PITTSBURGH – A Pennsylvania woman who filed class action litigation against video game retailer GameStop – charging that it violated a state wiretap law and invaded its customers’ privacy when it allegedly intercepted and recorded the electronic communications of visitors to its website – has appealed the dismissal of her case to the U.S. Court of Appeals for the Third Circuit.
Amber Cook (individually and on behalf of all others similarly situated) of Lawrence County first filed suit in the U.S. District Court for the Western District of Pennsylvania on Aug. 16, 2022 versus GameStop, Inc. of Grapevine, Texas.
“GameStop operates the website www.GameStop.com. GameStop is an online and brick-and-mortar retailer for gaming consoles, games, and accessories. However, unbeknownst to the millions of individuals perusing GameStop’s products online, GameStop intentionally procures and embeds various Session Replay Codes from Session Replay Providers on its website to track and analyze website user interactions with www.GameStop.com. One such Session Replay Provider that GameStop procures is Microsoft,” the suit said.
“Microsoft is the owner and operator of a Session Replay Code titled Clarity, which provides basic information about website user sessions, interactions, and engagement, and breaks down users by device type, county, and other dimensions. GameStop’s procurement and use of Microsoft Clarity’s Session Replay Code, and procurement and use of other Session Replay Codes through various Session Replay Providers, is a wiretap in violation Pennsylvania statutory and common law.”
The suit added the named plaintiff visited www.GameStop.com on her computer while in Pennsylvania and during a visit to GameStop’s website, she fell victim to the defendant’s “unlawful monitoring, recording, and collection of plaintiff’s website communications with www.GameStop.com.”
“Unknown to plaintiff, GameStop procures and embeds Session Replay Code on its website. During the website visit, plaintiff’s Website Communications were captured by Session Replay Code and sent to various Session Replay Providers. For example, when visiting www.GameStop.com, if a website user searches for a certain product, such as a video game, console or accessory, that information is captured by the Session Replay Codes embedded on the website. The wiretapping by the Session Replay Codes is ongoing during the visit and intercepts the contents of these communications between plaintiff and GameStop with instantaneous transmissions to the Session Replay Provider, as illustrated below, in which only 30 milliseconds were required to send a packet of even response data, which would indicate whatever the website user had just done,” the suit stated.
“The Session Replay Codes operate in the same manner for all putative Class members. Like plaintiff, each Class member visited www.GameStop.com with Session Replay Code embedded in it, and those Session Replay Codes intercepted the Class members’ Website Communications with www.GameStop.com by sending hyper-frequent logs of those communications to Session Replay Providers. Even if GameStop masks certain elements when it configures the settings of the Session Replay Code embedded on its website, any operational iteration of the Session Replay Code will, by its very nature and purpose, intercept the contents of communications between the website’s visitors and the website owner. For example, even with heightened masking enabled, Session Replay Providers will still learn through the intercepted data exactly which pages a user navigates to, how the user moves through the page (such as which areas the user zooms in on or interacted with), and additional substantive information.”
GameStop answered the class action suit on Nov. 3, 2022, arguing that the complaint failed to state a claim upon which relief could be granted.
“Despite the complaint’s repeated incantations of ‘privacy’ violations, it pleads no facts showing that GameStop actually collected any information that was personal or private within the common law understanding of a privacy right. Nor do any other alleged injuries establish standing. The complaint’s assertions of mental anguish and suffering are unsupported by any facts showing such harm – which makes sense since what is alleged is the collection of information about browsing on a video retailer’s public website. The claim that GameStop deprived Cook of the monetary value of her personal information is likewise insufficient because she does not allege she provided any personal information and, even if she did, courts routinely reject such a theory of standing,” according to the company’s answer.
“Second, even if she could establish Article III standing, Cook’s Pennsylvania Wiretap Act claim fails because she fails to allege that GameStop intercepted or procured the interception of any communications ‘contents’, a prerequisite for a violation. It is well-settled that mouse movements, mouse clicks and URLs are non-content information under state and federal wiretapping laws. As to ‘keystrokes,’ she does not actually allege she entered any keystrokes on GameStop’s website, let alone that GameStop collected those keystrokes. Third, to the extent any interception of content occurred, Cook consented to it. GameStop’s website Privacy Policy disclosed that GameStop may collect ‘usage information’ which it described as ‘information about your product searches, browsing behavior, clickstream information, use of our services, and date/time stamps’ – precisely the information Cook complains about. Because a link to the Privacy Policy generally appears on every page of GameStop’s website, Cook reasonably should have known about any collection and consented to it, by persisting to navigate to the website.”
Lastly, GameStop argued the complaint’s “common law intrusion upon seclusion claim fails as a matter of law because its allegations fall far short of the ‘extreme’ and ‘highly offensive’ conduct demanded by this claim” and that “the case law is clear that GameStop’s alleged collection of browsing information on its website does not come close to meeting this standard.”
UPDATE
On Aug. 28, U.S. District Court for the Western District of Pennsylvania Judge J. Nicholas Ranjan issued a memorandum opinion which granted GameStop’s motion and dismissed the case, finding that Cook had not demonstrated legitimate harm to confer standing, nor did she plead proper fact to support her claims associated with violation of the Wiretap Act.
“Here, Ms. Cook alleges that she has suffered the intangible harm of an ‘invasion of privacy,’ and analogizes that harm to ‘the age-old common law prohibitions and protections from and against invasion of privacy.’ According to her, the Court need not analyze ‘the sensitivity of the information’ that she alleges GameStop intercepted because there has been historical protection against ‘the idea of somebody eavesdropping on you, somebody intruding on your privacy, regardless of what the intrusion yields them. Put simply, the mere fact that GameStop recorded any information about Ms. Cook’s visit to GameStop’s website is injury enough to give her standing to sue. But that circular reasoning simply folds back onto a bare statutory violation, which the Supreme Court has clarified cannot be the basis for standing,” Ranjan said.
“The information that GameStop allegedly intercepted does not clear this threshold. Ms. Cook alleges that GameStop intercepted data regarding her ‘mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of web pages visited, and/or other electronic communications in real-time.’ More specifically, Ms. Cook claims that during a visit to GameStop’s website, she ‘browsed for different products for sale,’ ‘communicated with GameStop’s website by using her mouse to hover and click on certain products and typing search words into the search bar[,]’ and ‘selected a product to add to her shopping cart by clicking ‘add to cart.’ Perhaps more notable than what she allegedly did on GameStop’s website is what she did not do. Ms. Cook did not enter any personally identifying information at any point during her interaction. Not her name. Not her address. Not her credit card information. Nothing that could connect her browsing activity to her. She also doesn’t allege that GameStop did anything to figure out who she was, either. In effect, everything Ms. Cook did on GameStop’s website was completely anonymous. So, her allegations do not set forth a concrete harm.”
Ranjan added that “product preference information is not personal information”, and no different from what GameStop employees would have been able to observe if Ms. Cook had gone into a brick-and-mortar store and began browsing the inventory.” Ranjan further remarked, “Ms. Cook certainly doesn’t have a reasonable expectation of privacy in this kind of public shopping behavior in the physical world, and she doesn’t have it in the digital world, either.”
According to Ranjan, Cook did not state violations of the Wiretap Act, either.
“First, Ms. Cook’s allegations lack sufficient detail to support a claim. Paragraph 1 comes the closest to giving the Court a starting point for determining whether Ms. Cook has pled the elements of her wiretap claim, but even the allegations in that paragraph come up short. In Paragraph 1, Ms. Cook alleges that the code captured her ‘mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of web pages visited and/or other electronic communications in real-time.’ This allegation, though, lacks critical necessary details for the Court’s analysis of the type of information allegedly captured by GameStop’s Session Replay Code. What mouse movements? What did she hover over? What did she click? Which keystrokes did she enter? What kind of webpages did she visit? All this information should be available to Ms. Cook; after all, she is the one who allegedly browsed GameStop’s website. But it is absent from the amended complaint,” Ranjan said.
“The allegations in several of the other paragraphs cited by Ms. Cook are [also] problematic because they aren’t specific to GameStop. For example, the allegations in Paragraph 25 set forth claims about how Session Replay Code works ‘in general’ – notably absent are any specific allegations about whether GameStop’s code operated in the manner described. The same is true for Paragraphs 46 and 51, which merely describe the capabilities of Clarity. Missing are allegations about how GameStop implemented Clarity. It’s not enough for Ms. Cook to allege the potential capabilities of the Session Replay Code. Rather, she needed to allege that GameStop, in fact, harnessed the capabilities she describes, and it had the result of capturing the contents of specific communications. But she did not do that.”
The very same day of Ranjan’s ruling, Aug. 28, plaintiff counsel moved for the case to be appealed to the U.S. Court of Appeals for the Third Circuit.
For counts of violating the Pennsylvania Wiretap Act and invasion of privacy (intrusion upon seclusion), the plaintiffs are seeking the following reliefs:
• Certifying the class and appointing plaintiff as the class representative;
• Appointing plaintiff’s counsel as class counsel;
• Declaring that defendant’s past conduct was unlawful, as alleged herein;
• Declaring defendant’s ongoing conduct is unlawful, as alleged herein;
• Enjoining defendant from continuing the unlawful practices described herein, and awarding such injunctive and other equitable relief as the Court deems just and proper;
• Awarding plaintiff and the class members statutory, actual, compensatory, consequential, punitive and nominal damages, as well as restitution and/or disgorgement of profits unlawfully obtained;
• Awarding plaintiff and the class members pre-judgment and post-judgment interest;
•Awarding plaintiff and the class members reasonable attorneys’ fees, costs, and expenses; and
• Granting such other relief as the Court deems just and proper.
The plaintiffs are represented by Gary F. Lynch and Jamisen A. Etzel of Lynch Carpenter, in Pittsburgh.
The defendant is represented by Adam T. Petrun and William J. Wyrick of Cafardi Ferguson Wyrick Weis & Gabriel in Sewickley, plus Jeffrey G. Landis and Sheri B. Pan of ZwillGen, in Washington, D.C. and New York, N.Y.
U.S. Court of Appeals for the Third Circuit case 23-2574
U.S. District Court for the Western District of Pennsylvania case 2:22-cv-01292
From the Pennsylvania Record: Reach Courts Reporter Nicholas Malfitano at nick.malfitano@therecordinc.com