In In re BPS Direct, LLC; Cabela’s, LLC Wiretapping Litig., No. 23-3235 (3d Cir. May 11, 2026), the Third Circuit holds that customers who allege that their visits to retail websites were surreptitiously captured by session replay code (SRC), which thereby saved their personally identifying information, plead a sufficient injury-in-fact for Article III standing to seek damages for invasion of privacy.
Defendant retailers allegedly embedded SRC (JavaScript computer code) on their websites, which allowed them to intercept, record, and map customers’ electronic communications. “The code activates anytime a user visits one of these websites, allowing it to surreptitiously intercept nearly every action a user takes on the site, including ‘all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, [and] text entries.’” This code was not disclosed to the customers, and they had no opportunity to consent or opt out of such surveillance.
Third-party vendors called session replay providers or SRPs (Providers) aggregate and store users’ data under identifiers called “fingerprints,” data that then becomes available across other retail platforms. “If a user identifies herself on one of these websites (by filling out a form, for example), a Provider can match that user’s ‘fingerprint’ with her identity. That Provider can then connect that user’s identity with her prior web browsing activity from sites that use the same Provider’s Session Replay Code, including from websites where the user intended to remain anonymous by, for instance, enabling private browsing.”
Eight individuals sued the retailers alleging violations of the Wiretap Act, 18 U.S.C. § 2510 et seq.; the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq.; and state and common-law causes of action. Two plaintiffs (Cornell and Montecalvo) made purchases and provided names, addresses, and other personally identifying information. Six other plaintiffs browsed the sites but made no purchases. The district court held that none of the plaintiffs had Article III standing because they did not allege the sharing of “highly sensitive personal information such as a medical diagnosis or financial data from banks or credit cards.”
The Third Circuit reverses in part. “The plaintiffs here argue that their injuries are analogous to the harms recognized by two common-law torts: (1) public disclosure of private facts and (2) intrusion upon seclusion. As explained below, no plaintiffs have alleged injuries analogous to those caused by a public disclosure of private facts, and only Montecalvo and Cornell have alleged injuries analogous to those caused by an intrusion upon seclusion.”
The six plaintiffs who did not make purchases lacked standing, the Third Circuit holds. While the SRC allegedly “captured the ‘mouse clicks and movements, keystrokes, search terms,’ . . . . that information was neither sensitive nor linked to these plaintiffs’ identities.” Thus, those plaintiffs could not plausibly allege “embarrassment or humiliation” by the disclosure.
But the two plaintiffs who did share such information suffered an injury analogous to intrusion upon seclusion.
“Cornell and Montecalvo entered their ‘payment and billing information’ to make purchases on BPS’s websites, and online purchases typically require a complete credit or debit card number to finalize the transaction. A complete credit card number grants access to a line of credit that the credit card holder must repay. And a complete debit card number allows individuals and companies to withdraw funds directly from a person’s bank account. That information is highly sensitive. We have little trouble concluding that the unauthorized disclosure of a complete credit card or debit card number would cause harm analogous to that vindicated by common-law public disclosure of private facts.”
“Just as one expects her private conversations, her mail, and the contents of her wallet or bank account to be free from unwelcome ‘investigation or examination’ . . . one expects her complete credit card or debit card number to be free from prying eyes. So when [defendants] permitted . . . [the] Providers to surreptitiously record Cornell’s and Montecalvo’s complete credit card or debit card numbers, it caused those plaintiffs harm closely analogous to that vindicated by the intrusion upon seclusion tort.”
“Thus, Cornell and Montecalvo have standing based on their allegations that BPS embedded Session Replay Code in its websites, allowing the Providers to surreptitiously record their billing and payment information absent consent.”
