Pizza retailer Papa John’s is facing a class-action lawsuit over allegations that it used privacy-violating trackers on its website.
Customer David Kauffman filed a lawsuit against the pizza delivery giant under the Federal Wiretap Act and California Invasion of Privacy Act, alleging an illegal level of data collection on customers using its website via session replay tools.
Cyber security in the retail sector
Retailers need to ensure their business operations and internal data aren't breached
Such tools are commonly used on websites but were described in the lawsuit as tantamount to spyware given the amount and type of data they monitor and comunicate back to Papa John's.
Session replay scripts are often deployed for data analytics purposes but the lawsuit alleged that the volume and type of data collected far exceeds what is reasonably expected from a pizza-ordering website.
The scripts track a range of actions made by users on a website, including how long they stay on each page, what was clicked, and even mouse cursor movements are tracked and anonymised. These are often studied for advertising purposes, as well as to investigate buggy or broken website features.
However, the lawsuit argued that in failing to properly to notify users of the scripts, Papa John’s has violated the Federal Wiretap Act which penalises any entity who “intentionally intercepts, endeavours to intercept, or procures any other person to intercept or endeavour to intercept, any wire, oral, or electronic communication.” The CIPA also sets out punishment for anyone who attempts to intercept communications without the consent of all involved parties.
“Plaintiff and Class Members reasonably expected that visits to Defendant’s website would be private, and that Defendant would not be intercepting, tapping, connecting with, or otherwise attempting to understand their communications with Defendant’s website, particularly because Defendant failed to present Plaintiff and Class Members with a pop-up disclosure or consent form alerting Plaintiff that the visits to the website were monitored and recorded by Defendant,” the lawsuit read.
Firms such as Yandex and Clicktale provide session replay for their customers, as third-party services. The Freedom to Tinker group at Princeton’s Center for Information Technology Policy found evidence of session recording on the websites of companies such as HP, Comcast and Intel.
However, data protection regulations such as the Data Protection Act 2018, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) lay out strict boundaries on how personal data can be collected, and used to profile or identify individuals.
“The technology not only allows the tapping and unauthorised connection of a visitor’s electronic communication with a website, but also allows the user to create a detailed profile for each visitor to the site,” the lawsuit claimed.
The plaintiff is seeking damages of $10,000 or $100 per day and violation, whichever of the two is greater. Within the lawsuit, it is proposed that the class number of affected customers is “in the hundreds of thousands” and that the damages could therefore exceed $5,000,000.
Previous concerns around session replay technology have centred around the inadequate measures deployed by analytics service Glassbox to censor fields containing sensitive data such as passwords or payment information within session replay recordings.
IT Pro has approached Papa John’s for comment.
