Earlier this month, a Pennsylvania federal judge held that users of Bass Pro Shops’ and Cabela’s websites lacked Article III standing to sue the retailers for use of “session replay” software, where the users failed to allege that the software captured their personal information, such as financial data or medical diagnosis information. In Re: BPS Direct, LLC, and Cabela’s, LLC, Wiretapping, No. 2:23-md-03074 (E.D. Pa. Dec. 5, 2023).
The retailers challenged the website users’ claims on the grounds that the website users did not plead any concrete harm arising from their website visits. The court agreed. Citing the U.S. Supreme Court’s guidance in TransUnion v. Ramirez, the court considered whether the kind of information the retailers allegedly intercepted through the use of session replay software on their websites constituted an invasion of privacy interests that have historically been protected. The court concluded that the information collected was “no different than what Bass and Cabela’s employees would have been able to observe if the [w]ebsite [u]sers had gone into a brick-and-mortar store and began browsing the inventory.” It further explained that “[w]ebsite [u]sers do not have a personal privacy interest in their shopping activity.”
The court dismissed most of the proposed class action lawsuits’ claims with prejudice, finding that six website users could not plead after two attempts that they made purchases or entered any personal information on the websites. The court also dismissed the claims of three other website users with leave to amend their Complaints if they can allege that Bass and Cabela’s collected non-anonymized and unencrypted sensitive personal information, such as bank or credit card information, during their purchases.
Although the court’s holding in BPS Direct is consistent with that of other courts in the Third Circuit that have considered the issue, courts differ on what types of information are sufficiently personal to support standing. Just a month earlier, a California federal court, citing Ninth Circuit precedent, found website users sufficiently asserted that their personal information had been intercepted where the software allegedly collected “specific web pages viewed, search terms entered, and purchase behavior.” James v. Walt Disney Company, No. 23-cv-02500 (N.D. Cal. Nov. 8, 2023). Notably, in James, the website users alleged that the collected information was not anonymized. Setting data anonymization aside, however, the BPS Direct court explicitly disagreed with the James court’s reasoning to the extent it suggested that “viewing activity, search activity, and purchase behavior” is sufficiently personal to confer Article III standing.