On May 9, 2024, the First Circuit became the first federal appellate court to address whether national retail websites’ use of session replay code creates specific personal jurisdiction for wiretapping claims allowing website users to hale retailers into court in any state where they visited these websites. The First Circuit concluded that it does not. It held that a website user failed to demonstrate that Ohio-based Bloomingdales.com intentionally targeted its website and its accompanying use of session replay software at users in Massachusetts and, therefore, failed to establish specific personal jurisdiction over Bloomingdales.com for alleged violations of the Massachusetts Wiretapping Act and Massachusetts Invasion of Privacy Statute. Rosenthal v. Bloomingdales.com, LLC, No. 23-1683, 2024 WL 2074685 (1st Cir. May 9, 2024).
Plaintiff, a Massachusetts resident, alleged that Bloomingdale’s embedded session replay code on its website to unlawfully “look[] over the shoulder” of each website visitor—intercepting and recording website visitors’ communications with its website for analysis. The district court held that it lacked specific personal jurisdiction over Bloomingdale’s because the retailer did not “initiate contact” with Massachusetts. On appeal, the First Circuit affirmed, finding the plaintiff failed to show that Bloomingdale’s “purposefully availed itself of what Massachusetts has to offer” as he did not establish that Bloomingdale’s knew it was targeting him in Massachusetts. Although the plaintiff showed that Bloomingdale’s intentionally targeted him when he happened to be in Massachusetts, he did not affirmatively prove that Bloomingdale’s knew it was targeting him in Massachusetts.
In a fairly unusual move, First Circuit Judge Thompson issued a concurrence dubitante, in which she agreed with the court’s conclusion under existing law but expressed concern that the law of specific personal jurisdiction has not kept up with 21st century technology. Perhaps, she suggested, the Supreme Court will offer additional guidance. There are plenty of cases winding their way through the courts in which plaintiffs seek to test theories of specific personal jurisdiction, rather than suing in states where the defendants are incorporated or have their principal place of business (which would create general jurisdiction).
In late April, a Third Circuit panel heard arguments on whether Papa Johns’s or Mattress Firm’s websites “expressly aimed” their use of session replay software in Pennsylvania and whether a “website itself” creates personal jurisdiction in Pennsylvania for website users’ wiretapping claims arising out of the companies’ use of session replay software in the state. Schnur v. Papa John's Int'l, Inc., No. 2:22-CV-1620-NR, 2023 WL 5529775 (W.D. Pa. Aug. 28, 2023), appeal docketed, No. 23-2573 (3d Cir. Aug. 30, 2023); Hasson v. FullStory, Inc., No. 2:22-CV-1246, 2023 WL 4745961 (W.D. Pa. July 25, 2023), appeal docketed, No. 23-2535 (3d Cir. Aug. 31, 2023). While the judges seemed to reject the argument that brick-and-mortar pizza stores established personal jurisdiction in Pennsylvania for website users’ claims, they grappled with the nature of the technology, including who initiated contact and how any response from the session replay code related to Pennsylvania. The Third Circuit’s decision on this matter is still pending.
Plaintiffs’ firms continue to file variations of state law wiretapping lawsuits over the use of website tools including “session replay” code in various jurisdictions. While companies may rely on personal jurisdiction and standing as defenses to wiretapping claims, companies can also take steps to protect themselves from these lawsuits by carefully examining how their website software is used, what information they and their vendors are collecting from website users, and what disclosures or consents may be necessary under applicable law.