While trends come and go, one that does not appear to be going away anytime soon are lawsuits that allege unauthorized use of session replay technology. As readers of this blog know, session replay technology is used by businesses to “record, save, and replay a website visitors’ interactions with a website.” Using session replay technology is useful for companies for several reasons, including that it allows businesses to track what consumers do while on their websites and see what their product preferences are.
On September 8, 2022, Ms. Amber Cook filed a lawsuit on behalf of herself and other similarly situated individuals in the Western District of Pennsylvania alleging that Defendant Gamestop, Inc., (“Gamestop”) used session replay technology to record her “mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of web pages visited, and/or other electronic communications in real-time[.]”. Specifically, the complaint alleged that Gamestop used the session replay technology of various third-party providers on its site, including Microsoft’s proprietary Session Replay Code branded as “Clarity.”
Plaintiff argued that Gamestop’s conduct violated the Pennsylvania Wiretapping and Electronic Surveillance Control Act, 18 Pa.C.S. § 5701, et seq., constituting the tort of intrusion upon seclusion.
Gamestop moved to dismiss the complaint for lack of subject matter jurisdiction and failure to state a claim. Ultimately, the Court granted the motion to dismiss for lack of subject matter jurisdiction and found that it also had alternative grounds to dismiss for failure to state a claim. In doing so, the Court noted that it has joined an increasing number of courts that have ruled the same way on this wiretapping issue.
Lack of Standing for Session Replay Lawsuit
The Court’s decision turned on whether Plaintiff suffered an injury in fact; specifically, whether Plaintiff suffered a concrete and particularized injury.
In granting Defendant’s motion to dismiss, the Court found that the mere fact that Plaintiff alleged that GameStop collected any information about her visit was not enough of an injury to afford her standing to sue. Rather, the pleading merely alleged a bare and insufficient statutory violation.
In determining that Defendant did not intercept the kind of information that would constitute an invasion of privacy, the Court focused on the nature of the data collected by Clarity. According to the Court, the only information recorded of Plaintiff’s visit to Gamestop’s website was that of her: browsing different products for sale; using her mouse to hover and click on certain products; typing search words into the search bar; and selecting a product to add to her shopping cart by clicking the “add to cart” button. The Court concluded that such product preference and browsing data does not “involve personal information, personally identifiable information, or information over which a party has a reasonable expectation of privacy.” In fact, Plaintiff did not enter any personally identifying information or anything that could otherwise connect her browsing activity to her individually; She essentially remained anonymous. In sum, collection of such information does not amount to concrete injury, explained the Court.
Failure to State A Claim
The Court also found that even if Plaintiff had standing, she did not adequately state a claim under Pennsylvania’s Wiretap Act. The Pennsylvania Wiretap Act prohibits interception of electronic communications without prior consent.
Violation of the Wiretap Act often comes down to determining “whether the acquired information can best be characterized as either record information or the message conveyed by the communication.” (internal citations omitted). The Court concluded that because Plaintiff’s allegations were generalized and not specific to Gamestop, her complaint lacked sufficient detail to support a claim, for wiretapping.
Win for the Internet Marketing and Telemarketing Industry
This case reaffirms that the use of session replay technology is legal, and liability should not result from the collection of non-sensitive information, like name, address, phone number, and product preferences. Where companies often get into trouble is when they collect sensitive information, such as medical and financial information, without obtaining prior consent to do so.
Hiring experienced counsel for guidance on the standards for collecting various types of consumer data is critical to avoiding state and federal liability. The attorneys at Klein Moynihan Turco have years of experience in marketing and privacy law matters. If you need assistance with updating your practices and procedures with respect to use of website recording technology, please email us at email@example.com or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.