Summary
finding "definitional flaws 'can and often should be resolved by refining the class definition rather than flatly denying class certification on that basis'"
Summary of this case from Petersen v. Costco Wholesale Co.Opinion
No. C 11-03764 LB
06-16-2014
IN RE: HULU PRIVACY LITIGATION
ORDER DENYING WITHOUT
PREJUDICE PLAINTIFFS' MOTION
FOR CLASS CERTIFICATION
[ECF No. 111 ]
INTRODUCTION
In this putative class action, viewers of Hulu's on-line video content allege that Hulu wrongfully disclosed their video viewing selections and personal identification information to third parties such as metrics companies (meaning, companies that track data) and social networks, in violation of the Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710. Second Amended Consolidated Class Action Complaint ("SAC"), ECF No. 83 at 7-8. In their class certification motion, Plaintiffs limit the third parties to comScore, a metrics company that analyzes Hulu's viewing audience and provides reports that Hulu uses to get media content and sell advertising, and the social network Facebook. See Motion For Class Certification, ECF No. 112.
Citations are to the Electronic Case File ("ECF") with pin cites to the electronic page number at the top of the document.
The VPPA prohibits a "video tape service provider" from knowingly disclosing "personally identifiable information of a consumer of the provider" to third parties except under identified exceptions that do not apply here. See 18 U.S.C. § 2710. "The term 'personally identifiable information' ["PII"] includes information that identifies a person as having requested or obtained specific video materials or services from a video tape service provider." Id. § 2710(a)(3). "Aggrieved" persons may sue for knowing disclosures of PII in violation of the statute. Id. § 2710(b)-(c). A court may award "actual damages but not less than liquidated damages in an amount of $2,500." Id. § 2710(c)(2).
In its early summary judgment motion, Hulu argued that it did not violate the VPPA because (I) it disclosed only anonymous user IDs and never linked the user IDs to identifying data such as a person's name or address; (II) it did not disclose the information "knowingly" and thus is not liable; and (III) Hulu users who are Facebook users consented to the disclosures because Facebook's terms of use permitted disclosure. Motion for Summary Judgment, ECF No. 125-4 at 1-2. On April 29, 2014, the court granted Hulu summary judgment as to the disclosures to comScore and denied the summary judgment as to the Facebook disclosures, holding that there were material issues of fact about whether there was a disclosure of PII to Facebook and whether Hulu knew what it was disclosing. See ECF No. 194 at 2, 20-26.
Given its grant of summary judgment to Hulu on the comScore disclosure, the court denies as moot Plaintiffs' motion for certification of a comScore class. Following a hearing on May 8, 2014, and supplemental briefing, see ECF Nos. 202 and 203, the court denies Plaintiffs' motion for class certification for the Facebook class primarily on the ground that the class is not ascertainable.
STATEMENT
I. THE PARTIES, THE PROPOSED CLASSES, AND THE RELIEF REQUESTED
Hulu provides on-demand, online access to television shows, movies, and other pre-recorded video content from networks and studios through its website, www.hulu.com. SAC ¶¶ 1, 17. It offers a free service that allows users to watch video content on their computers. See Yang Decl., ECF No. 125-6, ¶ 5. It also offers a paid service called "Hulu Plus" that has more content and allows viewers to watch Hulu content on other devices such as tablets and smart phones. Id. ¶¶ 2, 6.
Plaintiffs Joseph Garvey, Sandra Peralta, Paul Torre, Joshua Wymyczak, and Evan Zampella each are registered Hulu users. See SAC ¶¶ 1-6. Sandra Peralta, Evan Zampella, and Paul Torre became paying Hulu Plus subscribers in July 2010, June 2011, and July 2012, respectively. See id. ¶¶ 3-4, 6, 34. The SAC alleges that Hulu wrongfully disclosed Plaintiffs' video viewing selections and "personally identifiable information" to third parties comScore and Facebook, all in violation of the VPPA. See id. ¶¶ 51-63; Motion for Class Certification, ECF No. 112.
In their motion for class certification, Plaintiffs propose the following class definition for the Facebook Disclosure class:
All persons residing in the United States and its territories who, from April 21, 2010 through June 7, 2012, were registered users of hulu.com (including, but not limited to, paying subscribers, also known as Hulu Plus subscribers) while being members of Facebook and requested and/or obtained video materials and/or services on hulu.com during the Class Period. Excluded from the class are (i) any person who participated in Facebook connect with Hulu; (ii) judges to who this case was assigned and judicial staffs; and (iii) all current or former Hulu employees.Motion for Class Certification, ECF No. 112 at 15.
At the May 8, 2014 hearing, Plaintiffs limited their disclosure theory to disclosures of identifying information involving the c_user cookie. As discussed below, that cookie contains the logged-in Hulu user's Facebook ID, and the disclosure theory in effect limits the class to registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings. See infra; Joint Statement of Undisputed Facts ("JSUF") #22, ECF No. 178; Calandrino Decl., ECF No. 160-5, ¶¶ 66-67.
Plaintiffs limit their claim to relief to statutory damages of $2,500 per plaintiff for one incident only. See RT 5/8/14, ECF No. 210 at 12:14-16. II. HOW HULU WORKS
The parties cite facts submitted in support of the summary judgment briefs and summarized in the summary judgment order at ECF No. 194. The order sets forth those facts in the next three sections and then adds in additional evidence submitted with the class certification briefs.
Hulu pays license fees to studios, networks, and other rights holders to obtain the video content that it offers to its users. See Yang Decl, ¶ 10. Hulu allows users to register for a free Hulu account. See id. ¶ 5. A Hulu user does not need to register for a Hulu account to watch videos on hulu.com using a personal computer. See id. ¶ 4. To register for a Hulu account, the user enters a first and last name, birth date, gender, and an email address. JSUF #1. Users are not required to provide their legal first and last name during registration. JSUF #2. In fact, Plaintiff Joseph Garvey registered for his Hulu account in a name other than his legal name. See JSUF #3. Hulu does not verify the accuracy of the identifying information but stores it in a secure location. Yang Decl. ¶ 6. To register for Hulu Plus, the user must provide the same information as a registered Hulu user, payment information, and a billing address. Id. ¶ 7. Hulu assigned each new registered Hulu user a "User ID," which is a unique numerical identifier of at least seven digits (e.g., 50253776). JSUF #6; see Tom Dep., Carpenter Decl. Ex. 7, ECF No. 157-11 at 37:9-38:12.
The videos on hulu.com are displayed on a video player that appears on a webpage. Hulu calls these webpages "watch pages." See Yang Decl. ¶ 3; JSUF #24. Hulu wrote and deployed the code for its watch pages. Tom Dep., Carpenter Decl. Ex. 7, ECF No. 157-11, at 108:23-109:8, 175:9-16; Wu Dep., Carpenter Decl. Ex. 2, ECF No. 157-6, at 80-84. The code downloaded to registered Hulu users' browsers when they visited a watch page so that the browser could display the requested web page or video content. Tom Dep., Carpenter Decl. Ex. 7, ECF No. 157-11 at 112:19-113:5. As described in more detail below, the code also allowed information to be transmitted to comScore and Facebook. Until June 7, 2012, the URL (uniform resource locator, meaning, the web address) of Hulu's watch pages included the name of the video on that page (e.g., http://www.hulu.com/watch/426520/saturday-night-live-the-californians-thanksgiving). JSUF #24 (the number in the URL, here 426520, is the video ID).
On or about March 12, 2009, Hulu began providing each registered user with a profile web page. JSUF #9. The first and last name the user provided during registration appeared on the page and in the page title. JSUF #10. Hulu did not allow registered users to decline to share their first and last names on their public profile pages. Until August 1, 2011, a user's profile page URL included the user's unencrypted Hulu User ID. JSUF #12. An example is http://www.hulu.com/profiles/u/[User ID], where "[User ID]" is the Hulu User ID. Id. After August 1, 2011, the Hulu User ID was encrypted. JSUF #13. An example is http://www.hulu.com/profiles/u/wxu2RqZLhrBtVjYKEC_R4. Id. Hulu did not provide a separate search function (for example, through a search box) to allow a user to use a Hulu User ID to find the profile page of another user. JSUF #11. On May 30, 2013, Hulu discontinued the user profile pages. JSUF #14.
Hulu makes money from advertising revenue and from monthly premiums paid by Hulu Plus members. Yang Decl., ¶ 11. Its main source of income is advertising revenue. Id. Advertisers pay Hulu to run commercials at periodic breaks during video playback. Id. ¶ 12. Advertisers pay based on how many times an ad is viewed. Id. ¶ 13. Hulu thus gathers information (or metrics) about its "audience size." Id. Advertisers require verified metrics, which means that Hulu needs to hire trusted metrics companies. Id. comScore is one of those companies. Id. ¶ 14.
comScore collects metrics on digital media consumption using its Unified Digital Measurement methodology. Carpenter Decl. Ex. 22, ECF No. 155-27 (comScore press release cross-referencing its 2012 SEC Form 10-K and its Q1 2013 SEC Form 10-Q), Ex. 32, ECF No. 155-32 (Addendum to Hulu-comScore contract). As of 2013, comScore captured 1.5 trillion digital interactions each month and had more than 2000 clients. Id. Ex. 22; see Harris v. comScore, Inc., 292 F.R.D. 579, 581 (N.D. Ill. 2013) (describing comScore's business).
III. HOW HULU INTERACTS WITH COMSCORE
The comScore disclosures are no longer part of this lawsuit, but the summary judgment order's fact section on the disclosures provide relevant context for the Facebook disclosures, particularly with regard to how Hulu transmits information to third parties such as Facebook.
According to Hulu, comScore gives it "reports containing metrics regarding the size of the audience for programming on hulu.com," and Hulu uses the reports to obtain programming and sell advertising. Yang Decl., ECF No. 125-6, ¶ 14. The reports never identify a user by name and instead present the data in an "aggregated and generalized basis, without reference even to User IDs." Id. Hulu uses the comScore metrics to show "other content owners . . . that the Hulu audience is a desirable outlet for their programming, and to convince advertisers of the value of reaching Hulu's audience." Id. Mr. Yang said in his deposition that he did not know why Hulu sent individual comScore user IDs (see below) if comScore provided only aggregate information, and he did not know whether comScore provided other reports with individual-level data. See Yang Dep., ECF No. 125-3 at 102-04, 108-11.
comScore uses "beacon" technology to track audience metrics. Id. ¶ 15. A "beacon" is triggered by defined events during the playing of a video such as when the video starts, when the advertisement starts, when it ends, and when the video re-starts. Id. The beacon, when triggered by an event, directs the user's browser to send a piece of HTTP programming code to comScore that contains certain defined "parameters" (meaning, pieces of data or information). Id. ¶ 16.
From March 27, 2010 through November 8, 2012, when a user watched a video on hulu.com, Hulu, which wrote the code to transmit the data, transmitted information to comScore by using a comScore "beacon" on the Hulu watch page. JSUF #4-5. The beacon included four pieces of information: (1) the Hulu user's unique numerical Hulu User ID; (2) the "GUID," a long alphanumeric string that Hulu used to differentiate between web browsers and that Hulu assigned at random to a browser when it accessed hulu.com; (3) the Hulu "Ad ID," a unique six-digit number that identifies only the advertisement; and (4) the name of the program and any season or episode number. JSUF #5-8. Hulu suspended sending the Hulu User ID on November 8, 2012. JSUF #4.
An example of a "GUID" is 767DE299767B4E577B787B40B5123C30. JSUF #7.
comScore's possession of the Hulu User ID allowed it to connect all information that was tied to that Hulu User ID. See Calandrino Decl., ECF No. 160-5, ¶¶ 30, 33-34, 47. Because the Hulu User ID was in the URL of users' profile page, comScore had the "key" to locating users' associated profiles, which revealed the names the users provided when they signed up for Hulu. Id. ¶¶ 35-37. The user profile pages were all in a standard format: http://www.hulu.com/profiles/u/[User ID]. As discussed above, the watch page contained the video title. The argument is that comScore could easily access the profile page and see the user's first and last names (or at least the names that the users gave when registering) and connect that to the user's viewing information. For Hulu Plus members, presumably the name would correspond to their billing and payment information (and thus likely reflected the users' true names).
The code Hulu wrote and included in each watch page caused a unique numeric or alphanumeric "comScore UID" for each registered user to be communicated from the registered user's browser to comScore. See Wills Decl., ECF No. 160-6, ¶¶ 36-37; JSUF #15, 17. The comScore UID is stored in a comScore cookie and identifies the specific copy of the web browser. JSUF #15-17. The comScore cookie enabled comScore to link the identified user and video choice information to other information it gained about the same user when the user visited websites where comScore collects data. Calandrino Decl., ECF No. 160-5, ¶¶ 48-56; Wills Decl. ECF No. 160-6, ¶ 36.
For context, a cookie is a file on a user's computer. Wu Decl., ECF No. 125-7, ¶ 13. Cookies contain information that identifies the domain name of the webserver that wrote the cookie (e.g., hulu.com, comScore.com, or facebook.com). Id. ¶ 18. Cookies have information about the user's interaction with a website. Id. Examples include how the website should be displayed, how many times a user has visited the website, what pages he visited, and authentication information. Id. ¶ 13.
Each web browser on a computer (e.g., Internet Explorer or Chrome) stores the cookies that are created during a user's use of the browser in a folder on the user's computer that is unique to that browser. Id. ¶ 14. When a user types a website address into the browser, the browser sends (a) a request to load the page to the webserver for that website address and (b) any cookies that are associated with the website (such as the cookies on the user's computer for "hulu.com" or "comScore.com"). Id. ¶ 15. The remote website server returns the requested page and can update the cookies or write new ones. Id. The only servers that can access a particular cookie are those associated with the domain that wrote the cookie. Id. ¶¶ 18, 21. That means that Hulu can read only hulu.com cookies, and it cannot read comScore.com cookies or facebook.com cookies.
That being said, according to Plaintiffs, Hulu hosts its vendors' JavaScript code on Hulu's domain so that when Hulu's web pages execute the vendor code, a vendor such as comScore obtains information through cookies that are set by hulu.com. See Carpenter Decl. Ex. 10, ECF No. 158-2 at HULU_GAR231508 (vendors need to set cookies on hulu.com for tracking; example given was google analytics); id. Ex 11, ECF No. 158-3 at HULU_GAR093686 (email from Hulu to Google; hulu user goes to hulu.com to watch a video; user's browser calls invite_media (presumably where content is); cookies from there will be passed on to Google; Google can set cookies on the user). More specifically as to comScore, Hulu's documents have examples of code that sets comScore identifiers, including its UID and UIDR cookies. See id. Exs. 11-15, ECF Nos. 158-3 to 158-7.
IV. HOW HULU INTERACTS WITH FACEBOOK
Facebook collects information and processes content "shared by its users," and it provides that information to marketers when it sells them its products (identified as "Facebook Ads," "Facebook Ad System," and "Ad Analytics and Facebook Insights"). See Carpenter Decl. Ex. 8, ECF No. 157-12 (Facebook 2012 SEC Form 10-K). Facebook shares its members' information with marketers so that marketers can target their ad campaigns. See id. Marketers can "specify the types of users they want to reach based on information that users choose to share." Id. Advertisement revenue is how Facebook makes money. See id.
Certain information was transmitted from hulu.com to Facebook via the Facebook "Like" button through June 7, 2012 (when Hulu stopped including the video title in the watch page URL). JSUF #18. During this time period, Hulu included a Facebook Like button on each hulu.com watch page. JSUF #18-19. Hulu wrote code for its watch pages that included code for where the "Like" button should be located on the page and where (from facebook.com) to obtain the code that loads and operates the button. JSUF #20. When the user's browser executed this code, the browser sent the request to Facebook to load the Like button. JSUF #21. The request included a "referer URL" value (the URL of the page from which the request issued) in the request headers and the query string. JSUF #21. That is how Facebook knows where to send code for the Like button so that it can be downloaded and used. Wu Decl., ECF No. 125-7, ¶¶ 16, 20. Until June 7, 2012, the URL for each watch page included the title of the video displayed on that watch page. See JSUF #18. The IP address of the Hulu registered user's computer also was sent to Facebook (although there are scenarios when the IP address might not be that of the users but instead of a proxy or intermediary). See Tom Depo., Carpenter Decl. Ex. 7, ECF No. 157-11 at 190:23-192:12.
Facebook also received the following cookies associated with the facebook.com domain: (1) a "datr" cookie, which identifies the browser; (2) a "lu" cookie, which "can contain the Facebook user ID [e.g., 286xxxx1] of the previous Facebook user to log in to Facebook via the browser and has a lifetime of 'two years;'" and (3) if the user had logged into Facebook using default settings within the previous four weeks, a "c_user" cookie, which contains the logged-in user's Facebook user ID. JSUF #22; Calandrino Decl., ECF No. 160-5, ¶ 71. Hulu did not send Facebook the Hulu User ID or the Hulu user's name when the user's browser executed the code to load the Like button. JSUF #23. This screen shot shows the default setting for logging into Facebook.
Image materials not available for display.
When the "remember me" box is checked, Facebook sets the c_user cookie. See 5/8/2014 Hearing Transcript, ECF No. 210 at 8-29. The importance of this is that Plaintiffs' disclosure theory is based on transmission of the c_user cookie back to Facebook. Id. This potentially would happen for Hulu users who watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings. See JSUF #22; Calandrino Decl. ¶¶ 66-67. As discussed below, according to Hulu's expert Peter Weitzman, the c_user cookie would be cleared if the "keep me logged in" box were not checked, if the user manually cleared cookies after the Facebook session and before the Hulu session, or if the user deleted or blocked cookies. See infra.
No evidence has been introduced that Facebook took any actions with the cookies described above. JSUF #25. That being said, Plaintiffs' expert opines that Hulu's disclosure to Facebook of cookie identifiers set by Facebook's domain enabled Facebook to link information identifying the user with the user's video choices. See Calandrino Decl., ECF No. 160-5, ¶¶ 57-81. In common web browsers, visiting a website out of Facebook's control will not result in the communication of information to Facebook absent a decision (directly or indirectly) by the party controlling the website to send information. Id. ¶ 57. It is straightforward to develop a web page that "yields no communication with Facebook." Id. When a Hulu watch page loaded with the Facebook Like button, the page prompted the user's web browser to transmit the watch page URL and Facebook cookies to Facebook-controlled servers. Id. ¶ 58. This happened with the initial Hulu-prompted request from the user's browser to Facebook before the receipt of any information from Facebook. Id. ¶ 59. Because the URL of the watch page specified the title of the video during the period from April 21, 2010 to June 7, 2012, the disclosure to Facebook included the title of the video being viewed. Id. ¶ 61. The c_user cookie would give the name of the currently-logged in Facebook user. Id. ¶ 66. The lu cookie might too. Id. ¶ 71. A user is logged out of Facebook by default after closing the browser, but Facebook also provides users with an option to remain logged in after closing the browser. Id. ¶¶ 72-73. The lu cookie clears after a user selects Facebook's log-out option. Id. ¶ 74.
V. SUMMARY OF ADDITIONAL EXPERT TESTIMONY
A. Plaintiffs' Expert Gary Wills
Craig Wills, Ph.D., an expert in web privacy, analyzed "'session captures' - recordings of actual data transmissions between a browser and Web pages on Hulu's Web site." Wills Decl. ¶ 26. Dr. Wills reviewed session captures he created that preceded the relevant period and that took place after April 2013. Id. ¶ 27. He also reviewed session captures between March 2011 and April 2013 that Plaintiffs' counsel provided "with the representation that they were captures of User-Hulu sessions conducted and recorded at the direction of [P]laintiffs' counsel." Id. ¶ 28. His review revealed that the following data were sent to Facebook from July 2011 to the present when Hulu users viewed video content on Hulu's website:
a. A facebook "datr" cookie value, which is set whether or not a user is logged into Facebook, that uniquely corresponds to a particular Facebook User and can be used to uniquely track User activity on Hulu as well as other Web sites and associate it with a User's Facebook profile information."Id. ¶ 42. This transmission occurred as part of the loading of the Like button (also described above). Id. ¶ 43a. Hulu inserted instructions in its watch pages so that whenever a Hulu user watched a video, the instructions caused the user's browser to retrieve Facebook JavaScript code that gathered information about the web page and the user and sent it to the Facebook server. Id. At the same time, the title (in 2011) and identifier of the video being wathed were sent via the HTTP referer header to a Facebook server. Id. ¶ 43b. The request also causedc the Facebook datr cookies and many other cookies (described in the summary judgment motion as including the lu and c_user cookies) to be transmitted to Facebook. Id. ¶ 43c. This happened without the user clicking on the Facebook Like button. Id. ¶ 45. In his July 2013 tests and analyses, Dr. Wills confirmed that these findings "apply to any User who is also a Facebook subscriber, regardless of whether the User is actively signed onto Facebook while watching video content on Hulu. Id. ¶ 46.
b. The URL of the web page, which until June 7, 2012, identified the name of the video displayed on the web page.
c. The numeric Video identifier of any video viewed by the User; and
d. The Video Series name for episodic videos such as television shows.
Dr. Wills concluded that "whenever a User selected a video for possible viewing or viewed a video on Hulu's Web site during the Relevant Period, the title of video selected or viewed was sent to comScore and Facebook, along with various identifiers uniquely associated with the User." Id. ¶ 32. "The exception to these conclusions would be for Users who implemented software, such as Adblock Plus, that may prevent the operation of some of the data transmissions triggered by Hulu's JavaScript code described in this section." Id. ¶ 35.
B. Plaintiffs' Expert Joseph Calandrino, Ph.D.
Dr. Calandrino is a computer scientist with Elysium Digital, LLC, "which provides consulting and expert witness services in connection with litigation having technology-related aspects." See Calandrino Decl., ECF No. 160-5 ¶ 1. Plaintiffs submitted his declaration in the summary judgment proceedings and cited it in their reply here (without objection by Hulu). Dr. Calandrino considered two declarations Hulu filed in support of its summary judgment motion, documents related to the operations of facebook.com, including detailed reports published by the Irish Data Protection Commissioner, a journal article on privacy, and Plaintiffs' class certification brief. Id. ¶ 3.
As discussed above, when a Hulu watch page with the Facebook Like button loaded, it prompted the user's web browser to transmit the web page URL and Facebook cookies to Facebook. Id. ¶ 58. Dr. Calandrino's remaining conclusions about the Hulu's disclosures to Facebook are predicated on the assumption "that a user does not manually delete cookies or enable any browser settings that otherwise cause automatic deletion of cookies prior to their expiration dates." Id. ¶ 63. Those disclosures generally are set forth above but are reiterated here because of the predicate assumption that the user did not delete cookies. Visiting a page with an embedded Facebook Like button while logged in to Facebook caused the user's web browser to transmit three cookies: "c_user," "lu," and "datr." Id. ¶ 64.
The "c_user" cookie contains the Facebook profile ID of the previously logged in Facebook user. Id. ¶ 66. This means that when a user was logged into Facebook and visited a Hulu watch page during the period that includes December 21, 2011 to May 2, 2012, Hulu prompted the user's browser to transmit to Facebook data specifying the user's Facebook ID and the title of the video viewed, meaning, it transmitted "details that uniquely identified a Facebook user along with details of the user's Hulu viewing activity." Id. ¶¶ 67-69.
The "lu" cookie has multiple uses, but it can contain the Facebook profile ID of the previous Facebook user to log in to Facebook in that browser and it has a lifetime of two years. Id. ¶ 71. A user is logged out of Facebook by default after closing the browser, but Facebook also provides users with the option to remain logged in after clearing the browser. Id. ¶¶ 72-73. The lu cookie clears after a user selects Facebook's log-out option. Id. ¶ 74. If a user logs out of Facebook by closing a web browser rather than explicitly logging out, then "transmission of the lu cookie prompted by visiting a Hulu watch page would enable Facebook to identify a unique Facebook user account and associate the account and other details of it (such as provided name) with Hulu viewing activity." Id. ¶ 76.
As discussed above and in the section summarizing Hulu's expert, the c_user cookie clears in the same way.
The datr cookie identifies the web browser used to connect to Facebook and lasts for two years. Id. ¶ 77. "Details in a datr cookie distinguish an individual to the extent that use of a given browser distinguishes that individual." Id. ¶ 78. "To the extent that use of a particular browser distinguished an individual during a period that includes December 21, 2011 to May 2, 2012, the Hulu-prompted transmission of the datr cookie and referer URL data to facebook would distinguish the individual and enable Facebook to aggregate that individual's viewing activity on Hulu." Id. ¶ 79.
C. Hulu's Expert Peter Weitzman
Mr. Weitzman is a manager of the Data Analytics group at Stroz Friedberg, "a firm specializing in critical areas of digital risk management." Weitzman Decl. ¶ 1, ECF No. 145 at 2. Mr. Weitzman summarizes Hulu's interactions with Facebook as follows:
Watching videos on hulu.com has separately caused the browser to send various unstructured and structured data elements to Facebook via the Facebook 'Like' button. Facebook received the URL of the page where the Facebook 'Like' button was to be uploaded, which before June 7, 2012, included the video title embedded within it. Hulu does not send Facebook the Hulu User ID or a user's name or other identifying information. There are and were many mechanisms available to Hulu users to prevent the Facebook 'Like' button from being downloaded from Facebook, and thereby prevent these transmissions from occurring, and also to block any cookies that Facebook may have set on users' browsers from being accessed by Facebook. Such mechanisms were freely available throughout the class periods, and would not prevent a user from watching content on hulu.comWeitzman Decl. ¶ 9.
When a person using the Internet browses to a website, the web page may include (a) integration with other websites via social features that allow the sharing of a website via a social network (which in this case would be the Facebook Like button), (b) advertisements, (c) embedded content such as videoclips hosted by third parties, and (d) tracking technologies used by third-party analytics providers such as comScore. Id. ¶ 11. Cookies can be viewed, removed, or blocked by a user of a web browser. Id. ¶ 12. Whenever a computer user's web browser requests any part of a web page, the cookies associated with the domain for that web server are sent to the web server with the request for the web page. See id. GUIDs (or globally unique identifiers) identify a specific copy of a web browser (as described above) to the website that set the GUID value for the browser, and they are important to identify a browser engaging in a series of transactions on a website (such as adding a number of items to an online shopping cart and then buying them). Id. ¶¶ 13-20.
To identify the types of data elements that a user's browser might transmit to Facebook, Mr. Weitzman reviewed network captures provided by Dr. Wills and network captures he generated or directed to be generated by his colleagues. See id. ¶ 21. He also reviewed Hulu's source code and changes to the code during the class period. Id. He identified and tested various approaches that a user might take to prevent transmissions to Facebook. Id. ¶ 22. Mr. Weitzman focused on tools that were available during all or part of the class periods and that are easy to install and configure. Id. ¶ 22. Mr. Weitzman created a "Microsoft Windows 7 virtual machine," which is a software-based computer that runs on a host computer's hardware that allowed him and his colleagues to "browse various Internet pages while capturing network traffic." Id. Then he could review the captured network traffic data to see exactly which data elements were transmitted by the browser and "deduce which ones were blocked." Id.
Due to "the complexity of interactions between the Facebook and Hulu websites," Mr. Weitzman "did not review all traffic sent between the user's browser and Facebook when a user views a Hulu page" and instead "focused on what happens when the Facebook 'Like' button is installed on a hulu.com webpage, before any user has clicked on the button." Id. ¶ 38. The Like button is generated on the Hulu watch pages as an "iframe," which acts as a small Facebook webpage embedded on hulu.com that is separate and apart from the parent web page hulu.com. Id. ¶ 39. "Hulu's sole involvement with respect to the Facebook 'Like' button is instructing the user's browser to request the Facebook 'Like' button from Facebook serves, and setting the parameters that tell Facebook how the 'Like' button should be configured." "When the browser requests the Facebook 'Like' button from Facebook servers, it sends the following data elements:
1. href parameter - The URL of the page of the [watch] page on which the 'Like' button will be placed . . . . [T]his URL may contain additional embedded information . . . . Before June 7, 2012, such information may have included the title of the video being watched. . . . The referrer URL also included the numerical ID of the video being watched on a watch page, or the series title on a Hulu Web page for a television series. . . .Id. ¶ 39 (also explains that "[i]f the Facebook user is no longer logged in, but was only logged out passively, such as by a timeout, then the lu cookie will still contain their Facebook numerical ID. The value will change if (1) they actively log out by selecting "Log Out" (then the lu value will be reset to "0") or (2) if another user logs into the facebook.com on the same browser.").
2. the Facebook datr cookie . . . [which] is only set when the user visits facebook.com . . . [and] identifies a specific instance of a web browser that has accessed facebook.com . . . . [paragraph contains additional information about how a datr cookie is and is not used]
3. the Facebook profile ID - a Facebook numerical ID associated with the Facebook user . . . [which] is sent to Facebook web servers via the 'lu' cookie when the browser makes the GET request for the Facebook 'Like' button. . . . If the user logs out of Facebook, the 'lu' cookie value is set to '0'. . . .
Similarly, logging out of Facebook clears the c_user cookie. See Gov't of Ir., Data Protection Commissioner, Facebook Ireland Ltd: Report of Re-Audit (21 Sept. 2012), ECF No. 146 at 86; Hulu Supplemental Filing, ECF No. 202 at 2 (citing record).
Browsers allow users to block and clear cookies (including by setting privacy settings to clear cookies automatically) and to install plugin browser enhancements to configure the browser in many ways, including blocking traffic to a specific web domain. Id. ¶ 40. During the class period of April 21, 2010 to June 7, 2012, Hulu users "could take simple steps to block data transmissions from their browsers to third parties, such as comScore and Facebook, when visiting hulu.com. Doing so would not have interfered with the user's ability to select and watch videos on hulu.com." Id. ¶ 41.
For example, Hulu users could take standard web-privacy measures to limit the active lifespan of cookies including (1) using their browsers in "incognito" mode, where no existing cookies from any websites can be accessed, and all cookies set during browsing sessions are deleted when the browser is closed (leading to the resetting of the datr cookie), and (2) deleting cookies either manually or by browser configuration, which has the same effect as browsing incognito. Id. ¶ 43.
Other tools available to Hulu users to block communications include three that Mr. Weitzman tested: Ghostery, AdBlock, and Adblock Plus. Id. ¶ 42. Mr. Weitzman tested these plugins (to the extent they were available) in five major web browsers to determine the effect on communications between the browser, comScore, and Facebook. His results are summarized in the following chart:
| Ghostery v5.0.0 & v3.1.0 (IE) | AdBlock | AdblockPlus | |
| Internet Explorer v10.0.9200.16521 | Blocked all comScore beacons and Facebook like buttons. Requires 32-bit IE and Administrator privileges. Not available for IE11. Some interactions with the pages caused the browser to freeze. | Not mentioned. | Available during class period apparently only for Firefox and Chrome. |
| Mozilla Firefox v25.0 | Blocked all comScore beacons and Facebook like buttons. | Not mentioned. | Blocked all comScore beacons and Facebook like buttons. |
| Google Chrome v31.0.1650.57 | Blocked all comScore beacons and Facebook like buttons. | Blocked all comScore beacons and Facebook like buttons. | Blocked all comScore beacons and Facebook Like buttons. |
| Apple Safari v534.57.2 (Windows) | Did not block comScore beacons and Facebook like buttons. | Did not block comScore beacons and Facebook like buttons. | Not available. |
| Opera v18.0.1284.49 | Blocked all comScore beacons and Facebook like buttons. | Blocked all comScore beacons and Facebook like buttons with extra options enabled. Did not block comScore beacons and Facebook like buttons with default installation. | Blocked all comScore beacons and Facebook Like buttons with extra options enabled. Did not block comScore beacons and Facebook like buttons with default installation. |
See Weitzman Decl. Ex. B.
At his deposition, Mr. Weitzman admitted that he tested only versions of the browsers and plugins that were current at the time of testing, not what was available during the class period.
Q. So do you have any personal knowledge as to whether any of these plugins blocked Facebook or comScore for any prior versions of these browsers?Weitzman Dep. 77:3-17, Tersigni Decl. Ex. 6.
Mr. Svirsky: Objection.
A. So, as I said, we did not test the configurations to cover the entirety of the class period or to cover the class period. We determined when the plugins became available and we tested current versions, because that was feasible to do so. So we didn't test the various plugins and the various browsers as they might have been during the class period, so no, I don't have any direct knowledge of that.
D. Hulu's Expert Hal Poret
Mr. Poret, Senior Vice President of ORC International, designed and conducted a consumer survey about Hulu users and how they interact with their Hulu accounts. See ECF No. 144. Mr. Poret holds B.S. and M.A. degrees in mathematics from Union College and S.U.N.Y. Albany, respectively, and a J.D. from Harvard Law School that he received in 1998. ECF No. 144-1 at 2. He worked at Foley Hoag & Elliot in Boston from 1998 to 2003, and has worked at ORC since 2004. Id.. He has "personally designed, supervised, and implemented approximately 600 surveys regarding the behaviors and opinions of consumers . . .[,] designed numerous studies that have been admitted as evidence in legal proceedings[,] and . . . been accepted as an expert in survey research on numerous occasions by U.S. District Court" and other tribunals. Id.
Mr. Poret conducted an online survey of "U.S. consumers age 18 and older who had a registered account at hulu.com during the class period of April 2010 to November 2012 and viewed content at hulu.com using a computer during that time." ECF No. 144 at 6. There were 700 respondents, which provided a margin of error for key statistics in the range of +/- 3.7% or less. Id.
The double-blind survey first asked respondents a series of screening questions to determine whether they met the appropriate criteria to qualify for the survey. Id. at 6-9, 64. The remaining survey "was comprised of several sections, each targeting one of the following topics regarding the practices of potential class members:
• Habits regarding how respondents have interacted with their Hulu accounts.Id. at 9-10. Some of the relevant lines of inquiry were as follows: (1) whether anyone else had access to the respondents' Hulu accounts during the class period; (2) whether those users also would have accessed Facebook from the same browser; (3) whether respondents used their real names to register for Hulu and/or Facebook; (4) how frequently respondents signed out of Facebook; (5) whether and how often they ever had cleared Facebook cookies; and (6) whether they cleared or blocked cookies or used ad-blocking software. Id at 10-61. The Poret report includes tables documenting the survey responses for each question. Id.
• Habits regarding how respondents have interacted with Facebook.
• Habits regarding respondents' computer behavior.
• Habits regarding respondents' Internet behavior.
• Browsers and operating systems used by respondents.
• Respondents' concerns and actions regarding privacy protection online."
The Poret report concludes "that there is significant variation among Hulu account holders from April 2010 to November 2012, in terms of their interaction with their Hulu account(s), as well as additional factors, such as:"
• How many Hulu account holders allowed others to access their Hulu account.Id. at 5. For example, over 50% use ad-blocking software, and over 60% use private browser settings that would block cookies. Id. at 47.
• How many Hulu account holders knew others were viewing content on their Hulu
account and how often.
• How many Hulu account holders admittedly did not use their real name to register for Hulu, and how many could not remember.
• How often Hulu account holders used Hulu while also logged into Facebook.
• How many Hulu account holders cleared Facebook cookies.
• How many Hulu account holders posted on Facebook about content watched on Hulu, and how often.
• Browsers used by Hulu account holders to access Hulu during [the] class period.
• Privacy actions taken by Hulu account holders (e.g., clearing cookies, using ad-blocking software).
VI. ADDITIONAL INFORMATION ABOUT HULU'S BLOCKING THE BLOCKERS
A comScore witness testified that from 2007 to the present, she could not recall a single instance where the data comScore received from Hulu was not paired with the comScore cookie, meaning, the cookies always came through. See Johnson Dep., Tersigni Decl. Ex. 3, ECF No. 169 at 80-81 (not sure about the Safari browser). Also, Hulu was able to defeat cookie-blocking technologies. See Tersigni Decl. Ex. 7, HULU_GAR203628 at 22 ("In our experience ad blockers are not yet an issue within video streams given that ads are much harder to block there. Our medium-term focus on the issue will be to ensure that our reporting and logic functions continue to work correctly in those cases where an ad is blocked."); Ex. 8 (Hulu applied fixes when new ad-blocking software affected its video technology); Ex. 9, HULU_GAR196877 (Hulu communication to vendor that "[w]e are able to drop cookies in the player without an issue" and "[t]his has been done with pretty much all our vendors").
VII. ADDITIONAL INFORMATION ABOUT NAMED PLAINTIFFS' BROWSER USE
The named plaintiffs Joseph Garvey, Evan Zampella, Paul Torre, and Josh Wymyczak submitted declarations about their browser use. See ECF Nos. 113-13 to 113-16. All are Facebook users who have used Facebook on the same computer that they used when watching videos on hulu.com, none linked their Hulu and Facebook accounts, and they do not use ad-blocking software on devices where they watched videos on Hulu and do not clear cookies regularly or have not cleared cookies in some time. See Garvey Decl. ¶¶ 6-7; Zampella Decl. ¶¶ 6-7; Torre Decl. ¶¶ 6-7; Wymyczak Decl. ¶¶ 6-7.
In his deposition, Mr. Torre said that he used a program that can block cookies and that he had manually cleared cookies. Torre Dep., Robison Decl. Ex. A, ECF No. 150-4 at 64. Plaintiffs admitted to posting on Facebook about videos they watched on Hulu. See Garvey Dep., Robison Decl. Ex. C at 89:12-17; Torre Dep., Robison Decl. Ex. A at 181:7-12, 183:19-24; Wymyzczak Dep., Robison Decl. Ex. D at 95:3-19.
ANALYSIS
I. EVIDENTIARY ISSUES
Plaintiffs argue that the Poret report and survey are irrelevant and unreliable under Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579, 592-93 (1993). Reply, ECF No. 168 at 14, n.12.
A qualified expert may testify in the form of an opinion or otherwise if (A) the expert's scientific, technical, or other specialized knowledge will help the trier of fact understand the evidence or to determine a fact in issue, (B) the testimony is based on sufficient facts or data, (C) the testimony is the product of reliable principles and methods, and (D) the expert has reliably applied the principles and methods to the facts of the case. See Fed. R. Evid. 702. Under Daubert, the court acts as a "gatekeeper" to ensure that an expert's opinion rests on a reliable foundation and is relevant. 509 U.S. at 592; Kumho Tire Co. v. Carmichael, 526 U.S. 137, 145, 147-49 (1999). "Daubert does not require a court to admit or exclude evidence based on its persuasiveness; rather it requires a court to admit or exclude evidence based on its scientific reliability and relevance." Ellis v. Costco Wholesale Corp., 657 F.3d 970 (9th Cir. 2011) (applying Daubert standard to motion for class certification); see also Wal-Mart Stores, Inc. v. Dukes, 131 S. Ct. 2541, 2553-54 (2011) (implying that district court must ensure that any expert testimony complies with Daubert standard at class certification stage).
Plaintiffs' first objection is that the survey's conclusions about consumer behavior do not demonstrate that these behaviors prevented Hulu's disclosure of PII. Thus, the survey results are not relevant. Reply, ECF No. 168 at 14, n.12. This argument is predicated on Plaintiffs' argument that regardless of what Hulu's experts concluded about consumer habits or user ad-blocking capabilities, they were not aware that Hulu's technology circumvents ad-blocking. See id. at 14-15, n.12. This goes to weight, not relevance, given that Hulu argues that clearing cookies or using blocking technologies is relevant to whether a VPPA violation occurred and thus is relevant to typicality and predominance. See Opp'n, ECF No. 150-3 at 16, 21-23.
The second objection is that Mr. Poret lacked familiarity with the survey topics, especially consumers' usage of technologies to prevent web tracking. See Reply, ECF No. 168 at 14, n.12. For example, Plaintiffs allege that Mr. Poret was not familiar with whether "do not track" tools were available during the survey, when ad-blocking software was introduced into the U.S. marketplace, whether browsers could be set to automatically delete cookies as of November 2012, whether browsers offered a tool to automatically clear or delete cookies as of April 2010, and whether it is possible to clear Facebook cookies from the browser without clearing the other cookies. Id. This relevance argument is more about Mr. Poret's explanation not being sufficient and does not establish that it is not relevant.
The third objection is that Mr. Poret failed to adequately validate the survey results. Id. For example, the Poret report states that 65.3% of survey respondents used ad-blocking software, but Plaintiffs cite another report stating that as of May 2012, fewer than 10% of U.S. internet users employed ad-blocking tools. Id. (citing Ad-Blocking, Measured, ClarityRay, May 2012, at 4, Tersigni Decl. Ex. 18, ECF No. 169-18). This is about the sufficiency of the report, not about its relevance or the reliability of the methodology or results. It is standard territory for expert disagreement, and Plaintiffs could - as they do - challenge the weight that the court ought to accord to it. They could have put in other expert testimony, but they did not.
The Poret report discusses its methodology, which included a sampling plan, double-blind interviewing, third-party data collection and processing, and validation and quality control questions. See ECF No. 144 at 62-66. On this record and at this stage of the case, the court finds Mr. Poret qualified to render his opinions, and the Poret report relevant and sufficiently reliable.
II. THE VIDEO PRIVACY PROTECTION ACT AND DISCLOSURES OF USER IDS
The VPPA is titled "Wrongful disclosure of video tape rental or sales records." 18 U.S.C. § 2710. It "'protect[s] certain personal information of an individual who rents [or otherwise obtains] video materials from disclosure.'" See Dikes v. Borough of Runnemede, 936 F. Supp. 235, 238 (D.N.J. 1996) (quoting S. Rep. 100-599, 2d Sess. at 16 (1988)). The protected information is "information which identifies a person as having requested or obtained specific video materials." 18 U.S.C. § 2710(a)(3).
"Aggrieved" persons may sue for knowing disclosures of information in violation of the statute. See 18 U.S.C. § 2710(b)-(c). Under the statute, a "court may award - (A) actual damages but not less than liquidated damages in an amount of $2,500; (B) punitive damages; (C) reasonable attorneys' fees and other litigation costs reasonably incurred; and (D) such other preliminary and equitable relief as the court determines to be appropriate." 18 U.S.C. § 2710(c)(2).
Plaintiffs seek to represent a class of "aggrieved persons." As consumers of Hulu's video content, they allege that Hulu transmitted their identifying information and the videos they watched to comScore and Facebook. The court granted summary judgment to Hulu as to the comScore transmissions. See ECF No. 194. The remaining issue is whether the information transmitted to Facebook is "information which identifies a person as having requested or obtained specific video materials." 18 U.S.C. § 2710(a)(3). If it is, then the transmission violates the VPPA. See id. & 2710(b). As to the Facebook disclosures, the court held that there are material issues of fact about whether the disclosure of the video name was tied to an identified Facebook user such that it was a prohibited disclosure under the VPPA. See ECF No. 194 at 2. Also, the court could not rule as a matter of law whether Hulu knowingly disclosed information or whether Hulu users consented to the disclosures. See id.
II. CLASS CERTIFICATION
Plaintiffs here seek to certify a class for damages under Rule 23(b)(3).
A threshold requirement is that Plaintiffs must establish a definable class. See Rule 23(c)(1)(B) ("[a]n order that certifies a class action must define the class and the class claims, issues, or defenses"); Mazur v. Ebay Inc., 257 F.R.D. 563, 567 (N.D. Cal. 2009). A party seeking class certification then must show the following prerequisites of Rule 23(a): numerosity, commonality, typicality, and adequacy of representation. A court may certify a class under Rule 23(b)(3) if the court finds that questions of law or fact common to class members predominate over any questions affecting only individual members and a class action is superior to other available methods for fairly and efficiently adjudicating the controversy. See Fed. R. Civ. P. 23(b)(3).
"Certification is proper only if the trial court is satisfied, after a rigorous analysis, that the prerequisites of Rule 23(a) have been satisfied." Dukes, 131 S. Ct. at 2551 (internal quotation marks and citation omitted). The "rigorous analysis" often will "entail some overlap with the merits of the plaintiff's underlying claim." Id. at 2551. More specifically:
[A] party seeking to maintain a class action 'must affirmatively demonstrate his compliance' with Rule 23. The Rule does not set forth a mere pleading standard. Rather, a party must not only be prepared to prove that there are in fact sufficiently numerous parties, common questions of law or fact, typicality of claims or defenses, and adequacy of representation, as required by Rule 23(a). The party must also satisfy through evidentiary proof at least one of the provisions of Rule 23(b). . . . [I]t may be necessary for the court to probe behind the pleadings before coming to rest on the certification question, and . . . certification is proper only if the trial court is satisfied, after a rigorous analysis, that the prerequisites of Rule 23(a) have been satisfied. Such an analysis will frequently entail overlap with the merits of the plaintiff's underlying claim. That is so because the class determination generally involves considerations that are enmeshed in the factual and legal issues comprising the plaintiff's cause of action. The same analytical principles govern Rule 23(b).Comcast, 133 S. Ct. at 1432 (quotation marks and citations omitted). Still, "Rule 23 grants no license to engage in free-ranging merits inquiries at the certification stage. Merits questions may be considered to the extent - but only to the extent - that they are relevant for determining whether the Rule 23 prerequisites for class certification are satisfied." Amgen Inc. v. Conn. Ret. Plans & Trust Funds, 133 S. Ct. 1184, 1194-95 (2013). If a court concludes that the moving party has met its burden of proof, then the court has broad discretion to certify the class. Zinser v. Accuflix Res. Inst., Inc., 253 F.3d 1180, 1186, amended by 273 F.3d 1266 (9th Cir. 2001).
A. Ascertainable and Definite Class
A class should be sufficiently definite and "clearly ascertainable" by reference to objective criteria "so that it is administratively feasible [for a court] to determine whether a particular person is a class member" and thus "bound by the judgment." Shepard v. Lowe's HIW, Inc., No. C 12-3893 JSW, 2013 WL 4488802 (N.D. Cal. Aug. 19, 2013) (collecting cases); Deitz v. Comcast Corp., No. C 06-06352 WHA, 2007 WL 2015440, at *8 (N.D. Cal. July 11, 2007) (proposed class of cable subscribers who owned cable-ready televisions or related equipment not ascertainable where the defendant did not maintain records to identify those customers, rendering it "impossible to determine without significant inquiry which subscribers owned such devices"); see also Newberg on Class Actions § 3:3 (5th Ed. 2013) ("Administrative feasibility means that identifying class members is a manageable process that does not require much, if any, individual factual inquiry."); Annotated Manual for Complex Litigation (Fourth) § 21.222 (2013) ("Because individual class members must receive the best notice practicable and have an opportunity to opt out, and because individual damage claims are likely, Rule 23(b)(3) class actions require a class definition that will permit identification of individual class members"). Still, "the class need not be so ascertainable that every potential member can be identified at the commencement of the action." Ortiz v. CVS Caremark Corp., No. C-12-05859 EDL, 2013 WL 6236743 (N.D. Cal. Dec. 2, 2013) (quotation omitted).
The first issue is whether the class can be defined or identified at all. The summary judgment order narrowed the class harm to the transmission of Facebook ID cookies with the Hulu/Facebook user's Hulu watch page and video title when the Facebook Like button loaded. Thus, the class is comprised of users of both Facebook and Hulu during the class period. Both services require provision of an email address when a user registers. Presumably email addresses submitted to Facebook and Hulu could be cross-referenced, which would result in the identification of a group that used both services. But Plaintiffs did not propose cross-referencing Hulu and Facebook records or address any burden of doing so.
Assuming that cross-referencing is possible, then it would provide a feasible way to notify and communicate with the potential class members. See Brewer v. Salyer, No. 1:06cv1324 AWI DLB, 2010 WL 1558413, at *1 (E.D. Cal. April 19, 2010) (approving over-inclusive class as the best practicable notice under the circumstances). This does not end the ascertainability inquiry, however, because class members are those who actually had their PII transmitted to Facebook. That inquiry turns on whether the c_user cookie was sent to Facebook, which depends on a number of variables (including whether the user remained logged into Facebook, cleared cookies, or used ad-blocking software).
The order addresses these issues below in the analysis of Rule 23(b)(3) predominance requirement by considering whether the issues can be resolved by refining the class definition or designating subclasses. See Messner v. Northshore Univ. HealthSystem, 669 F.3d 802, 825 (7th Cir. 2012) (class definition is "more of an art than a science," and definitional flaws "can and often should be resolved by refining the class definition rather than by flatly denying class certification on that basis"). The court concludes there that possibly subclasses could be defined (even though there are issues with that approach). For example, a possible class definition is registered Hulu users who at least once during the class period watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings. See supra Statement (discussing class definition); JSUF #22; Calandrino Decl. ¶¶ 66-67. Subclasses might be users who use the "keep me logged in" box checked (or do not log out at all). Possibly subclasses could account for whether the user manually clears cookies, sets browser settings to clear cookies, or uses software to clear cookies. See infra.
This approach might define the class, but the question is, how does one ascertain who is in the class or subclasses. The only way is self-reporting, an issue addressed at the May 8, 2014 hearing and in the parties' supplemental briefing. See ECF Nos. 202, 203, 208, 210.
In Harris v. comScore, the court certified a class for transmission of personal information in violation of the Stored Communications Act, the Electronic Communications Privacy Act, and the Computer Fraud and Abuse Act. See 292 F.R.D. at 587-88. Putative class members downloaded comScore's OSSProxy program as part of bundled free software. Id. In allowing reporting by affidavit, the Harris court observed that at least some portion of the class was known by email address. Id. It recognized that it can be improper to allow class membership to be established only by assertion of the class members without any corroboration by the defendant's records, but nonetheless allowed submission of affidavits because the "bulk" of the class membership would be determined by comScore's own records, and the burden of an affidavit process was minimal. Id. at 587-88 (collecting cases, including cases where courts allow "portions of a class" to be established by affidavit or claim form when burdens are minimal) (citations omitted). The court also said that if the portion of the class asserting membership by affidavit only was excessively large, it could consider whether to limit the class to members with downloads of OSSProxy that could be ascertained from comScore's records. Id. at 588.
This case is different than comScore: cross-referencing email records here would identify a large pool of users with only a subset of the pool suffering any injury. Plaintiffs have offered no way to identify individual class members other than broad notice and a self-reporting affidavit.
Proof by affidavit does not necessarily defeat ascertainability. The reason is that if consumers always had to prove purchases, then that would defeat many consumer class actions. See McCrary v. The Elations Co., LLC, No. EDCV 13-00242 JGB, 2014 WL 1779243, at *7 (E.D. Cal. Jan. 13, 2014) (certifying a class of purchasers of a dietary drink marketed to have joint health benefits) (citing Ries v. Arizona Beverages USA LLC, 287 F.R.D. 523, 525 (N.D. Cal. 2012), where the court certified a class that was required to self-identify whether they purchased the iced tea during the class period). That being said, and as the Harris court noted, reliance on affidavits can be problematic. 292 F.R.D. at 587-88.
One factor to consider in whether to allow affidavits is ease of documentation and burden. See id. An administrator here could handle claims notices and affidavits electronically, by simple form, and probably without substantial burden, which militates in favor of the affidavit process. See id. (citing Newberg on Class Actions § 10.12 (4th ed. 2012)).
Other factors are the size of the claims or the difficulty of verifying them: "[a] simple statement or affidavit may be sufficient where the claims are small or are not amenable to ready verification." Id. (quoting Newberg on Class Actions § 10.12 (4th ed. 2012)). In cases where the dollar amounts are small, and class members do not have proof of purchase of a defective product, courts (including those in this district) allow proof by affidavit. See, e.g., McCrary, 2014 WL 1779243, at *7 (joint supplements); Lanovaz v. Twinings North America, Inc., No. C 12-02646, 2014 WL 1652338, at *3 (N.D. Cal. April 24, 2014) (misbranded teas) (collecting cases); Forcellati v. Hyland's, Inc., No. CV 12-1983-GHK, 2014 WL 1410264, at *5 (C.D. Cal. April 9, 2014) (cold and flu products); Boundas v. Abercrombie & Fitch Stores, Inc., 280 F.R.D. 408, 417-18 (N.D. Ill. 2012).
By contrast, when dollar amounts are higher, some form of verification is appropriate beyond just an affidavit. See Saltzman v. Pella Corp., 257 F.R.D. 471, 476 (N.D. Ill. 2012) (class action for products defect in windows with wood rot; consumers without sales records could self-identify and provide verification in the form of photographs); Red v. Kraft Foods, Inc., No. Cv10-1028-GW, 2012 WL 8019257 (C.D. Cal. April 12, 2012). And in any event, objective criteria (such as corroboration by reference to a defendant's records or provision of some proof of purchase) are important to establishing class membership as opposed to relying only on potential members' say-so and subjective memories that may be imperfect. See Harris, 292 F.R.D. at 587; accord Xavier v. Philip Morris USA Inc., 787 F. Supp. 2d 1075, 1089 (N.D. Cal. 2011) (requiring objective criteria to identify a class). In Xavier, for example, the district court denied class certification to a class of smokers who smoked Marlboro cigarettes for at least 20 "pack-years" (one pack a day for 20 years or the equivalent) on the ground that the putative class members' subjective estimates of their long-term smoking habits were not reliable. See 787 F. Supp. 2d at 1089-90.
Here, the claims apparently are not amenable to ready verification. And at $2,500 per class member, they are not small. As Hulu points out, this amount creates incentives for claimants. In addition, on this record, the court cannot tell how potential class members reliably could establish by affidavit the answers to the potential questions: do you log into Facebook and Hulu from the same browser; do you log out of Facebook; do you set browser settings to clear cookies; and do you use software to block cookies? The affidavit seems prone to the same subjective memory problems identified in Xavier. See 787 F. Supp. 2d at 1090 (attesting to the number of cigarettes smoked over decades is categorically different than swearing that "I have been to Paris"). The possibility of substantial pecuniary gain affects this analysis too. Accord id. That incentive and the vagaries of subjective recollection makes this case different than the small-ticket consumer protection class actions that this district certifies routinely.
Whether these issues could be resolved by narrowing the class definition, by defining subclasses, by reference to objective criteria, by a damages analysis that addresses pecuniary incentives, or otherwise, the undersigned cannot tell. But on this record, Plaintiffs have not defined an ascertainable class.
Because the court denies class certification on this ground without prejudice, the order addresses the remaining Rule 23 requirements.
B. Rule 23(a)'s Requirements
Plaintiffs must show the following prerequisites of Rule 23(a): numerosity, commonality, typicality, and adequacy of representation.
1. Numerosity
Rule 23(a)(1) requires that, for a class to be certified, it must be "so numerous that joinder of all members is impracticable." Hulu does not challenge certification based on the numerosity element. See Opp'n, ECF No. 150-3 at 15, n.4 ("Hulu does not dispute numerosity, although . . . their class definitions are overbroad"). Plaintiffs have satisfied this element.
2. Commonality
Under Rule 23(a)(2), a class cannot be certified unless Plaintiffs establish that "there are questions of law or fact common to the class." Rule 23(a)(2) does not require Plaintiffs to show that each class member's claim is based on identical factual and legal issues: "The existence of shared legal issues with divergent factual predicates is sufficient" to meet the requirements of Rule 23(a)(2)." Parra v. Bashas', Inc., 536 F.3d 975, 978 (9th Cir. 2008) (quoting Hanlon v. Chrysler Corp., 150 F.3d 1011, 1019 (9th Cir. 1998)). Under Rule 23(a)(2), "even a single common question will do." Dukes, 131 S. Ct. at 2556 (quotation omitted). "Commonality requires the plaintiff to demonstrate that class members have suffered the same injury. This does not mean merely that they have all suffered a violation of the same provision of law." Id. at 2551. The common question "must be of such a nature that it is capable of classwide resolution - which means that determination of is truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke." Id. "What matters to class certification . . . is not the raising of common 'questions' - even in droves - but rather the capacity of a classwide proceeding to generate common answers apt to drive resolution of the litigation. Dissimilarities within the proposed class are what have the potential to impede the generation of common answers." Id. (quotation omitted).
Plaintiffs argue that the common factual and legal questions are as follows:
1. Whether the Facebook c_user cookie provided to Facebook for each class member "identifies a person" to Facebook under the VPPA;
2. Whether the URLs provided to Facebook identify "specific video materials or services" under the VPPA;
3. Whether Hulu obtained Class Members' "informed, written consent" under the VPPA to disclose their personally identifiable information to Facebook, at the time Hulu made such disclosure;
4. Whether, as a result of Hulu's conduct the Class is entitled to equitable relief and/or other relief, and if so the nature of such relief; and
5. Whether, as a result of Hulu's conduct the Class is entitled to damages, including statutory and/or punitive damages.
Defenses Raised By Hulu
1. Whether Hulu's disclosures were incident to Hulu's debt collection activities, order fulfillment, request processing, or transfer of ownership;Motion, ECF No. 112 at 14; see Summary Judgment Order, ECF No. 194 at 11-12 (holding that transmissions were not in Hulu's ordinary course of business, which is defined in 18 U.S.C. § 2710(a)(2) as "only debt collection activities, order fulfillment, request processing, and the transfer of ownership").
2. Whether Hulu's disclosures were in Hulu's ordinary course of business.
As discussed in the summary judgment order, the theory of the VPPA disclosure to Facebook is that to load the Like button, Hulu sent Facebook the title of the watched video and the Facebook ID cookies, which are the datr cookie (identifying the browser), the lu cookie (identifying the previous Facebook user to log into Facebook) (with a lifetime of three years), and the c_user cookie (identifying any user logged into Facebook using the default setting in the last four weeks). See Summary Judgment Order, ECF No. 194 at 19-20. By resolving the issues about whether transmission of the Facebook cookies (now limited to the c_user cookie) identified a consumer and whether the URLs conveyed video titles, the court can resolve issues central to the viability of the class members' common statutory claim that Hulu violated the VPPA by disclosing their PII to Facebook. Plaintiffs' common questions of law and fact satisfy Rule 23(a)(2). See In re Netflix Privacy Litig., No. 5:11-CV-00379 EJD, 2012 WL 2598819, at *3 (N.D. Cal. July 5, 2012) (in the context of its final approval of a class action settlement, the district court found that Netflix's uniform policy of retaining and disclosing PII and viewing histories of subscribers established common statutory claims under the VPPA; the resulting common factual and legal claims met Rule 23(a)'s commonality requirement).
Plaintiffs' motion for class certification relied only on the datr cookie, asserting that it was "an identifier unique for each Facebook user." See Motion for Class Certification, ECF No. 112 at 13. That analysis changed by the summary judgment motion, where everyone acknowledged that the datr cookie alone was not a unique identifier on its own.
--------
Hulu nonetheless argues that the claims are not common because each member's claim turns on individual evidence, such as whether he or she used ad-blocking software, watched a video while logged into Facebook, or cleared browser cookies before accessing Hulu. See Opp'n, ECF No. 150-3 at 17. These assertions do not change the determination that Plaintiffs have established common issues of law and fact. These also are not potentially disparate questions underlying each putative class member's claim that prevent Plaintiffs from establishing the commonality requirement. Cf. Dukes, 131 S. Ct. at 2548, 2554-56 (potentially disparate questions about each class member's discrimination claim - given no evidence about a general policy of discrimination or the exercise of discretion by the company's managers in a common way resulting in a common injury - meant that plaintiffs did not satisfy the commonality requirement). The alleged common injury of disclosure of PII to Facebook by transmission of Facebook ID cookies and the name of the watched video is different than the individualized discrimination claims that the Supreme Court identified in Dukes.
To the extent that these fact issues affect the similar but more demanding analysis under Rule 23(b)(3)'s predominance requirement, the order discusses them below. In the context of the commonality analysis, at best, they are differences in proof that might be amenable to addressing by subclasses. They do not affect the conclusion that Plaintiffs allege the same claim of wrongful disclosure by Hulu to Facebook of their PII and watched videos.
3. Typicality
Rule 23(a)(3) requires, as a prerequisite to class certification, that "the claims or defenses of the class representatives [must be] typical of the claims or defenses of the class." "[R]epresentative claims are typical if they are reasonably co-extensive with those of absent class members; they need not be substantially identical." Hanlon v. Chrysler Corp., 150 F.3d 1011, 1020 (9th Cir. 1998) (internal quotation marks and citation omitted). "Typicality refers to the nature of the claim or defense of the class representative, and not to the specific facts from which it arose or the relief sought." Ellis v. Costco Wholesale Corp., 657 F.3d 970, 984 (9th Cir. 2011). "The test of typicality is whether other members have the same or similar injury, whether the action is based on conduct which is not unique to the named plaintiffs, and whether other class members have been injured by the same course of conduct." Hanon v. Dataproducts Corp., 976 F.2d 497, 508 (9th Cir. 1992) (citation and internal quotation marks omitted). "The purpose of the typicality requirement is to assure that the interest of the named representative aligns with the interests of the class. . . . [C]lass certification is inappropriate when a putative class representative is subject to unique defenses which threaten to become the focus of the litigation." Id.
The claims are typical. Plaintiffs' claims involve the same statutory violation and the same injury: disclosure of their PII (in the form of the Facebook ID cookies) and the name of the video.
Hulu again points to differences in each member's claim, such as whether he or she used ad-blocking software, watched a video while logged into Facebook, integrated Hulu and Facebook accounts, made posts on Facebook about videos viewed, or cleared browser cookies before accessing Hulu. See Opp'n, ECF No. 150-3 at 16 (citing Hulu's consumer survey that 50% of Hulu users use ad-blocking technology and 60% use browser settings that block cookies). They also point to Joseph Garvey's use of a pseudonym to register as a Hulu user. Id.
These differences do not change the conclusion.
First, Plaintiffs exclude participants in Facebook Connect (the service that connects Hulu and Facebook users and allows sharing of views across the two platforms) on the ground that including them would present sufficiently different questions of law and fact to preclude a cohesive class. See Motion, ECF No. 112 at 15, n.8. This disposes of any concern regarding integration of Hulu and Facebook accounts.
Second, a plaintiff's independent posting on Facebook is not a defense. Consent to a disclosure under the VPPA in effect during the class period required the "informed, written consent of the consumer given at the time the disclosure is sought." 18 U.S.C. § 2710(b)(2)(B). What is at issue here is Hulu's alleged independent transmission to Facebook - without any consent by the Hulu/Facebook user - of the Facebook ID and the video title as part of the process of loading the code for the Like button. Being logged into Facebook similarly is not obviously consent under VPPA. As discussed in the summary judgment order, there is no evidence in the record that Facebook's data policies affect this analysis or are the informed, written consent required by the VPPA. See ECF No. 194 at 26.
Third, Joseph Garvey's use of a pseudonym does not alter the issues here: his being identified to Facebook. As discussed in the summary judgment order, there are material issues of fact about whether the transmission of the Facebook cookies with the video title was an electronic transmission of the Hulu user's actual identity on Facebook and the video that the Facebook user was watching. See ECF No. 194 at 20-22. The Facebook ID personally identifies a Facebook user. See id. (material issue of fact exists about whether the transmission to Facebook was sufficient to identify individual consumers); see also In Re: Zynga Privacy Litig., No. 11-18044, 2014 WL 1814029, at *9 (9th Cir. May 8, 2014) (discussing how a Facebook ID is personally identifiable information under 18 U.S.C. § 2702(c) of the Electronic Communications Privacy Act). Joseph Garvey's use of a pseudonym on Hulu does not affect the inquiry about whether Hulu knowingly sent his Facebook ID to Facebook together with the titles of his watched videos.
Finally, to the extent that fact issues about ad blockers or clearing browser cookies affect the analysis under Rule 23(b)(3), the court discusses them below in the section on the predominance requirement. As to the defenses, they are not the kinds of defenses that typically defeat class certification by the need for substantial cross-examination on negative facts. Moreover, they are not the kinds of defenses that pose "a danger that absent class members will suffer if their representative is preoccupied with defenses unique to it." Hanon, 976 F.3d at 508.
4. Adequacy of Representation
Rule 23(a)(4) requires that, before a court may certify a class, it must find that "the representative parties will fairly and adequately protect the interests of the class." The requirement applies to the class representative and class counsel and requires resolution of two questions: "(1) do the named plaintiffs and their counsel have any conflicts of interest with other class members, and (2) will the named plaintiffs and their counsel prosecute the action vigorously on behalf of the class?" Hanlon, 150 F.3d at 1020. Rule 23(g)(4) also specifies that class counsel "must fairly and adequately represent the interests of the class." Under Rule 23(g)(1)(A), the court must consider the following criteria in appointing class counsel: (i) counsel's work "in identifying or investigating potential claims in the action"; (ii) "counsel's experience in handling class actions, other complex litigation, and the types of claims asserted in the action"; (iii) "counsel's knowledge of the applicable law"; and (iv) "the resources that counsel will commit to representing the class." Rule 23(g)(1)(B) permits the court to "consider any other matter pertinent to counsel's ability to fairly and adequately represent the interests of the class."
Defendants do not dispute the adequacy of Plaintiffs' counsel. Plaintiffs retained counsel with significant experience in prosecuting large consumer class actions. See Parisi Decl., ECF No. 113, Exs. 10-12. Counsel have worked vigorously to identify and investigate the claims in this case, and, as this litigation has revealed, they understand the applicable law and have represented their clients effectively. See In re Netflix Privacy Litigation, 2012 WL 2598819, at *3.
As to the adequacy of the named Plaintiffs, the requirement is meant to evaluate whether "the named plaintiff's claim and the class claims are so interrelated that the interests of the class members will be fairly and adequately protected in their absence." Gen. Tel. of Sw. v. Falcon, 457 U.S. 147, 158, n.13 (1982). Plaintiffs' counsel asserted, and Hulu does not dispute, that Plaintiffs have worked actively with counsel to prepare and "vigorously" prosecute the case. See Fed. R. Civ. P. 23(a)(4); Parisi Decl.; ECF No. 114, Exs. 10-12; Torre Decl. ¶ 9; Wymyczak Decl. ¶ 9; Garvey Decl. ¶ 9; Zampella Decl. ¶ 9; see Opp'n, ECF No. 150-3 at 15, n.4. Given their common claims and shared interests with the class, the named Plaintiffs adequately represent the class's interests under Rule 23(a)(4). Accord In re Netflix Privacy Litigation, 2012 WL 2598819, at *3 (reaching the same conclusion in a VPPA case based on similar facts).
Hulu's only argument against this result is that Plaintiffs are not adequate representatives under Rule 23(b)(3). Opp'n, ECF No. 150-3 at 15, n. 4. The order addresses Rule 23(b) in the next section.
C. Rule 23(b)(3) Requirements
Under Rule 23(b)(3), a class action is maintainable if "the court finds that questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." Rule 23(b)(3) thus requires two inquiries: (1) do the common questions of law or fact "predominate" over questions over questions affecting only individual class members, and (2) is class treatment "superior" to alternative methods for adjudicating the controversy?
1. Predominance of Common Questions
The Rule 23(b)(3) predominance inquiry involves weighing and evaluating the common and individual issues in the case. See Dukes, 131 S. Ct. at 2556. It involves consideration of the same principles that guide the Rule 23(a) commonality analysis, but it "is even more demanding than Rule 23(a). See Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1432 (2013). The Rule 23(a)(2) inquiry is only whether the plaintiff shows the existence of a common issue of law or fact. See Dukes, 131 S. Ct. at 2556. The predominance inquiry looks at those common questions, "focuses on the relationship between the common and individual issues," Hanlon, 150 F.3d at 1022, and requires the court to weigh the common issues against the individual issues. See Dukes, 131 S. Ct. at 2556. Class certification under Rule 23(b)(3) is proper when common questions represent a significant portion of the case and can be resolved for all members of the class in a single adjudication. Hanlon, 150 F.3d at 1022.
"Considering whether 'questions of law or fact common to class members predominate' begins, of course, with the elements of the underlying cause of action." Erica P. John Fund, Inc. v. Halliburton Co., 131 S. Ct. 2179, 2181 (2011). "In determining whether common questions predominate, the Court identifies the substantive issues related to plaintiff's claims (both the causes of action and affirmative defenses); then considers the proof necessary to establish each element of the claim or defense; and considers how these issues would be tried." Gaudin v. Saxon Mortgage Servs., Inc., No. 11-CV-01663-JST, 2013 WL 4029043 (N.D. Cal. Aug. 5, 2013) (citing Cal. Prac. Guide Fed. Civ. Pro. Before Trial Ch. 10-C § 10:412). The predominance analysis is a pragmatic one: it is not a numerical analysis and instead is a qualitative assessment of overriding issues in the case, despite the existence of individual questions. See Newberg on Class Actions, § 4.51; Butler v. Sears, Roebuck & Co., 727 F.3d 796, 801 (7th Cir. 2013) (finding a single, central issue of liability in a class action involving defects in washing machines; the two central defects were mold and the control unit; those differences could be addressed by subclassing; differences in damages can be addressed in individual hearings, in settlement negotiations, or by creation of subclasses), cert. denied, 134 S. Ct. 1277 (2014).
As discussed in the section on commonality, Plaintiffs allege a common claim and the same injury: disclosure of their PII by the transmission of the Facebook ID cookies and their watched videos in violation of the VPPA, 18 U.S.C. § 2710. Hulu argues that there can be no predominance of that common claim over individual issues because each plaintiff must prove that his or her identity was "reversed engineered" from the data sent to Facebook. See Opp'n, ECF No. 150-3 at 17. But as narrowed in the summary judgment order, the theory of disclosure to Facebook is not a reverse engineering theory and instead is a theory of direct disclosure to Facebook of its users' actual identities on Facebook and their watched videos. See ECF No. 194 at 19-21. Indeed, the court agreed with Hulu (and granted summary judgment to Hulu on the comScore disclosure) that disclosure of anonymous information was not the linking of a specific, identified person to his video watching habits that would violate the VPPA. See id. at 18-19. By contrast, Hulu's transmission of the Facebook ID cookies and the title of the watched video possibly is information that identified the Hulu user's actual identity on Facebook. See id. at 19-21. There is a material issue of fact about whether this was sufficient to identify consumers and thus violate the VPPA. See id. at 21-23. Moreover, there are material issues of fact about whether Hulu knew it was disclosing PII in violation of the VPPA. See id. at 22-23. If it knew, then (depending on the facts) there might be a VPPA violation. See id. If it did not, then there would not be a VPPA violation.
Hulu also argues that issues that defeat predominance are whether class members (1) registered with a pseudonym, (2) watched videos while logged into Facebook, (3) disclosed their choices to Facebook voluntarily, (4) allowed others to use their Hulu account, and (5) installed ad-blocking software, cleared browser cookies before watching videos, or set browsers to block third-party cookies.
First, as to registering with a pseudonym, this does not defeat predominance (just as it did not defeat typicality). The use of a pseudonym on Hulu does not affect the inquiry about whether Hulu knowingly sent a Hulu user's Facebook ID to Facebook together with the titles of his watched videos.
Second, as to Hulu users' watching videos while logged into Facebook, Hulu's argument is that this is consent to disclosure. See Opposition, ECF No. 150-3 at 23. But the issue is Hulu's alleged unauthorized disclosure. Absent the informed, written consent required by the VPPA "given at the time the disclosure is sought," a disclosure of PII violates the VPPA. See 18 U.S.C. § 2710(a)(b)(2) (2012) (later amended in 2013 to broaden the consent provisions). It is one thing to acknowledge the placement or use of cookies. It is another to interpret a data policy as the informed, written consent that the VPPA required during the class period. As the summary judgment order concluded, there is no evidence in the record that Facebook's data policies affect this analysis or are informed, written consent under the VPPA. See ECF No. 194 at 26.
Third, and similarly, as discussed above, the record does not allow the court to conclude that a plaintiff's independent posting on Facebook is an informed, written consent under the VPPA. Moreover, the claims here are about Hulu's alleged unauthorized disclosure of PII during the loading of the Like button when a Hulu user launched the watch page. A user's independent actions do not alter the analysis of whether Hulu knowingly disclosed PII.
Fourth, allowing someone else to use one's Hulu account does not mean that a Hulu user cannot complain about Hulu's disclosure of the user's PII. Limiting the injury to one disclosure avoids proof issues that might exist with multiple disclosures and tying a disclosure to a particular user.
Fifth, the main issue with predominance is cookie clearing or blocking. As described above, the remaining theory of disclosure is the transmission of the c_user cookie, which includes the Facebook ID. That cookie was transmitted only when a Hulu user watched a video on hulu.com having used the same computer and web browser to log into Facebook in the previous four weeks using default settings. See JSUF #22; Calandrino Decl. ¶¶ 66-67. Also, according to Hulu's expert Peter Weitzman, the c_user cookie is cleared if the Facebook "keep me logged in" box is not checked, if the user manually cleared cookies after the Facebook session and before the Hulu session, or if the user used cookie-blocking or ad-blocking software that prevented disclosures. See supra Statement.
Plaintiffs point out that Mr. Weitzman tested only current versions of blockers and ad-blocking tools, not those in effect during the class period. See Weitzman Dep., Tersigni Decl. Ex. 6, ECF No. 170 at 77:3-17. It may be that this does not matter, but the record is silent on this point.
Plaintiffs also argue that Mr. Weitzman relied only on incomplete versions of their session captures regarding the loading of the Like button and the disclosure of the user's Facebook ID in the non-cookie portion of Hulu's request to Hulu to load the Like button. See Plaintiff's Reply, ECF No. 168 at 13. In support of this argument, the brief cites the Wills Decl., ECF No. 160, ¶ 47. One cannot tell from the Wills Declaration whether the disclosure of the Facebook ID is in a cookie or non-cookie portion of Hulu's request to load the Like button. But Plaintiffs' expert Joseph Calandrino's declaration refers to a transmission of the Facebook ID of the currently-logged-in Facebook user via the c_user cookie or the lu cookie. Calandrino Decl., ECF No. 160-5, ¶¶ 66, 71. The record does not contain any dispute that (1) the relevant disclosure is the transmission of the c_user cookie, and (2) if the c_user cookie is cleared, then it cannot be transmitted to Facebook when the Like button loads.
Hulu also employed technology to block attempts to block ad blockers, and Plaintiffs' inference is that there is no evidence that ad blockers were effective. Plaintiffs' Reply, ECF No. 168 at 10. Plaintiffs point to comScore's testimony that its cookies always came through. Johnson Dep., Tersigni Decl. Ex. 3, ECF No. 169, at 80-91.
Finally, Plaintiffs dispute the reliability of Mr. Weitzman's survey result that 65.3% of respondents used ad-blocking software and cite a different study that as of May 2012, the percentage of Internet users in the U.S. using ad-blocking software was under ten percent. Id. at 14 n.12 (citing Tersigni Decl. Ex. 18, Ad-Blocking, Measured, ClarityRay, May 2012, at 4).
In the end, the substantial issues about remaining logged into Facebook and clearing and blocking cookies mean that the court cannot conclude on this record that the common issues predominate over the individual ones. Perhaps subclasses could address the use (or lack of use) of ad-blockers or browser technologies, or whether users stayed logged into Facebook. Plaintiffs have not proposed that subclassing. Given that even the court's best guess at subclassing would not address the issues about ascertainability and identify the class members, the court finds on this record that common issues do not predominate.
2. Rule 23(b)(3) Superiority
Rule 23(b)(3) requires a court to assess whether class treatment is "superior to other available methods for the fair and efficient adjudication of the controversy." Factors to consider in assessing superiority include the following: (A) the class members' interests in individually controlling the prosecution or defense of separate actions; (B) the extent and nature of any litigation concerning the controversy already begun by or against class members; (C) the desirability or undesirability of concentrating the litigation of the claims in the particular forum; and (D) the likely difficulties in managing a class action. Fed. R. Civ. P. 23(b)(3). Aggregation in a class action can be efficient when many individuals have small damages because absent a class suit, it is unlikely that any of the claimants will be accorded relief. See Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 619 (1997).
Here, the factors supporting the superiority of a class action are the small individual statutory damages and the putative class's common theory of liability. Either Hulu transmitted PII by its policy and practice regarding the loading of the Like button, or it did not. But based on the court's holding that a class is not ascertainable on this record, class treatment is not superior.
III. HULU'S DUE PROCESS ARGUMENT
Hulu argues that certifying the class would result in statutory damages of $2,500 per class member, without any evidence that a class member was injured, for a total damages award of billions of dollars. Opposition, ECF No. 150-3 at 29. That award is wildly disproportionate to any adverse effects class members suffered, and it shocks the conscience. Id. (citing Kline v. Coldwell Banker & Co., 508 F.2d 226, 234-35 (9th Cir. 1974)). Kline is a case where the Ninth Circuit upheld the district court's refusal to certify a case involving $750 million in statutory treble damages, noting that each claim involved only minimal damages.
It can be a legitimate concern that the potential for a devastatingly large damages award, out of proportion to the actual harm suffered by members of the plaintiff class, may raise due process issues. Parker v. Time Warner Entertainment Co., 331 F.3d 13, 22 (2nd Cir. 2003) (addressing claims for transmission of personally-identifiable subscriber information in violation of the Cable Consumer Protection Act and state consumer protection laws). The aggregation of statutory damages claims potentially distorts the purpose of both statutory damages and class actions, and if it does, it creates a potentially enormous aggregate recovery for plaintiffs that in turn may induce an unfair settlement. Id. In a sufficiently serious case, a defendant might invoke the Due Process clause to reduce the statutory award. Id. The Second Circuit has held that a defendant might invoke the Due Process clause, "not to prevent certification, but to nullify that effect and reduce the aggregate damage award." Id.
Another approach to the calamitous damages problem is to certify a class, allow it to proceed, and then invoke the Due Process clause to cap damages within a reasonable realm if Plaintiffs prevail. Newburg on Class Actions, § 4.83. In a putative class action against a potential creditor for accessing consumers' credit history without permission, the Seventh Circuit has held that such "constitutional limits are best applied after a class has been certified." Murray v. GMAC Mortg. Corp., 434 F.3d 948, 954 (7th Cir. 2006). "Then a judge may evaluate the defendant's overall conduct and control its total exposure. Reducing recovery by forcing everyone to litigate independently - so that constitutional bounds are not tested, because the statute cannot be enforced by more than a handful of victims - has little to recommend it." Id.; accord Bateman v. American Multi-Cinema, Inc., 623 F.3d 708 (9th Cir. 2001) (in a class action against a movie theater chain for violations of the Fair and Accurate Credit Transactions Act, court acknowledged possibility of due process concerns by noting that "reserv[ing] judgment as to whether a district court may reduce damages award as unconstitutionally excessive" but held that "it is not appropriate to evaluate the excessiveness of the award [at the class certification stage] . . . . Because we do not know what amount of damages [plaintiffs] will seek nor how many plaintiffs will ultimately claim the benefit of any damages awarded should plaintiffs prevail, any evaluation of AMC's potential liability at this stage is unduly speculative.").
Given its denial of class certification on this record, the court does not reach this issue. That being said, likely it is one best addressed after a class is certified.
CONCLUSION
The court denies Plaintiffs' motion for class certification without prejudice and denies Plaintiffs' motion for appointment of the class representatives and class counsel as moot.
This disposes of ECF No. 111.
IT IS SO ORDERED.
__________
LAUREL BEELER
United States Magistrate Judge