Courts in California, Florida and Pennsylvania have handled most of the session replay code privacy claims since their rise in popularity in the past few years, said a Husch Blackwell analysis Wednesday. Florida courts have been "most critical" of these claims, repeatedly saying plaintiffs’ complaints failed to state a claim under the Florida state law "because the complaints alleged un-sanctioned recording of behavior and not the content of communications covered by the law," it said. "Where session replay technology is used to capture chat-based communications, however, Florida courts have allowed the claims to proceed beyond the pleading stage." California courts have been "less favorable" to session replay code defendants than Florida courts, said Husch Blackwell. The 9th U.S. Circuit Court of Appeals overturned a Northern District of California dismissal of a plaintiff’s California Invasion of Privacy Act claim after saying the plaintiff consented to the recording but did so only after using the website for some time, it said. The 9th Circuit concluded the California Supreme Court would interpret Section 631(a) of CIPA, California’s wiretapping statute, to require the prior consent of all parties to a communication. On remand, however, the case was again dismissed, this time under the statute of limitations. A new class action in San Diego is seeking to thwart Spirit Airlines from “wiretapping” the electronic communications of visitors to its website, in violation of the CIPA (see 2302080044).
A new class action in San Diego is seeking to thwart Spirit Airlines from “wiretapping” the electronic communications of visitors to its website, in violation of the California Invasion of Privacy Act (CIPA). Spirit hires third-party vendors, such as FullStory, to embed snippets of JavaScript computer code, called “session replay code,” in the visitor’s internet browser, alleged the complaint Tuesday (docket 3:23-cv-00233) in U.S. District Court for Southern California. The code then intercepts and records the visitor’s activity, right down to their mouse movements, clicks, keystrokes and URLs of web pages they visit, it said. The vendors use the captured website communications to create a video replay of the user’s behavior on the website and provide it to Spirit for analysis, said the complaint. Secretly deploying the session replay code results in the electronic equivalent of “looking over the shoulder” of each visitor to the Spirit website “for the entire duration of their website interaction,” it said. Session replay code works by inserting computer code into the various “event handling routines that web browsers use to receive input from users,” said the complaint. When a website delivers the code to a user’s browser, that browser will follow the code’s instructions by sending responses in the form of event data to a designated third-party server, it said. The server receiving the event data typically is controlled by the third-party vendor that wrote the code, rather than the owner of the website where the code is installed, it said. Spirit’s procurement and use of FullStory’s session replay code is a wiretap in violation of California statutory and common law, alleged the complaint. Plaintiff Kayla Mandeng visited spirit.com on her computer and smartphone to book flights, only to fall victim to Spirit’s unlawful monitoring and recording of her website activity, it said. 
Mandeng seeks statutory, compensatory and punitive damages and restitution of profits “unlawfully obtained,” plus injunctive relief enjoining Spirit from the illegal practices described in her complaint. Spirit and FullStory didn’t respond Wednesday to requests for comment.
Defendant Epic Games neither admits nor denies any of the allegations in the FTC’s complaint that the Fortnite creator violated children’s privacy law and used dark patterns to trick millions of gamers into making unintentional purchases (see 2212190064), said a stipulated order Tuesday (docket 5:22-CV-00518) signed by the parties and by U.S. District Judge Terrence Boyle for Eastern North Carolina in Elizabeth City. A permanent injunction enjoins Epic from “failing to make reasonable efforts” to be sure a parent “receives direct notice” of Epic’s practices on the collection, use or disclosure of personal information from children, said the order. The order requires Epic at least once every 12 months to “assess the sufficiency” of any safeguards in place to address the internal and external risks to the privacy of covered information, and to modify the privacy program “as needed based on the results,” it said.
The FTC filed a notice of supplemental authority Monday (docket 2:22-cv-00377) in U.S. District Court for Idaho in support of its opposition to Kochava’s motion to dismiss the agency privacy complaint (see 2212050061). The agency is seeking a permanent injunction enjoining Kochava from acquiring consumers’ precise geolocation data and selling it in a format that allows entities to track their movements to and from sensitive locations. Kochava asserts the agency may not seek injunctive relief under Section 13(b) of the 1914 Federal Trade Commission Act because that would exceed the scope of powers that can be constitutionally vested in an agency whose members are not removable at will by the president. But the FTC's notice said the Southern District of New York issued an order Feb. 1 “rejecting this same argument” in FTC v. Roomster. The case against Kochava supports the FTC’s argument “that its authority to bring this action under Section 13(b) is constitutional,” it said. Though the FTC recognizes the Roomster opinion is "not binding" on the Idaho district court, the agency believes the court “may find its discussion informative and its reasoning persuasive,” it said.
The Illinois Supreme Court ruled in a Feb. 2 decision that all claims under Section 15 of the state’s Biometric Information Privacy Act (BIPA) have a “catchall” five-year statute of limitations, said an Ogletree Deakins analysis Monday. The decision partially overturned an appellate court ruling that said claims under two subsections of the BIPA were governed by a one-year limitations period under Illinois law for defamation and privacy claims, it said. The case is the latest to review the bounds of the statute, as employers “are increasingly using biometric technology to improve efficiency in the workplace,” it said. If the court ruled the one-year limitation applied to claims under Section 15 of the BIPA, “it could have substantially reduced the overall number of potential class members” in pending and future BIPA lawsuits. As a result of the decision, employees and consumers will have five years to file claims for violations of the collection, retention and dissemination of their biometric information.
The six plaintiff-appellants who are appealing the district court’s granting of summary judgment to Google in a Chrome privacy case don't dispute that the lower court’s evidence preservation orders require Google “to expend extraordinary amounts of money and human resources to preserve an enormous quantity of data,” the company said Monday. Google filed a reply brief in the 9th U.S. Circuit Appeals Court (docket 22-16993) in support of its motion for a limited remand so the district court can “reassess” those evidentiary orders. The appellants are Chrome users who allege Google improperly collects the personal information of users who opt not to “sync” their browsers to their Google accounts (see 2212290037). The quantity of data preserved in evidence “grows every day this appeal is pending,” said Google. The lower court said the appellants’ claims “lack merit because they expressly consented to the data collection they challenge,” it said. “In light of that finding, it makes perfect sense to reassess whether enormous quantities of data that only Appellants want preserved should continue to be preserved at the same scale -- and if so, whether Google alone should bear the cost,” it said. The appellants oppose the motion, but “do not identify any prejudice they will face from a limited remand,” said Google. The motion involves preserved data “that is not part of the discovery record and is indisputably irrelevant to the merits of their appeal,” it said.
In the 11th class action filed against T-Mobile for its November data breach, three plaintiffs from California and Pennsylvania allege T-Mobile was “clearly on notice and aware of its data security failures,” when the carrier suffered its eighth data breach since 2017. T-Mobile failed to comply with data security industry standards, said the privacy suit (2:23-cv-00172) in U.S. District Court for Western Washington in Seattle. Plaintiffs Robin Dollson of Bucks County, Pennsylvania; Candy Howard of San Mateo County, California; and Leonardo Figueroa of Los Angeles County had their personally identifiable information disclosed without authorization, said the complaint. As a result of the breach, which T-Mobile disclosed to users in a banner ad on its website and in a Jan. 19 8-K filing, plaintiffs have to expend additional time to review their credit reports and monitor their accounts for fraud or identity theft, it said. Data breach notices to customers were “woefully deficient” and “highly misleading,” the complaint said. It cited a comment from Chester Wisniewski, field chief technology officer at security company Sophos, saying the data stolen in the breach is “ideal for SIM swapping attacks and other forms of identity theft.” The November breach was “directly attributable to T-Mobile’s repeated history of security failures,” the complaint said. Plaintiffs claim negligence, breach of contract, unjust enrichment and violation of the Washington Consumer Protection Act, the Pennsylvania Unfair Trade Practices and Consumer Protection Law and three California laws: the Unfair Competition Law, Consumers Legal Remedies Act and Consumer Privacy Act. Plaintiffs seek an injunction requiring T-Mobile to employ adequate security protocols consistent with law and industry standards to protect customers’ information, plus statutory and treble damages, reasonable attorneys’ fees and additional relief to be determined by the court.
U.S. District Judge Harvey Bartle for Eastern Pennsylvania signed an order Thursday (docket 2:23-cv-00070) granting defendant Apple’s unopposed motion to transfer plaintiff Joaquin Serrano’s privacy class action to Northern California. Serrano’s complaint is one of several that allege Apple unlawfully records and uses consumers’ personal information and activity on its consumer mobile devices and apps, even after consumers explicitly indicate through Apple’s device settings that they don’t want their data and information shared. The first-filed rule and section 1404(a) support transfer on the grounds that a substantially similar case, Libman v. Apple (docket 5:22-cv-07069), was filed in Northern California nearly two months before Serrano’s complaint, said Apple’s Jan. 31 motion (see 2302020009).
U.S. District Judge Anthony Battaglia for Southern California in San Diego set an in-person hearing for April 20 at 2 p.m. PDT on Educational Credit Management Corp.’s (ECMC) motion to dismiss plaintiff Cynthia Lepur’s privacy class action for failure to state a claim, said Battaglia’s text-only order Thursday (docket 3:23-cv-00014). Lepur’s written opposition to the motion is due Feb. 16, ECMC’s reply brief Feb. 23, said the order. Sur-replies won't be accepted, it said. Lepur alleges ECMC, a student loan servicer, recorded its phone conversations with her without her consent, in violation of the California Invasion of Privacy Act (see 2301050046). ECMC’s motion to dismiss labels her complaint as “an improper attempt to step in and save an already-failed class action,” in defiance of binding case law and the first-to-file rule (see 2302020029).
Apple seeks to transfer a privacy class action, Serrano v. Apple, to U.S. District Court for Northern California from Eastern Pennsylvania under the first-filed rule, said its unopposed motion Tuesday (docket 2:23-cv-00070). Libman v. Apple (docket 5:22-cv-7069), filed Nov. 10, involves “substantially similar” subject matter, said the motion. The cases assert invasion of privacy and unjust enrichment claims.