Many commercial websites have adopted the use of “session-replay” technology, by which embedded code on a website records the visitor’s communications within that website, including their mouse movements, clicks, keystrokes, and pages visited. Businesses can then use this information in deciding how and whether to tweak their websites, and gain other consumer data.
In Popa v. Microsoft, decided by the Ninth Circuit today, a consumer sued Microsoft, the owner and operator of session-replay technology deployed on a pet supply website, and the pet supply company, arguing that the use of the technology violated the Pennsylvania wiretapping statute and constituted an invasion of privacy under Pennsylvania common law.
The Ninth Circuit affirmed the dismissal of those claims finding the consumer had failed to allege a concrete injury for purposes of Article III standing. Applying Spokeo and Transunion, the court found that the harms alleged were not sufficiently similar to the common-law privacy torts of intrusion upon seclusion or public disclosure of private facts, and rejecting the argument that an infringement of the right to privacy generally gives rise to standing as a categorical matter, distinguishing prior cases and holding others did not survive TransUnion.
