A Georgia district court denied certification of a multi-state common law invasion of privacy class in which plaintiff sought damages and an injunction against the lessor of computers allegedly containing unauthorized spyware. The court held that the class members could not be ascertained in an objective and administratively feasible manner. The court also held that common issues did not predominate over individual issues with regard to numerous variations in applicable state law as well as with the class members’ relative expectations of privacy in computer use and the affirmative defense of consent.
Plaintiff was an attorney who leased laptop computers for his law firm from Aspen Way, a franchisee of Aaron’s, Inc. He sued Aspen and Aaron’s for common law invasion of privacy, alleging that defendants installed spyware called “PC Rental Agent” (PCRA) on the computers without his consent and then remotely accessed the computers to unlawfully capture private information.
Aaron’s acknowledged that it pre-installed PCRA on all 4,195 class computers but insisted that PCRA only provided Aspen with non-private geolocation information and the ability to activate a kill switch. Aaron’s acknowledged, however, that it offered Aspen an optional spyware feature known as “Detective Mode” that would allow Aspen to remotely capture keystrokes, screenshots and webcam images from the computers. Aaron’s did not pre-install Detective Mode on all the class computers. Aspen specifically requested that Aaron’s install Detective Mode on only 167 of them. Aspen also asserted that it had routinely obtained customer consent as to the presence of PCRA on their computers and that some activations of Detective Mode had been at customer request after a computer was stolen.
The attorney sought to certify a multi-state class defined as: “(1) those persons who leased and/or purchased one or more computers from Aspen Way on which [PCRA] was installed without the lessor’s consent and (2) their household members and employees.” Defendants objected to certification on the ground that this class was overbroad because the members included numerous household members who never had access to the law firm computers, were not injured, and had no cause of action. Likewise, the class definition had no end date, so the class included household members and employees that did not overlap with the period of time the lessee or purchaser used the computer.
In response to defendants’ arguments, plaintiff proposed an alternative class definition: “All users, and/or the lessor/owner, of computers leased and/or purchased from Aspen Way from June 6, 2008 to December 23, 2011, on which [PCRA] was installed without their consent, including users who were household members or employees of the lessor/purchaser.” Defendants objected to the alternative definition on the ground that the class members were not ascertainable. In particular, by basing class membership on computer use, they argued plaintiff’s alternative includes numerous users who would be extremely difficult to identify, such as a friend of a lessee or a babysitter who may have used the computer only for a short time.
The court agreed and observed that plaintiff did not provide any conceivable method – let alone an administratively feasible one – for identifying the class members. The court added that defendants had the right to raise contradictory arguments to plaintiff’s two class definitions because plaintiff bears the burden of proving his class is ascertainable. “Defendants may point out the flaws in the alternative class definition, regardless of their arguments as to the first definition.”
Defendants also objected to certification of either of plaintiff’s class definitions because common questions did not predominate as required by Rule 23(b)(3). They argued that state law variations in the elements of common law invasion of privacy, the applicable statute of limitations, and recoverable damages would swamp any common issues and defeat predominance. In addition, defendants argued that to determine whether an invasion of privacy occurred, the jury would have to look at the particular circumstances under which each class member used the computer to evaluate his or her own expectations of privacy during such use. Finally, defendants argued that their affirmative defense of consent would require an individualized, fact-specific inquiry based on Aspen’s evidence that some customers knew the spyware was installed.
After performing an extensive choice of law analysis, the court agreed with defendants on the state law variations. The court also reasoned that the differences between PCRA and Detective Mode would require a case-by-case inquiry into each class member’s claim to determine what, if any, offensive invasions occurred with due consideration for each member’s particularized privacy expectations based on his or her individual computer use patterns. Likewise, while recognizing that individualized damages calculations and individual affirmative defenses generally do not defeat predominance, the court relied on the exception, applicable here, that where such calculations and defenses are accompanied by significant individualized inquiries on liability, common issues do not predominate.
Finally, the court explained that these numerous individualized issues in plaintiff’s proposed class would create a manageability problem for the court such that a class action is not superior to other available methods of adjudicating the controversy.