I recently had a chance to learn about and speak with folks from a company called comScore. Essentially, this company offers free stuff to consumers in exchange for tracking all their web browsing activity. And they can get very detailed information about one’s buying habits. This can be very good for research, and potentially socially useful in other ways (advertising, etc).
However, collecting that much personal browsing information about so many consumers (millions) seems very very risky. I’ll even go so far as to suggest a ticking timebomb of liability because of the concern of a data breach (i.e. some one hacking into the company stealing all this information). As it turns out, that liability is coming from consumer concerns that the company collected and sold data without the consumers’ consent. (now, I’m not really sure how people would be unaware of that, given that this is the company’s business model).
I’ve examined privacy litigation in previous work (here: http://ssrn.com/abstract=1986461) and based on our work, that the class was certified in this current laswuist suggests bad news for comScore. We found that class certification was very strongly correlated with settlement. I don’t know how big the class will finally be, but if it does get into the millions, multiply that by the statutory damages from their ECPA and SCA claims and yikes!