As companies continue to be hit with privacy class actions over the use of session replay technology, lack of standing has emerged as a defense that courts are increasingly using to dismiss these claims. Session replay is an analytics service that captures data about visitors’ browsing activity on a website—and over the last few years, dozens of businesses have been sued under the theory that engaging a third-party vendor to deploy session replay services is a violation of state wiretapping laws.
While some of these lawsuits are still proceeding to discovery, courts are increasingly dismissing them at the motion to dismiss stage for lack of Article III standing. District courts in California, Delaware, Missouri, and, notably, Pennsylvania (which had become fertile ground for such lawsuits given a third-circuit decision limiting the Pennsylvania Wiretap Act’s party exception) have confirmed that a plaintiff must plausibly allege the interception of personal information to demonstrate a concrete injury. In Lightoller v. Jetblue, Adams v. PSP Group, and Cook v. GameStop (in which ZwillGen represented GameStop), for example, the courts found a lack of standing because the complaints contained no allegations that the plaintiff input information like name, address, or credit card numbers that could have been captured by the session replay technology.
Even where browsing activity can be linked to a specific visitor, some courts have suggested that it still must be information over which there is a reasonable expectation of privacy. The district court in the Western District of Pennsylvania in Cook, for example, concluded that information on a person’s product preferences as they browse a public retail website is not personal because it “is no different from what GameStop employees would have been able to observe if [the plaintiff] had gone into a brick-and-mortar store and began browsing the inventory.”
While the use of session replay software still creates litigation risk, these decisions suggest that at least some courts will closely parse the pleadings to determine what types of information the defendant is alleged to have intercepted for purposes of subject-matter jurisdiction. Businesses using session replay technology will want to continue evaluating what data they are capturing on website visitors, whether the data may be considered personal information, and the associated risks. They may also want to consider the types of notices they provide to disclose the use of session replay software and if there are certain jurisdictions where they want to refrain from using such software.
