Lululemon Website “Wiretapping” of Visitors’ Sessions California Class Action

California has its own California Invasion of Privacy Act (CIPA). This class action brings suit under this law against Lululemon USA, Inc. and Quantum Metric, Inc. (QM) for the “wiretapping” of visitors to the Lululemon website. The complaint alleges that code entered into the website by Quantum Metric allows the companies to “secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (“PII”), in real time.

The class for this action is all California residents who visited the Lululemon website and whose electronic communications there were intercepted or recorded by QM.

QM is a software-as-a-service company that offers a Quantum Metric software for providing market analytics. Part of that software is something called Session Replay, which is intended to help companies improve website design and the experiences of customers who come to the site.

The complaint quotes QM as saying that Session Replay be used “to pull up any user who had visited [a] website and watch their journey as if [the company] was standing over their shoulder.” It lets them “see every click, every tap and exactly what the website responded with—an error, a success message, or nothing.” The function thus “capture[s] all the metadata behind the replay—like user platform, API calls, and network details—as well as dozens of out of the box events and errors, plus the custom ones you’ll configure in our UPI.”

The function collects data from visits to the Lululemon website and sends it back to QM.

The complaint alleges, “Technology like QM’s Session Replay feature is not only highly intrusive, but dangerous. A 2017 study by Princeton University found that session recording technologies were collecting sensitive user information such as passwords and credit card numbers. The research notes that this wasn’t simply the result of a bug, but rather insecure practices.” This kind of program can “leave users vulnerable to data leaks…”

In fact, the complaint claims, Lululemon admits to this kind of spying. It may send after-visit e-mails to visitors saying that the company “see[s] you looking…” The complaint reproduces one such message, which is headed “Make a Move” and which says in part, “Take another look at the pieces you’ve been eying.

Lululemon and QM are both responsible for the wiretapping, the complaint says, because Lululemon consented to the installation of QM’s software on its website. It says the software acts as a wiretap.

The complaint claims that “Lululemon does not ask users … whether they consent to being wiretapped by QM. Users are never actively told that their electronic communications are being wiretapped by QM, nor does Lululemon’s Privacy Policy disclose as much…” The complaint says they also do not consent to their communications recorded and shared with QM.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Lululemon Website “Wiretapping” of Visitors’ Sessions California Complaint

November 19, 2020

California has its own California Invasion of Privacy Act (CIPA). This class action brings suit under this law against Lululemon USA, Inc. and Quantum Metric, Inc. (QM) for the “wiretapping” of visitors to the Lululemon website. The complaint alleges that code entered into the website by Quantum Metric allows the companies to “secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (“PII”), in real time.

Lululemon Website “Wiretapping” of Visitors’ Sessions California Complaint

Case Event History

Lululemon Website “Wiretapping” of Visitors’ Sessions California Complaint

November 19, 2020

California has its own California Invasion of Privacy Act (CIPA). This class action brings suit under this law against Lululemon USA, Inc. and Quantum Metric, Inc. (QM) for the “wiretapping” of visitors to the Lululemon website. The complaint alleges that code entered into the website by Quantum Metric allows the companies to “secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (“PII”), in real time.

Lululemon Website “Wiretapping” of Visitors’ Sessions California Complaint
Tags: Your Privacy, wiretapping