Website browsing surveillance lawsuit erupts after appeal ruling

Ashley Popa was shopping for pet stairs online. Unbeknownst to her, a third-party marketing service used by Harriet Carter Gifts was tracking her every move, collecting her personally identifying information even though she wasn’t buying anything.

Popa submitted a proposal class action naming the two companies and alleging violation of a Pennsylvania anti-wiretapping law. A federal judge in Pittsburgh granted summary judgment for the defense, but in August the United States Court of Appeals for the Third Circuit revived the suittriggering a wave of new similar cases.

At least nine new class action lawsuits have been filed as a result of that August ruling, accusing well-known companies such as Zillow, Lowe’s, Expedia, Autozone, Chewy’s and Michael’s Stores of violating state law on telephone tapping and monitoring of electronic surveillance.

The Philadelphia-based panel’s Aug. 16 decision followed a string of losses elsewhere last year. These lawsuits, filed in Florida and California, were dismissed in the early stages of litigation as the courts found that website visitors had consented to the software and that the wiretap laws of those states did not provide of appeal.

“This Third Circuit decision appears to have focused the attention of plaintiffs’ attorneys on Pennsylvania,” said Adam A. Cooke, counsel to Hogan Lovells in Washington. “They explored other state laws after the first lawsuits ran into issues at the pleading stage, and this recent decision opened the door and gave the impression that Pennsylvania could be the next step where these lawsuits are tested.”

Attorneys for Marcus Zelman LLC, the firm representing plaintiffs in six of the lawsuits recently filed in Pennsylvania, did not respond to a request for comment. Other cases have been filed by other firms in Illinois and Washington State.

Consumer monitoring

So-called session replay software allows businesses to record mouse movements, keystrokes, search terms, information entered on websites, and the pages and content viewed during visits. Its vendors claim that the software helps their clients fine-tune their websites to provide a better user experience. They reject the claim that it creates privacy risks.

One such vendor-defendant, FullStory Inc., told Bloomberg Law that its software only receives and processes data already available to its customers through their own websites and application code, and that its programs do not does not track users around the web or share information with anyone beyond its client.

“These are cookie-cutter lawsuits that mimic others that have been dismissed or otherwise favorably resolved,” FullStory spokeswoman Amy Barrett Crow said. “We believe the lawsuits are without merit and hope the courts will see the similarities to previous cases favorably resolved.”

But privacy watchdog groups say session replay software creates a significant risk that sensitive data, including health information, credit card numbers and passwords, will be recorded and leaked.

“An independent audit found that sensitive data ends up in the recordings, and session replay service providers often fail to secure this data appropriately,” said Karen Gullo, spokesperson for the Electronic Frontier Foundation.

The software also allows companies to conduct a form of research on human subjects without the consent of the human subjects, and operates without regard to important privacy issues such as limiting the amount of data companies collect and retain, said John DavisonSenior Counsel at the Electronic Privacy Clearinghouse.

Data interception

Courts in Florida and California have generally found that the wiretap laws of those states do not apply to the use of session replay software, but the Third Circuit tenuous in Popa vs. Harriet Carter Gifts Inc. that the transfer of consumer data from the retailer’s website to the software provider was an “interception” within the meaning of the law.

The court overturned a district court’s summary judgment grant for the retailer and dismissed the case, but the defendants requested a rehearing. They argue that the court’s interpretation of the interception was unreasonably broad and would result in the imposition of liability on websites that don’t even use session replay software.

“The phenomenon of a website asking third parties to fill in other content or communicate directly with the individual is not unique to session replay software,” Cooke said. “The decision raises a real question of whether it is reasonable to interpret these wiretap laws so broadly that you create liability for a wide swath of electronic communications and online content.”

Companies that use the software also digest a decision from earlier this year from the Ninth Circuit, which overturned a lower court’s dismissal of a session-replay class action lawsuit. The San Francisco-based Federal Court of Appeals held Javier v Insurance IQ LLC that website operators must obtain prior express consent from users to avoid liability for their use of session replay software under the California Invasion of Privacy Act.

A lawsuit accusing GameStop of using a largely similar form of software to record user conversations on its website was filed earlier this month in California federal court in Riverside. The company is also a defendant in a session replay lawsuit filed this month in Pennsylvania in which the software was allegedly provided by Microsoft.

The combined impact of the two rulings suggests that the session replay software litigation is far from dead, said Kristin L. Bryanpartner of Squire Patton Boggs LLP in New York.

“There are big questions that have yet to be addressed by the courts that could yet be fatal to these lawsuits, including whether the plaintiffs suffered concrete harm,” Bryan said. “But it’s clear there’s renewed interest among creative plaintiffs’ attorneys to bring these lawsuits, and the filings will likely continue as long as the courts interpret state wiretapping laws as if applying this new technology.”

Comments are closed.