Home Depot Wiretaps Website Users California CIPA Class Action

This class action brings suit against Home Depot, Inc. for using “session replay” software to track the movements of visitors at its website. Is this wiretapping? The complaint claims that it is and that it violates the California Invasion of Privacy Act (CIPA).

The class for this action is California residents who visited the Home Depot website, whose electronic communications were intercepted or recorded by Quantum Metric on behalf of Home Depot, without their prior consent.

The complaint alleges that Home Depot has hired Quantum Metric, Inc. (QM), a software-as-a-service company, to provide software for its website. The QM software is embedded in a company’s website to offers market analytics, including a feature known as session replay.

The complaint quotes QM’s own website as saying, “Session reply is the reproduction of a user’s interactions on web or native mobile applications. Session replay captures things like mouse movements, clicks, typing, scrolling, swiping, tapping, etc.” It lets companies “pull up any user who ha[s] visited [a] website and watch their journey as if [the company] was standing over their shoulder.”

The data is captured as the user navigates and uses the website, then encrypted and sent to the QM cloud service.

According to the complaint, “The purported use of session replay technology is to monitor and discover broken website features. However, the extent and detail of the data collected … far exceeds the stated purpose” or the expectations of visitors to the website: It also allows the company to develop a profile for each visitor.

It quotes “a well-known session replay provider” admitting this in a patent dispute, saying that the “software computes billions of touch and mouse movements and transforms this knowledge into profitable actions that increase engagement, reduce operational costs, and maximize conversion rates…”

Another problem is that the information collected may leak to other parties. The complaint refers to a 2017 Princeton University study that found that such software collects passwords and credit card numbers as part of the recording of a session. “The research notes that this was not simply the result of a bug, but rather insecure practices. Thus, technologies such as QM’s leave users vulnerable to data leaks and the harm resulting therefrom.”

The complaint also provides a list of other online articles about session replay and privacy.

The complaint alleges, “As currently deployed, QM’s software, as employed by Home Depot, functions as a wiretap.”

It claims that visitors to the website “did not consent to being wiretapped on the Website, nor to having their communications recorded and shared with QM and [Home Depot]. Any purported consent that was obtained was ineffective because (i) the wiretapping began from the moment [the visitor] accessed the Website; (ii) the privacy policy did not explicitly disclose the wiretapping or QM; and (iii) the hyperlink [to] the privacy policy is inconspicuous and therefore insufficient to provide notice.”

Article Type: Lawsuit
Topic: Privacy
No case events.
Tags: Recording Electronic Communications Without Consent, Your Privacy, wiretapping