Communications Litigation Today was a Warren News publication.
'Clandestinely Deployed'

Plaintiff Brings Another Privacy Class Action Over Session Replay Codes

JetBlue’s use of FullStory’s session replay codes during user browser sessions constitutes “looking over the shoulder” of website visitors, a violation of the California Invasion of Privacy Act, said a Friday class action (docket 3:23-cv-00361) in U.S. District Court for Southern California in San Diego.

California plaintiff Anne Lightoller brought a similar suit this month against Cheesecake Factory, saying JavaScript code deploys on website visitors’ internet browsers for the purpose of “intercepting and recording” their electronic communications (see 2302150008).

The “clandestinely deployed code” gives online marketers and website designers insights into the user experience by recording visitors “as they click, scroll, type or navigate across different web pages,” said the complaint against Jet Blue, citing a 2018 Mopinion blog post. Typically, the server receiving the event data is controlled by the third-party entity that wrote the session replay “rather than the owner of the website where the code is installed,” the complaint said.

Events captured by session replay varies but can include all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes and text entries. To be able to reconstruct a user’s visit accurately, the code has to be capable of capturing the events at “hyper-frequent intervals, often just milliseconds apart,” the complaint said.

Unless specifically masked by the website owner, some visible contents of the website may be transmitted to the session replay provider, who can view a “visual reenactment of the user’s visit, usually in the form of a video,” the complaint said. Unlike analytics services that provide aggregate statistics, the session replay scripts are "intended for the recording and playback of individual browsing sessions,” it said.

Most session replay codes default to capture the maximum number of user-initiated events, meaning highly sensitive information, including medical conditions and credit card details, can be captured, the complaint said. The code may capture data the user changed before submitting, and it doesn’t necessarily “anonymize” user sessions, it said.

Session replay providers often create “fingerprints” unique to a user’s computer and browser settings and other detectable information; the fingerprints are collected across all sites the session replay provider monitors, the complaint said. When a user fills in an online form, the provider can associate the fingerprint with the user identity and “back-reference all of that user’s other web browsing across other websites previously visited,” even if users specified they wanted to remain anonymous by enabling private browsing, it said.

The complaint cited a 2019 Air Canada data breach that exposed 20,000 profiles. The breach resulted from the airline’s iPhone app that “wasn’t properly masking the session replays,” exposing “unencrypted credit card data and password information,” it said.

The plaintiff is seeking statutory, actual, compensatory, consequential, punitive and nominal damages, plus restitution and/or disgorgement of profits “unlawfully obtained.” She also seeks attorneys' fees and legal costs, said the complaint.