Found Health, FullStory Website Wiretapping California Class Action

Wiretapping used to mean, primarily, listening in on telephone conversations. Now it has a new meaning: tracking a website visitor’s keystrokes, mouse movements, and so on, along with identifying the visitor when possible. The complaint for this class action alleges that FullStory, Inc. performed such wiretapping services at a website for Found Health, Inc. (FHI), recording and passing on information on visitors without their knowledge or consent, in violation of the California Invasion of Privacy Act (CIPA).

The class for this action is all California residents who visited the FHI website and whose electronic communications were intercepted or recorded by FullStory.

FHI’s website is Torchrx.com, which is focused on weight loss and “health coaching,” among other things. FHI has used FullStory’s Session Replay product, which is part of its marketing analytics offerings.

According to the complaint, wiretaps were embedded in the computer code for the website to allow FHI and FullStory “to secretly observe and record website visitors’ key strokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (PII) and Protected Health Information (PHI).”

Plaintiff James Holden visited the website and entered his name, e-mail address, height, weight, gender, payment card information, and other PII and PHI. Holden claims that this information was intercepted in real time and were disclosed to FullStory without his knowledge or consent.

In addition to recording visitors’ movements, Session Replay allows website owners to “track the amount of time spent on the website, geographic location of the visitor, and other information[,]” the complaint says. The software also allows visitors to be tracked in real time, as they are browsing the site.

The complaint alleges that “FullStory’s software, as employed by FHI, functions as a wiretap.”

The complaint asserts that this kind of technology is not just highly intrusive: “A 2017 study by Princeton University found that session recording technologies were collecting sensitive user information such as passwords and credit card numbers. The research notes that this wasn’t simply the result of a bug, but rather insecure practices. Thus, session recording technologies such as FullStory’s can leave users vulnerable to data leaks and the harm resulting therefrom.”

Users of FHI’s website are never asked if they consent to being wiretapped by FullStory. “Therefore,” the complaint says, “these users never agree or are never given the option to agree to the Privacy Policy when using the Website, nor are they on notice of the Privacy Policy.” Even if they agree to the Privacy Policy, the complaint says, “FHI does not mention FullStory or its Session Replay feature in the Website’[s] Privacy Policy.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Found Health, FullStory Website Wiretapping California Complaint

October 2, 2020

Wiretapping used to mean, primarily, listening in on telephone conversations. Now it has a new meaning: tracking a website visitor’s keystrokes, mouse movements, and so on, along with identifying the visitor when possible. The complaint for this class action alleges that FullStory, Inc. performed such wiretapping services at a website for Found Health, Inc. (FHI), recording and passing on information on visitors without their knowledge or consent, in violation of the California Invasion of Privacy Act (CIPA).

Found Health, FullStory Website Wiretapping California Complaint

Case Event History

Found Health, FullStory Website Wiretapping California Complaint

October 2, 2020

Wiretapping used to mean, primarily, listening in on telephone conversations. Now it has a new meaning: tracking a website visitor’s keystrokes, mouse movements, and so on, along with identifying the visitor when possible. The complaint for this class action alleges that FullStory, Inc. performed such wiretapping services at a website for Found Health, Inc. (FHI), recording and passing on information on visitors without their knowledge or consent, in violation of the California Invasion of Privacy Act (CIPA).

Found Health, FullStory Website Wiretapping California Complaint
Tags: Your Privacy, wiretapping