Noom Wiretapping of Website Visitors Pennsylvania Class Action

Information is now the most-desired resource in the world, and companies have begun collecting all kinds of information on consumers—not just on their personal characteristics, but also on their engagement, behavior, and attitudes. The complaint for this class action alleges that Noom, Inc. gets detailed information through wiretapping, using Session Replay Code embedded in its website that intercepts and records visitors’ actions, in violation the Pennsylvania Wiretapping and Electronic Surveillance Control Act.

The class for this action is all natural persons in Pennsylvania whose website communications were captured in Pennsylvania through the use of Session Replay code embedded in the www.noom.com website.

How does Noom perform this wiretapping? The complaint alleges that it gets third parties, like FullStory, to put bits of JavaScript computer code—Session Replay code—in its website. These bits of code deploy into the browsers of visitors to the website, intercepting actions like mouse movements, clicks, keystrokes, and pages visited.

The complaint alleges that Session Replay Code “goes well beyond normal website analytics when it comes to collecting the actual contents of communications between website visitors and websites.” It gives instructions to the visitor’s browser, the complaint claims, so that the browser sends information to a server. “Typically,” the complaint alleges, “the server receiving the event data is controlled by the third-party entity that wrote the Session Replay Code, rather than the owner of the website where the code is installed.”

At a later time, the visitors’ sessions can be individually replayed for the website owner, the complaint claims, showing the entire visit to the website. The information may include what the complaint calls “a variety of highly sensitive information … captured in event responses from website visitors, including medical conditions, credit card details, and other personal information displayed or entered on webpages.”

In fact, the complaint claims that the code collects even information that the visitor decides not to provide to the website, for example, when the visitor enters information in a field but then does not click Submit.

The session and information may not remain anonymous. Session Replay can record visitors’ entry of personally identifying information, use cookies that link sessions to identified users, or create “fingerprints” comprised of settings that are unique to users.

These fingerprints can be linked back to all sites served by the Session Replay provider, and when visitors identify themselves to any one of these sites, the provider “can then back-reference all of that user’s other web browsing across other website previously visited, including on websites where the user had intended to remain anonymous—even if the user explicitly indicated that they would like to remain anonymous by enabling private browsing.”

All this is done, the complaint alleges, without obtaining the visitors’ consent or the visitors even being aware of these operations

According to the complaint, this violates the Pennsylvania Wiretapping and Electronic Surveillance Control Act.

Article Type: Lawsuit
Topic: Privacy
Tags: Recording Electronic Communications Without Consent, Sharing Personal Information with Third Parties, Your Privacy, wiretapping