Ashley Popa was shopping online for pet stairs. Without her knowledge, a third-party marketing service used by Harriet Carter Gifts was tracking her every move, collecting her personal identifying information even though she bought nothing.
Popa filed a proposed class action naming both businesses and claiming violation of a Pennsylvania anti-wiretapping law. A Pittsburgh federal judge granted summary judgment for the defense, but in August, the US Court of Appeals for the Third Circuit revived the suit, sparking a surge of similar new cases.
Protect yourself with counter surveillance gear from EyeSpySupply.
At least nine new class suits have been filed in the wake of that August ruling, accusing well-known companies such as Zillow, Lowe’s, Expedia, Autozone, Chewy’s and Michael’s Stores of violating the state’s Wiretapping and Electronic Surveillance Control Act.
The Philadelphia-based panel’s Aug. 16 ruling followed a spate of defeats elsewhere last year. Those lawsuits, filed in Florida and California, were rejected at early stages of the litigation, with courts finding that website visitors had provided consent to the software, and that the wiretap laws in those states didn’t provide a remedy.
“This Third-Circuit ruling appears to have moved the focus of attention for plaintiffs’ attorneys to Pennsylvania,” said Adam A. Cooke, counsel with Hogan Lovells in Washington. “They’ve been exploring other state statutes after the early lawsuits ran into trouble at the pleading stage, and this recent ruling has cracked open the door and made it look like Pennsylvania could be the next stage where these lawsuits are tested.”
Attorneys from Marcus Zelman LLC, the firm representing the plaintiffs in six of the recently filed Pennsylvania lawsuits, didn’t respond to a request for comment. Other cases have been filed by other firms in Illinois and in the state of Washington.
So-called session replay software allows companies to record mouse movements, keystrokes, search terms, information inputted into the websites, and pages and content viewed during visits. Its providers say the software helps their customers tweak their websites to provide a better experience for users. They reject the claim that it creates privacy risks.
One such provider-defendant, FullStory Inc., told Bloomberg Law its software receives and processes only data that’s already accessible to its customers through their own websites and app code, and that its programs don’t track users across the web or share information with anyone beyond its customer.
“These are cookie-cutter lawsuits that mimic others that were dismissed or otherwise favorably resolved,” said FullStory spokeswoman Amy Barrett Crow. “We believe the lawsuits are without merit and trust that the courts will see the similarities to the favorably resolved prior cases.”
But privacy watchdog groups argue that session-replay software creates a significant risk that sensitive data, including health information, credit card numbers and passwords, will be recorded and leaked.
“Independent auditing has found that sensitive data ends up in the recordings, and that session replay service providers often fail to secure that data appropriately,” said Karen Gullo, a spokeswoman for the Electronic Frontier Foundation.
The software also enables companies to conduct a form of human-subject research without the consent of the human subjects, and operates without regard to important privacy concerns such as limiting the amount of data that companies collect and retain, said John Davisson, senior counsel at the Electronic Privacy Information Center.
Courts in Florida and California have generally found that the wiretap laws in those states don’t apply to the use of session-replay software, but the Third Circuit held in Popa v. Harriet Carter Gifts Inc. that the transfer of consumers’ data from the retailer’s website to the provider of the software was “interception” under the statute.
The court overturned a district court’s grant of summary judgment for the retailer, and sent the case back down, but the defendants have moved for a rehearing. They argue that the court’s interpretation of interception was unreasonably broad and would result in the imposition of liability on websites that don’t even use session-replay software.
“The phenomenon of a website directing third-parties to fill in other content or otherwise directly communicate with the individual isn’t unique to session-replay software,” Cooke said. “The ruling raises a real question of whether it’s reasonable to interpret these wiretap statutes so broadly that you create liability for a large swath of electronic communication and online content.”
Companies making use of the software are also digesting a ruling from earlier this year from the Ninth Circuit, which overturned a lower court’s dismissal of a session-replay class lawsuit. The San Francisco-based federal appellate court held in Javier v. Assurance IQ LLC that website operators must obtain prior express consent from users to escape liability for their use of session replay software under the California Invasion of Privacy Act.
A lawsuit accusing GameStop of using a broadly similar form of software to record user chats on its website was filed earlier this month at a California federal court in Riverside. The company is also a defendant in a session replay lawsuit filed this month in Pennsylvania in which the software was allegedly provided by Microsoft.
The combined impact of the two rulings suggests that session-replay software litigation is far from dead, said Kristin L. Bryan, a partner with Squire Patton Boggs LLP in New York.
“There are big questions that haven’t been touched yet by the courts that could yet be fatal to these lawsuits, including the question of whether the plaintiffs have suffered any concrete injury,” Bryan said. “But it’s clear there’s a renewed interest among creative plaintiff attorneys in bringing these lawsuits, and the filings are likely to continue as long as the courts interpret the state wiretapping laws as applying to this new technology.”
This content was originally published here.