Papa John's faces class-action lawsuit for alleged misuse of session tracking scripts

Session replay tools are used on a variety of websites for analytics purposes, but the pizza retailer faces claims it is engaged in unreasonable profiling

Pizza retailer Papa John’s is facing a class-action lawsuit over allegations that it used privacy-violating trackers on its website.

Customer David Kauffman filed a lawsuit against the pizza delivery giant under the Federal Wiretap Act and California Invasion of Privacy Act, alleging an illegal level of data collection on customers using its website via session replay tools.

Such tools are commonly used on websites but were described in the lawsuit as tantamount to spyware given the amount and type of data they monitor and communicate back to Papa John's.

Session replay scripts are often deployed for data analytics purposes but the lawsuit alleged that the volume and type of data collected far exceeds what is reasonably expected from a pizza-ordering website.

The scripts track a range of actions made by users on a website, including how long they stay on each page, what was clicked, and even mouse cursor movements, which are tracked and anonymised. These are often studied for advertising purposes, as well as to investigate buggy or broken website features.

However, the lawsuit argued that in failing to properly notify users of the scripts, Papa John’s has violated the Federal Wiretap Act, which penalises any entity who “intentionally intercepts, endeavours to intercept, or procures any other person to intercept or endeavour to intercept, any wire, oral, or electronic communication.” The CIPA also sets out punishment for anyone who attempts to intercept communications without the consent of all involved parties.

“Plaintiff and Class Members reasonably expected that visits to Defendant’s website would be private, and that Defendant would not be intercepting, tapping, connecting with, or otherwise attempting to understand their communications with Defendant’s website, particularly because Defendant failed to present Plaintiff and Class Members with a pop-up disclosure or consent form alerting Plaintiff that the visits to the website were monitored and recorded by Defendant,” the lawsuit read.

Firms such as Yandex and Clicktale provide session replay for their customers, as third-party services. The Freedom to Tinker group at Princeton’s Center for Information Technology Policy found evidence of session recording on the websites of companies such as HP, Comcast and Intel.

However, data protection regulations such as the Data Protection Act 2018, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) lay out strict boundaries on how personal data can be collected, and used to profile or identify individuals.

“The technology not only allows the tapping and unauthorised connection of a visitor’s electronic communication with a website, but also allows the user to create a detailed profile for each visitor to the site,” the lawsuit claimed.

The plaintiff is seeking damages of $10,000 or $100 per day and violation, whichever of the two is greater. Within the lawsuit, it is proposed that the class number of affected customers is “in the hundreds of thousands” and that the damages could therefore exceed $5,000,000.

Previous concerns around session replay technology have centred around the inadequate measures deployed by analytics service Glassbox to censor fields containing sensitive data such as passwords or payment information within session replay recordings.

IT Pro has approached Papa John’s for comment.
