilitating the best notice practicable under Rule 23(c)(2) in a Rule 23(b)(3) action. Third, it protects defendants by ensuring that those persons who will be bound by the final judgment are clearly identifiable.
Marcus v. BMW of N. Am., LLC,
Here, the parties agree that eomScore possesses contact information, in the form of e-mail addresses, for some portion of the proposed Class and Subclass. (Dkt. No. 177, at 27; Dkt. No. 152, at 19 n. 27.) That portion of the proposed Class and Subclass, at least, is readily ascertainable. For the rest of the Class and Subclass, comSeore asserts that the only way to determine class membership is to require each alleged class member to submit an individual affidavit, which comSeore will be entitled to challenge. ComScore asserts that this process would be unwieldy.
ComScore is correct that it is sometimes improper to allow class membership to be established only by the assertion of alleged class members without the corroboration of any of the dеfendant’s records. Marcus,
Here, the bulk of the class membership will likely be determined by comScore’s records, making evaluation of any additional plaintiffs claiming membership by affidavit manageable. If further litigation reveals that the portion of the class asserting membership by affidavit is excessively large, the court can consider at that time whether to limit the class definition to only those whose downloading of OSSProxy is reflected in comScore’s records. See Shvartsman v. Apfel,
F. Rule 23(b)(3): Predominance and Superiority
Finally, the plaintiffs here must establish that “the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3). Rule 23(b)(3) “tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation,” and is “far more demanding” than Rule 23(a)’s commonality requirement. Amchem Prods., Inc. v. Windsor,
Most of the issues that comSeore alleges require individual adjudication and make administration of a class action infeasible have already been addressed. The issue of whether each individual plaintiff downloaded OSSProxy will be determined primаrily by comScore’s records, and if substantial individual adjudication is necessary the court will consider appropriate class limitations. The issue thus presents no obstacle to class adjudication. In addition, the issues of whether plaintiffs consented to OSSProx/s data collection, the scope of that consent, and whether comSeore exceeded that consent can all be determined on a class basis, as described above.
ComSeore also asserts that the statutes of limitations present individual issues that preclude class certification. The CFAA, SCA, and ECPA all have two-year statutes of limitations that do not begin to run until a plaintiff discovers the potential violation. See 18 U.S.C. § 1030(g) (CFAA); 18 U.S.C. § 2707(f) (SCA); 18 U.S.C. § 2520(e) (ECPA). ComSeore argues that аdjudication of most plaintiffs’ claims will thus require a case-by-case determination of when they discovered comScore’s violation.
In practice, however, the statute of limitations issue is unlikely to present significant difficulties. First, the issue only arises for plaintiffs who downloaded OSSProxy before August 23, 2009 (two years before this suit was filed). Second, comScore’s data collection is ongoing, so even among those plaintiffs, all those who still have OSSProxy installed on their computer (or who had it installed at any time after August 23, 2009) are within the limitations period. Third, it is unlikely that any of the remaining plaintiffs were sufficiently aware of OSSProxy’s operations to trigger the limitations period. Violations of the ECPA, SCA, and CFAA require only collecting information without the plaintiffs’ consent. No plaintiff would be aware of the information OSSProxy was collecting unless he analyzed the computer code of the program itself. Few potential class members likely fall into this category. The statute of limitations issue thus does not provide reason to deny class certification. Cf. In re Monumental Life Ins. Co.,
In addition, eomScore asserts that the issue of whether each individual plaintiff suffered damage or loss from comScore’s actions precludes certification. That argument has no applicability to the ECPA or SCA claims, both of which provide for statutory damages. 18 U.S.C. § 2520(c); 18 U.S.C. § 2707(e). The CFAA is different, however, in that it grants a civil action only to “[a]ny person who suffers damage or loss.”
The Seventh Circuit has recently reiterated that individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually:
A class action is the more efficient procedure for determining liability and damages in a case such as this, involving a defect that may have imposed costs on tens of thousands of consumers yet not a cost to any one of them large enough to justify the expense of an individual suit. If necessary a determination of liability- could be followed by individual hearings to determine the damages sustained by each class member---- But probábly the parties would agree on a schedule of damages____The class action procedure would be efficient nоt only in cost, but also in efficacy, if we are right that the stakes in an individual case would be too small to justify the expense of suing, in which event denial of class certification would preclude any relief.
Butler v. Sears, Roebuck & Co.,
For the reasons explained above, the plaintiffs’ motion for class certification (Dkt. No. 152) is granted in part and denied in part. The court hereby certifies the following Class and Subclass for purposes of resolving plaintiffs’ SCA, ECPA, and CFAA claims:
Class: All individuals who have had, at any time since 2005, downloaded and installed eomSeore’s tracking software onto their computers via one of eomScore’s third party bundling partners.
Subclass: All Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.
The court denies class certification for purposes of resolving thе plaintiffs’ common law unjust enrichment claims. A status hearing is set for 4/18/13 at 9:00 am to set further dates.
Notes
. The parties do not dispute the key facts relevant to the class certification motion, nor do they request an evidentiary hearing. The court therefore determines that an evidentiary hearing is unnecessary. See Fed.R.Civ.P. 43(c).
. One of comScore's partners offering the free digital products failed to offer a link to the ULA for a short period of time. Consumers who downloaded that product are part of the proposed Subclass, which includes all downloaders of comScore’s tracking software who were not presented with a functional hyperlink to the ULA.
. The plaintiffs do not contend that the class should be certified under one of the other provisions of Rule 23(b), so the court need not address them.
. If litigation on the merits reveals that OS-SProxy has not exceeded the scope of the plaintiffs' consent in a way common to the entire class, and if the court finds it necessary to evaluate whether individual plaintiffs engaged in behavior subjecting them to OSSProxy's unauthorized collection of their information, the court may reevaluate its class certification decision. See Fed.R.Civ.P. 23(c)(1)(C) ("An order that grants or denies class certification may be altered or amended before final judgment.”).
. As mentioned above, Harris need not have been logged in to download the software (see Dkt. No. 185 ¶¶ 5-8), so the absence of a record of the download associated with his account does not show that he did not download the software.
. ComSeore also asserts that the SCA applies only to "a facility through which an electronic communication service is provided,” 18 U.S.C. § 2701(a)(1), and that personal computers are not such "facilities.” (Dkt. No. 177, at 26.) The plaintiffs concede that every member of the proposed Class and Subclass downloaded OSSProxy to his personal computer. (Dkt. No. 184, at 15.) The issue of whether personal computers are "facilities” under the SCA, which the court need not resolve at this time, is thus common to the entire class.
. Under the CFAA, damage means “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8), while loss refers to "аny reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)( 11).
. 18 U.S.C. § 1030(g) provides that "[a] civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” Subclause (I) is the only subclause conceivably applicable. The court need not decide at this stage whether 18 U.S.C. § 1030(c)(4)(A)(i)(I) allows class plaintiffs to aggregate their damages to meet the $5000 requirement.
. Thе Supreme Court recently reversed a grant of class certification where "[questions of individual damage calculations will inevitably overwhelm questions common to the class.” Comcast Corp. v. Behrend, - U.S. -,