Cabela’s Session Replay Wiretapping of Website Visitors Pennsylvania Class Action

The complaint for this class action quotes an article in The Economist as saying that the “world’s most valuable resource is no longer oil, but data.” Companies want information on consumers, and the complaint alleges that Cabela’s, LLC gets it by an unlawful wiretapping, through embedding code in its website that intercepts and records visitors’ actions, in violation the Pennsylvania Wiretapping and Electronic Surveillance Control Act.

The class for this action is all natural persons in Pennsylvania whose website communications were captured in Pennsylvania through the use of Session Replay code embedded in www.cabelas.com.

The complaint alleges that Cabela’s has third-party vendors, like Microsoft, put snippets of JavaScript code into its website, which deploy into visitors’ browsers and cause the intercepting and recording of visitors’ actions at the website, including their mouse movements, clicks, keystrokes, and pages visited. This Session Replay code then allows the visitors’ activities at the website to be played back.

The complaint alleges, “Cabela’s procurement of the Session Replay Providers to secretly deploy the Session Replay Code results in the electronic equivalent of ‘looking over the shoulder’ of each visitor to the Cabela’s website for the entire duration of their website interaction.” The complaint cites in particular a Microsoft Session Replay code called Clarity.

Session Replay code “goes well beyond normal analytics” in its collection of information, the complaint alleges, collecting data that visitors did not intend to give to the website, for example, when they enter information in a field but do not click Submit.

The visitor’s browser follows instructions from the Session Replay Code, the complaint claims, sending information to a third-party server. “Typically,” the complaint alleges, “the server receiving the event data is controlled by the third-party entity that wrote the Session Replay Code, rather than the owner of the website where the code is installed.”

At a later time, the visitors’ sessions can be individually replayed for the website owner, including what the complaint calls “a variety of highly sensitive information … captured in event responses from website visitors, including medical conditions, credit card details, and other personal information displayed or entered on webpages.”

This information may not remain anonymous. Session Replay providers can offer cookies that that permit linking sessions to identified users, or can create “fingerprints” for visitors, the complaint alleges, made up of things like browser settings, screen configuration, and other details that rarely change.

The provider “can then back-reference all of that user’s other web browsing across other website previously visited, including on websites where the user had intended to remain anonymous—even if the user explicitly indicated that they would like to remain anonymous by enabling private browsing.”

All this is done, the complaint alleges, without obtaining the visitors’ consent or the visitors even being aware of these operations

Article Type: Lawsuit
Topic: Privacy
Tags: Intercepting Electronic Communications, Sharing Personal Information with Third Parties, Your Privacy, wiretapping