Earlier this month, a Pennsylvania federal judge held that users of Bass Pro Shops’ and Cabela’s websites lacked Article III standing to sue the retailers for use of “session replay” software, where the users failed to allege that the software captured their personal information, such as financial data or medical diagnosis information. In Re: BPS Direct, LLC, and Cabela’s, LLC, Wiretapping, No. 2:23-md-03074 (E.D. Pa. Dec. 5, 2023).
Website users alleged that the outdoor retailers’ websites tracked the users’ conduct in violation of federal and state wiretapping statutes, as well as a variety of common law privacy-related torts. Specifically, these website users claimed that session replay software embedded into the retailers’ websites captured “mouse clicks and movements, keystrokes, search terms, substantive information they inputted, pages they viewed, scroll movements, and copy and paste actions” and sent them to session replay providers. The website users claimed that neither Bass’ nor Cabela’s website prompted visitors to view or agree to the Privacy Policy or Terms of Use, and that neither website included a pop-up informing users that third-party session replay providers were recording their interactions with the website.
The retailers challenged the website users’ claims on the grounds that the website users did not plead any concrete harm arising from their website visits. The court agreed. Citing the U.S. Supreme Court’s guidance in TransUnion v. Ramirez, the court considered whether the kind of information the retailers allegedly intercepted through the use of session replay software on their websites constituted an invasion of privacy interests that have historically been protected. The court concluded that the information collected was “no different than what Bass and Cabela’s employees would have been able to observe if the [w]ebsite [u]sers had gone into a brick-and-mortar store and began browsing the inventory.” It further explained that “[w]ebsite [u]sers do not have a personal privacy interest in their shopping activity.”
The court dismissed most of the proposed class action lawsuits’ claims with prejudice, finding that six website users could not plead after two attempts that they made purchases or entered any personal information on the websites. The court also dismissed the claims of three other website users with leave to amend their Complaints if they can allege that Bass and Cabela’s collected non-anonymized and unencrypted sensitive personal information, such as bank or credit card information, during their purchases.
Although the court’s holding in BPS Direct is consistent with that of other courts in the Third Circuit that have considered the issue, courts differ on what types of information are sufficiently personal to support standing. Just a month earlier, a California federal court, citing Ninth Circuit precedent, found website users sufficiently asserted that their personal information had been intercepted where the software allegedly collected “specific web pages viewed, search terms entered, and purchase behavior.” James v. Walt Disney Company, No. 23-cv-02500 (N.D. Cal. Nov. 8, 2023). Notably, in James, the website users alleged that the collected information was not anonymized. Setting data anonymization aside, however, the BPS Direct court explicitly disagreed with the James court’s reasoning to the extent it suggested that “viewing activity, search activity, and purchase behavior” is sufficiently personal to confer Article III standing.
Plaintiffs’ firms continue to file variations of federal and state law wiretapping lawsuits over “session replay” and similar software applications in various jurisdictions. These wiretapping claims threaten substantial penalties. While the case law in this area is still evolving, companies can take steps to protect themselves from these lawsuits by carefully examining how their website software is being used, what information they and their vendors are collecting from website users (including whether they share sensitive medical, financial, or credit card information with vendors and whether the data they share is anonymized), and what disclosures or consents may be necessary, including a thorough review of the website’s privacy policy and the manner in which it is presented to users.