
    Mike HARRIS and Jeff Dunstan, Plaintiffs, v. COMSCORE, INC., Defendant.
    No. 11 C 5807.
    United States District Court, N.D. Illinois, Eastern Division.
    April 2, 2013.
    
      Jay Edelson, Ari Jonathan Scharg, Benjamin Scott Thomassen, Chandler Randolph Givens, Rafey S. Balabanian, Edelson LLC, Chicago, IL, for Jeff Dunstan and Mike Harris.
    Andrew H. Schapiro, Robyn M. Bowland, Stephen A. Swedlow, Quinn, Emanuel, Urquhart & Sullivan, LLP, Amanda S. Williamson, K & L Gates, LLP, Mark William Wallin, Paul F. Stack, Stack & O’Connor Chartered, Chicago, IL, for comScore, Inc.
   MEMORANDUM OPINION AND ORDER

JAMES F. HOLDERMAN, Chief Judge:

In their Second Amended Complaint, plaintiffs Mike Harris and Jeff Dunstan allege, as individuals and on behalf of a class of similarly situated individuals, that comScore, Inc. (“comScore”) improperly obtained and used personal information from their computers after they downloaded and installed comScore’s software. (Dkt. No. 169.) They assert violations of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701(a)(1), (2) (Count I), the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(1)(a), (d) (Count II), and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C) (Count III). They also assert a claim for common law unjust enrichment (Count IV). Currently pending before the court is plaintiffs’ motion for class certification (Dkt. No. 152), which requests that the court certify the following class and subclass:

Class: All individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners.
Subclass: All Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.

For the reasons explained below, that motion is granted in part and denied in part.

BACKGROUND

Defendant comScore, Inc. collects data about the activities of consumers on the internet, analyzes the data, and sells it to its clients. (Dkt. No. 140, at 2.) ComScore gathers its data through a program called OSSProxy, which, if installed on a computer, constantly collects data about the activity on the computer and sends it back to comScore’s servers. (Dkt. No. 155, Ex. C, at 3-6.) The OSSProxy software collects a variety of information about a consumer’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential information, and the contents of PDF files. (Id.) ComScore has been using OSSProxy in its current form, aside from immaterial variations, since 2005. (See Dkt. No. 155, Ex. A, at 194:8-195:16 (explaining that in 2005 comScore stopped routing the information from the consumers’ computers through proxy servers).)

One primary way that comScore distributes OSSProxy is through cooperation with “bundlers” who provide free digital products to consumers on the internet. (Dkt. No. 155, Ex. D, at 6.) During the process of downloading the bundlers’ free software, the consumer has the opportunity to download OSSProxy. (See id.) The process by which OSSProxy is presented to the consumer is “materially identical,” regardless of which bundler provides the digital product the consumer is downloading. (Id.) Specifically, during the installation of the free digital product, the consumer is presented with a short statement (“the Downloading Statement”) regarding OSSProxy under one of several brand names, including “RelevantKnowledge, PremierOpinion, PermissionResearch, OpinionSquare, and MarketScore.” (Id. at 9-10; Dkt. No. 180 ¶ 34.) A representative Downloading Statement reads as follows:

In order to provide this free download, RelevantKnowledge software, provided by TMRG, Inc., a comScore, Inc. company, is included in this download. This software allows millions of participants in an online market research community to voice their opinions by allowing their online browsing and purchasing behavior to be monitored, collected, aggregated, and once anonymized, used to generate market reports which our clients use to understand Internet trends and patterns and other market research purposes. The information which is monitored and collected includes internet usage information, basic demographic information, certain hardware, software, computer configuration and application usage information about the computer on which you install RelevantKnowledge. We may use the information that we monitor, such as name and address, to better understand your household demographics; for example, we may combine the information that you provide us with additional information from consumer data brokers and other data sources in accordance with our privacy policy. We make commercially viable efforts to automatically filter confidential personally identifiable information and to purge our databases of such information about our panelists when inadvertently collected. By clicking Accept you acknowledge that you are 18 years of age or older, an authorized user of the computer on which you are installing this application, and that you have read, agreed to, and have obtained the consent of all computer and TV users to the terms and conditions of the Privacy Statement and User License Agreement.

(Id. at 10.) In general, underneath that message, the consumer is offered a link to the “Privacy Statement and User License Agreement” (the “ULA”) and two boxes reading “Accept” and “Decline.” (Id.) The consumer must check either “Accept” or “Decline” before he may click “Next” to proceed with downloading the free digital product. (Id.) OSSProxy will download and install on the consumer’s computer only if the consumer checks “Accept.” (Id.) The free digital product will download and install regardless of which box the consumer checks, although that fact is not apparent to the consumer. (Id.)

The ULA, which is materially identical regardless of which bundler provides the digital product the consumer is downloading, contains terms governing which information OSSProxy will collect from the consumer’s computer and how that information will be used. (Dkt. No. 155, Ex. A, at 127:10-12; 134:6-18.) Significantly, the ULA indicates that it is an agreement between the consumer and a “sponsor”—usually another company connected in some way with comScore— but, in most cases, also states that comScore will use the information collected. (See Dkt. No. 155, Ex. I, at 1, 6.) The plaintiffs allege that comScore has exceeded the scope of the consumer’s consent to monitoring in the ULA by, among other things:

• designing its software to merely “fuzzify” or “obscure” confidential information collected, rather than “mak[ing] commercially viable efforts to automatically filter” that information (Dkt. No. 154, at 13-14);
• failing to “make commercially viable efforts to purge” confidential information that it does collect from its database (Dkt. No. 154, at 15-16);
• intercepting phone numbers, social security numbers, user names, passwords, bank account numbers, credit card numbers, and other demographic information (Dkt. No. 155, Ex. C, at 2-6);
• intercepting the previous 25 websites accessed by a consumer before installation of comScore’s software, the names of every file on the consumer’s computer, the contents of iPod playlists on the computer, the web browsing history of smart-phones synced with the computer, and portions of every PDF viewed by the user during web browsing sessions (Id.);
• selling the data collected from the consumer’s computer (Dkt. No. 154, at 24.)

(See also Dkt. No. 169 ¶¶ 35-63.)

Named plaintiffs Jeff Dunstan and Mike Harris each downloaded and installed OSSProxy onto their computers after downloading a free digital product offered by one of comScore’s bundlers. (Dkt. No. 155, Ex. P, No. 1; Dkt. No. 155, Ex. Q, No. 1.) Harris downloaded OSSProxy on March 9, 2010, immediately noticed it, and tried to remove it. (Dkt. No. 176, Ex. P, at 83:14-16; 98:18-99:15; 103:24-104:10.) Harris asserts that he downloaded OSSProxy from the website macupdate.com. (Dkt. No. 176, Ex. P, at 71:15-18.) Harris’s profile on that website indicates that he never downloaded any programs (Dkt. No. 176, Ex. Q (listing the number of downloads as zero)), but he may have downloaded the program without logging into his account (See Dkt. No. 185 ¶¶ 5-8). Harris no longer has the computer he used to download the OSSProxy software. (Dkt. No. 176, Ex. P, at 43:19-44:4.)

Dunstan downloaded comScore’s OSSProxy software in September of 2010. (Dkt. No. 176, Ex. S, No. 6.) Dunstan alleges that OSSProxy caused his computer to lock up and interfered with his internet access. (Id.) Dunstan used a program called “PC Tools Spyware Doctor” to remove OSSProxy within about one day of downloading it. (Id.; Dkt. No. 176, Ex. T, No. 6.) Dunstan’s computer may have been infected by viruses at the time that he downloaded OSSProxy, which may also have contributed to his computer problems. (See Dkt. No. 176, Ex. U.) Dunstan’s wife had access to his computer at the time of the download, and may have been the one who initiated the download. (Dkt. No. 176, Ex. V., at 26:7-18.)

LEGAL STANDARD

The plaintiffs bear the burden of demonstrating that class certification is appropriate. Oshana v. Coca-Cola Co., 472 F.3d 506, 513 (7th Cir.2006). Class certification under Rule 23 involves two steps. First, the plaintiffs’ claim must satisfy the numerosity, commonality, typicality, and adequacy of representation requirements of Rule 23(a). Id. In addition to the four explicit requirements listed in Rule 23(a), during the first step “[t]he plaintiff must also show that the class is indeed identifiable as a class,” a requirement known as the “ascertainability” requirement. Id. At the second step, the claim must meet one of the conditions of Rule 23(b). Id. Here, the plaintiffs are proceeding under Rule 23(b)(3), which provides that a class action may be maintained if “the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3).

ANALYSIS

For the reasons explained below, the court determines that the plaintiffs’ proposed Class and Subclass cannot be certified with respect to the plaintiffs’ claims for state law unjust enrichment. See Fed.R.Civ.P. 23(c)(4) (allowing the court to certify a class action with respect to only particular issues). Specifically, the unjust enrichment claims do not satisfy the requirement of Rule 23(b)(3) that a class action be superior to other available methods for fairly and efficiently adjudicating the controversy. The court will first explain why the common law unjust enrichment claims cannot be certified, before explaining why the remaining claims can be certified for class treatment.

I. Unjust Enrichment

As many courts in this district have recognized, unjust enrichment claims are generally unsuitable for class actions because they “pose insurmountable choice-of-law problems.” In re Aqua Dots Prods. Liab. Litig., 270 F.R.D. 377, 386 (N.D.Ill.2010) (Coar, J.). The cause of those problems is that “the law of unjust enrichment varies too much from state to state to be amenable to national or even to multistate class treatment.” Id.; see also Vulcan Golf, LLC v. Google Inc., 254 F.R.D. 521, 533 (N.D.Ill. 2008) (Manning, J.) (collecting cases). As a result, “federal courts have generally refused to certify a nationwide class based upon a theory of unjust enrichment.” Thompson v. Jiffy Lube Int’l, Inc., 250 F.R.D. 607, 626 (D.Kan.2008).

The choice-of-law problem is present here, because the proposed Class and Subclass are not limited by geography and likely include plaintiffs from all 50 states, and even some foreign countries. The plaintiffs propose no solution to allow the court to manage the variety of laws that may be applicable to the Class, other than to suggest that the court certify two subclasses under California and Illinois law. (Dkt. No. 184, at 19.) That solution is plainly inadequate in light of the geographical diversity of the plaintiffs and the variation in applicable law. Accordingly, the court determines that the plaintiffs have not met their burden of establishing that a class action is the superior method for fairly and efficiently adjudicating this controversy. See Fed.R.Civ.P. 23(b)(3). The court therefore denies the class certification motion with respect to the unjust enrichment claims.

II. Certification of the Federal Statutory Claims

Each of the other three claims alleged in Counts I, II, and III of plaintiffs’ Second Amended Complaint rely on federal statutes that provide protection against the unauthorized interception of information from the plaintiffs’ computers. As relevant here, the SCA provides a private action against any person who

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

18 U.S.C. § 2701(a). The ECPA does the same with respect to any person who

(a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; [or]
(d) intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection

18 U.S.C. § 2511(1)(a). Finally, the Computer Fraud and Abuse Act creates a private right of action against “[w]hoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). Each of the three statutes provides an exception to liability if the person obtaining the information has the consent of the computer user. See 18 U.S.C. § 2701(c); 18 U.S.C. § 2511(2)(e); 18 U.S.C. § 1030(e)(6).

The court will now address in turn each of the requirements for class certification of those federal statutory claims.

A. Numerosity

Rule 23(a)(1)’s requirement that the class be “so numerous that joinder of all members is impracticable” is plainly met here. The total number of computers reporting data to comScore each year with the OSSProxy program has run into the hundreds of thousands each year since 2008. (Dkt. No. 155, Ex. B, No. 7.) In addition, evidence shows that OSSProxy was installed on millions of computers between 2008 and 2011. (Id.) ComScore does not dispute that the number of potential class members easily satisfies the numerosity requirement.

B. Commonality

Next, the plaintiffs must satisfy Rule 23(a)(2)’s requirement that “there are questions of law or fact common to the class.” The plaintiffs need not establish multiple common questions at this stage, because “for purposes of Rule 23(a)(2) even a single common question will do.” Wal-Mart Stores, Inc. v. Dukes, — U.S. —, 131 S.Ct. 2541, 2556, 180 L.Ed.2d 374 (2011) (citation, quotation marks, and alterations omitted). In addition, “what matters to class certification is not the raising of common ‘questions’—even in droves—but, rather the capacity of a class-wide proceeding to generate common answers apt to drive the resolution of the litigation.” Id. at 2551 (citation, quotation marks, and alteration omitted).

Here, the plaintiffs raise a variety of common questions that can be resolved on a classwide basis. Most obviously, each Class member agreed to a form contract (made up of the ULA and the Downloading Statement), as has each Subclass member (the Downloading Statement only). It is well established that “claims arising from interpretations of a form contract appear to present the classic case for treatment as a class action.” Keele v. Wexler, 149 F.3d 589, 594 (7th Cir.1998) (citation and quotation marks omitted); accord Lifanda v. Elmhurst Dodge, No. 99-cv-5830, 2001 WL 755189, at *3 (N.D.Ill. July 2, 2001) (Hibbler, J.) (“Courts in this Circuit have repeatedly held that ‘claims arising out of form contracts are particularly appropriate for class action treatment.’” (citations omitted)). Thus, for example, the question of whether comScore is a party to the ULA and the Downloading Statement in light of the fact that it is not listed as a contracting party can be resolved consistently for the entire class. Similarly, the question of what rights comScore has under the ULA and the Downloading Statement as a third-party beneficiary to use the information OSSProxy collects is common to the entire class. Yet another common question is the scope of the consent the plaintiffs granted to comScore by agreeing to the ULA and the Downloading Statement.

ComScore contends that the scope of consent will vary for each plaintiff depending on his subjective understanding of the agreement and the surrounding circumstances. (Dkt. No. 177, at 15.) In support, comScore notes that at least under the ECPA, consent need not be explicit, but can also be implied from the surrounding circumstances. See Shefts v. Petrakis, 758 F.Supp.2d 620, 630 (C.D.Ill.2010) (citing Williams v. Poulos, 11 F.3d 271, 281 (1st Cir.1993)). But that rule has no place where a party manifested consent through the adoption of a form contract. See Nat’l Prod. Workers Union Ins. Trust v. Cigna Corp., 665 F.3d 897, 901 (7th Cir.2011) (“In assessing whether contracting parties have mutually assented to a contract, Illinois courts have long cautioned that the parties’ subjective intentions are irrelevant. Rather, courts must evaluate mutual assent based on the objective conduct of the parties.” (citation omitted)); Boundas v. Abercrombie & Fitch Stores, Inc., 280 F.R.D. 408, 413-14 (N.D.Ill. 2012) (Feinerman, J.) (“Where there are objective indicia of the contract’s terms ... the manner in which parties become aware of a contractual opportunity and their subjective perceptions of the resulting contract are not relevant.”). Here, each Class member engaged in a substantively identical process to download OSSProxy, as did each Subclass member (aside from not being presented with a link to the ULA). The scope of the plaintiffs’ consent here is determined by that identical process, the ULA, and the Downloading Statement, and is therefore common across the Class and Subclass, respectively.

Another common issue is whether OSSProxy’s data collection violates the terms of the ULA and the Downloading Statement. The OSSProxy software operates in a substantively identical fashion on all computers, regardless of the brand name under which it is distributed or the operating system of the computer. (Dkt. No. 155, Ex. A, at 91:8-92:9; Dkt. No. 155, Ex. C, at 2.) Thus, the software attempts to collect the same information from all computers, and the question of whether that collection exceeds the scope of consent is common to all plaintiffs.

ComScore points out that OSSProxy will not collect certain categories of data from plaintiffs who never input data in those categories into their computers. (Dkt. No. 177, at 16.) For example, OSSProxy will not collect credit card numbers from plaintiffs who never input credit card numbers into their computers, nor will it collect the contents of iTunes playlists from plaintiffs who do not use the iTunes software.

ComScore is correct that the question of whether OSSProxy’s data collection exceeds the scope of consent in certain respects may depend on the behavior of each individual plaintiff. But other potential violations of the scope of consent are common to all plaintiffs regardless of individual behavior, such as the allegation that OSSProxy collects the names of every file located on a user’s computer and the names of the 25 websites the user visited prior to downloading OSSProxy, or the allegation that OSSProxy exceeds the scope of consent by selling the data it collects. Moreover, the plaintiffs need prove only one incident of OSSProxy exceeding the scope of the consent to establish violations of the ECPA, the SCA, and the CFAA. It is thus likely that this issue will also be resolved on a classwide basis. The plaintiffs have demonstrated ample issues common to the entire class to satisfy Rule 23(a)(2).

C. Typicality

Next, the plaintiffs must demonstrate that “the claims or defenses of the representative parties are typical of the claims or defenses of the class.” The typicality requirement is closely related to commonality, and a “plaintiff’s claim is typical if it arises from the same event or practice or course of conduct that gives rise to the claims of other class members and his or her claims are based on the same legal theory.” Keele, 149 F.3d at 595. Here, the plaintiffs assert that both Dunstan and Harris downloaded the OSSProxy software onto their computers after downloading a free digital product from one of comScore’s bundling partners. Both used a substantively identical process to download OSSProxy, except that Harris was not presented with a functioning hyperlink to the ULA, while Dunstan was. According to the plaintiffs, Harris’s claims are thus typical of the Subclass, while Dunstan’s are typical of the Class.

In response, comScore provides a list of “unique problems” it believes arise in Harris’s and Dunstan’s cases, making them atypical. (Dkt. No. 177, at 28-29.) Most of those problems relate to the issue of whether Harris and Dunstan actually downloaded the OSSProxy software. Specifically, despite Harris’s and Dunstan’s testimony that they downloaded OSSProxy, comScore notes that neither Dunstan nor Harris specifically remembers downloading the free digital product accompanying OSSProxy. (Dkt. No. 176, Ex. P, at 85:24-86:25; 91:2-9; 95:16-96:6; Dkt. No. 176, Ex. V, at 26:7-9; 30:6-24; 33:9-22.) In addition, Harris no longer owns the computer he used to download OSSProxy, and his account on macupdate.com does not reflect the download, leaving no way to verify his testimony. (Dkt. No. 176, Ex. P, at 43:19-44:4; Dkt. No. 176, Ex. Q.) Dunstan, on the other hand, testified that his wife used the same computer he did (Dkt. No. 176, Ex. Y, at 26:10-18), and comScore suggests that his wife may actually have downloaded the software, rather than him.

All of these arguments are based on speculation. ComScore provides no actual evidence showing that Harris and Dunstan did not download OSSProxy. Harris’s and Dunstan’s testimony that they downloaded OSSProxy is thus unrefuted, and provides ample evidence that their claims are typical.

Next, comScore points out that Harris had OSSProxy installed on his computer for only a short period. (Dkt. No. 176, Ex. P, at 103:24-104:10.) That fact is irrelevant to Harris’s ability to represent the class, however, for the ECPA, the SCA, and the CFAA do not require a violation to last for any particular length of time, and comScore does not explain how the length of a violation might be relevant.

Finally, comScore points to Dunstan’s and Harris’s testimony that they each had problems with their computers apart from the OSSProxy software (from viruses or age), and that OSSProxy thus did not cause any decline in the performance of Dunstan’s and Harris’s computers. (Dkt. No. 176, Ex. P, at 109:12-25; Dkt. No. 176, Ex. V, at 40:16-22; 62:8-11.) That testimony is relevant, if at all, only to the question of damages, and does not significantly alter the typicality of Dunstan’s and Harris’s claims. Radmanovich v. Combined Ins. Co. of Am., 216 F.R.D. 424, 432 (N.D.Ill.2003) (Alesia, J.) (stating that “the mere existence of factual differences will not preclude class certification” so long as “the class members share the same essential characteristics”).

D. Adequate Representation

The fourth requirement under Rule 23(a) is that the named plaintiffs will “fairly and adequately protect the interests of the class.” To meet that requirement, the plaintiffs must show that “(1) the representative does not have conflicting or antagonistic interests compared with the class as a whole; (2) the representative is sufficiently interested in the case outcome to ensure vigorous advocacy; and (3) class counsel is experienced, competent, qualified and able to conduct the litigation vigorously.” Matthews v. United Retail, Inc., 248 F.R.D. 210, 215 (N.D.Ill.2008) (Castillo, J.) (citation and quotation marks omitted).

ComScore does not dispute that the adequacy requirement is met. In addition, the court is not aware that Harris and Dunstan have any conflicting interests, Harris and Dunstan have vigorously participated in this case thus far, and class counsel are qualified to represent the class. The court determines that the adequacy requirement is met.

E. Ascertainability

In addition to the four explicit requirements listed in Rule 23(a), “[t]he plaintiff must also show that the class is indeed identifiable as a class.” Oshana, 472 F.3d at 513; see also Simer v. Rios, 661 F.2d 655, 669 (7th Cir.1981) (“It is axiomatic that for a class action to be certified a ‘class’ must exist.”). “An identifiable class exists if its members can be ascertained by reference to objective criteria.” Lau v. Arrow Fin. Servs., LLC, 245 F.R.D. 620, 624 (N.D.Ill.2007) (Guzman, J.) (citation and quotation marks omitted). The Third Circuit has explained the purposes of the ascertainability requirement:

The ascertainability requirement serves several important objectives. First, it eliminates serious administrative burdens that are incongruous with the efficiencies expected in a class action by insisting on the easy identification of class members. Second, it protects absent class members by facilitating the best notice practicable under Rule 23(c)(2) in a Rule 23(b)(3) action. Third, it protects defendants by ensuring that those persons who will be bound by the final judgment are clearly identifiable.

Marcus v. BMW of N. Am., LLC, 687 F.3d 583, 593 (3d Cir.2012) (citations and quotation marks omitted).

Here, the parties agree that comScore possesses contact information, in the form of e-mail addresses, for some portion of the proposed Class and Subclass. (Dkt. No. 177, at 27; Dkt. No. 152, at 19 n. 27.) That portion of the proposed Class and Subclass, at least, is readily ascertainable. For the rest of the Class and Subclass, comScore asserts that the only way to determine class membership is to require each alleged class member to submit an individual affidavit, which comScore will be entitled to challenge. ComScore asserts that this process would be unwieldy.

ComScore is correct that it is sometimes improper to allow class membership to be established only by the assertion of alleged class members without the corroboration of any of the defendant’s records. Marcus, 687 F.3d at 594 (“We caution, however, against approving a method that would amount to no more than ascertaining by potential class members’ say so.”); Sadler v. Midland Credit Mgmt., Inc., No. 06 C 5045, 2008 WL 2692274, at *6 (N.D.Ill. July 3, 2008) (Pallmeyer, J.) (denying class certification when defendant “would be required to evaluate the individual facts of each account” in its records); see also Clavell v. Midland Funding LLC, No. 10-3593, 2011 WL 2462046, at *4 (E.D.Pa. June 21, 2011); In re Wal-Mart Stores, Inc. Wage & Hour Litig., No. C 06-2069, 2008 WL 413749, at *8 (N.D.Cal. Feb. 13, 2008); Deitz v. Comcast Corp., No. C 06-06352, 2007 WL 2015440, at *8 (N.D.Cal. July 11, 2007). In cases in which the burden of an affidavit procedure is likely to be minimal, however, courts have allowed portions of a class to establish class membership by affidavit or claim form. Boundas, 280 F.R.D. at 417 (“[A]nybody claiming class membership on that basis will be required to submit an appropriate affidavit, which can be evaluated during the claims administration process if Boundas prevails at trial.”); see also Carrera v. Bayer Corp., No. 08-4716, 2011 WL 6878376, at *4 (D.N.J. Nov. 22, 2011). As a leading treatise explains: “Methods of claim verification may also vary with the ease of documenting claims by individual members, and also with the size of the claims involved. A simple statement or affidavit may be sufficient where claims are small or are not amenable to ready verification.” Alba Conte & Herbert B. Newberg, 3 Newberg on Class Actions § 10:12 (4th ed. rev.2012).

Here, the bulk of the class membership will likely be determined by comScore’s records, making evaluation of any additional plaintiffs claiming membership by affidavit manageable. If further litigation reveals that the portion of the class asserting membership by affidavit is excessively large, the court can consider at that time whether to limit the class definition to only those whose downloading of OSSProxy is reflected in comScore’s records. See Shvartsman v. Apfel, 138 F.3d 1196, 1201 (7th Cir.1998) (appropriate for district court to limit definition of class).

F. Rule 23(b)(3): Predominance and Superiority

Finally, the plaintiffs here must establish that “the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.” Fed.R.Civ.P. 23(b)(3). Rule 23(b)(3) “tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation,” and is “far more demanding” than Rule 23(a)’s commonality requirement. Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 623, 117 S.Ct. 2231, 138 L.Ed.2d 689 (1997).

Most of the issues that comScore alleges require individual adjudication and make administration of a class action infeasible have already been addressed. The issue of whether each individual plaintiff downloaded OSSProxy will be determined primarily by comScore’s records, and if substantial individual adjudication is necessary the court will consider appropriate class limitations. The issue thus presents no obstacle to class adjudication. In addition, the issues of whether plaintiffs consented to OSSProxy’s data collection, the scope of that consent, and whether comScore exceeded that consent can all be determined on a class basis, as described above.

ComScore also asserts that the statutes of limitations present individual issues that preclude class certification. The CFAA, SCA, and ECPA all have two-year statutes of limitations that do not begin to run until a plaintiff discovers the potential violation. See 18 U.S.C. § 1030(g) (CFAA); 18 U.S.C. § 2707(f) (SCA); 18 U.S.C. § 2520(e) (ECPA). ComScore argues that adjudication of most plaintiffs’ claims will thus require a case-by-case determination of when they discovered comScore’s violation.

In practice, however, the statute of limitations issue is unlikely to present significant difficulties. First, the issue only arises for plaintiffs who downloaded OSSProxy before August 23, 2009 (two years before this suit was filed). Second, comScore’s data collection is ongoing, so even among those plaintiffs, all those who still have OSSProxy installed on their computer (or who had it installed at any time after August 23, 2009) are within the limitations period. Third, it is unlikely that any of the remaining plaintiffs were sufficiently aware of OSSProxy’s operations to trigger the limitations period. Violations of the ECPA, SCA, and CFAA require only collecting information without the plaintiffs’ consent. No plaintiff would be aware of the information OSSProxy was collecting unless he analyzed the computer code of the program itself. Few potential class members likely fall into this category. The statute of limitations issue thus does not provide reason to deny class certification. Cf. In re Monumental Life Ins. Co., 365 F.3d 408, 420 (5th Cir.2004) (Smith, J.) (holding that the limitations issue does not preclude class certification in a civil rights case when “[d]oubtless most class members ... remain unaware of defendants’ discriminatory practices” because “[t]o hold that each class member must be deposed as to precisely when, if at all, he learned of defendants’ practices would be tantamount to adopting a per se rule that civil rights cases involving deception or concealment cannot be certified outside a two- or three-year period”).

In addition, comScore asserts that the issue of whether each individual plaintiff suffered damage or loss from comScore’s actions precludes certification. That argument has no applicability to the ECPA or SCA claims, both of which provide for statutory damages. 18 U.S.C. § 2520(c); 18 U.S.C. § 2707(e). The CFAA is different, however, in that it grants a civil action only to “[a]ny person who suffers damage or loss.” 18 U.S.C. § 1030(g). In addition, in this case, the plaintiffs must satisfy the requirement of 18 U.S.C. § 1030(c)(4)(A)(i)(I) that each actionable offense lead to a “loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value.”

The Seventh Circuit has recently reiterated that individual factual damages issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually:

A class action is the more efficient procedure for determining liability and damages in a case such as this, involving a defect that may have imposed costs on tens of thousands of consumers yet not a cost to any one of them large enough to justify the expense of an individual suit. If necessary a determination of liability could be followed by individual hearings to determine the damages sustained by each class member.... But probably the parties would agree on a schedule of damages.... The class action procedure would be efficient not only in cost, but also in efficacy, if we are right that the stakes in an individual case would be too small to justify the expense of suing, in which event denial of class certification would preclude any relief.

Butler v. Sears, Roebuck & Co., 702 F.3d 359, 362 (7th Cir.2012). That rationale is applicable here as well, where it is far more efficient to resolve all of the common issues in a single proceeding, and then to hold individual hearings on damages if necessary, than it would be to litigate all of the common issues repeatedly in individual trials. Id. at 363 (“The only individual issues—issues found in virtually every class action in which damages are sought—concern the amount of harm to particular class members. It is more efficient for the [common questions] to be resolved in a single proceeding than for [them] to be litigated separately in hundreds of different trials....”). The requirements of Rule 23(b)(3) are met as well.

CONCLUSION

For the reasons explained above, the plaintiffs’ motion for class certification (Dkt. No. 152) is granted in part and denied in part. The court hereby certifies the following Class and Subclass for purposes of resolving plaintiffs’ SCA, ECPA, and CFAA claims:

Class: All individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking software onto their computers via one of comScore’s third party bundling partners.
Subclass: All Class members not presented with a functional hyperlink to an end user license agreement before installing comScore’s software onto their computers.

The court denies class certification for purposes of resolving the plaintiffs’ common law unjust enrichment claims. A status hearing is set for 4/18/13 at 9:00 am to set further dates. 
      
      . The parties do not dispute the key facts relevant to the class certification motion, nor do they request an evidentiary hearing. The court therefore determines that an evidentiary hearing is unnecessary. See Fed.R.Civ.P. 43(c).
     
      
      . One of comScore's partners offering the free digital products failed to offer a link to the ULA for a short period of time. Consumers who downloaded that product are part of the proposed Subclass, which includes all downloaders of comScore’s tracking software who were not presented with a functional hyperlink to the ULA.
     
      
      . The plaintiffs do not contend that the class should be certified under one of the other provisions of Rule 23(b), so the court need not address them.
     
      
      . If litigation on the merits reveals that OSSProxy has not exceeded the scope of the plaintiffs' consent in a way common to the entire class, and if the court finds it necessary to evaluate whether individual plaintiffs engaged in behavior subjecting them to OSSProxy's unauthorized collection of their information, the court may reevaluate its class certification decision. See Fed.R.Civ.P. 23(c)(1)(C) ("An order that grants or denies class certification may be altered or amended before final judgment.”).
     
      
      . As mentioned above, Harris need not have been logged in to download the software (see Dkt. No. 185 ¶¶ 5-8), so the absence of a record of the download associated with his account does not show that he did not download the software.
     
      
      . ComScore also asserts that the SCA applies only to "a facility through which an electronic communication service is provided,” 18 U.S.C. § 2701(a)(1), and that personal computers are not such "facilities.” (Dkt. No. 177, at 26.) The plaintiffs concede that every member of the proposed Class and Subclass downloaded OSSProxy to his personal computer. (Dkt. No. 184, at 15.) The issue of whether personal computers are "facilities” under the SCA, which the court need not resolve at this time, is thus common to the entire class.
     
      
      . Under the CFAA, damage means “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8), while loss refers to "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
     
      
      . 18 U.S.C. § 1030(g) provides that "[a] civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” Subclause (I) is the only subclause conceivably applicable. The court need not decide at this stage whether 18 U.S.C. § 1030(c)(4)(A)(i)(I) allows class plaintiffs to aggregate their damages to meet the $5000 requirement.
     
      
      . The Supreme Court recently reversed a grant of class certification where "[q]uestions of individual damage calculations will inevitably overwhelm questions common to the class.” Comcast Corp. v. Behrend, - U.S. -, 133 S.Ct. 1426, 185 L.Ed.2d 515 (2013). The Supreme Court’s holding came from its assumption, uncontested by the parties, that Rule 23(b)(3) requires that damages must be measurable based on a common methodology applicable to the entire class in antitrust cases. That assumption, even assuming it is applicable to privacy class actions in some way, is merely dicta and does not bind this court. See id. at 1436 (Ginsburg and Breyer, JJ., dissenting) ("[T]he decision should not be read to require, as a prerequisite to certification, that damages attributable to a class-wide injury be measurable on a class-wide basis.” (citation and quotation marks omitted)).
     