Third Circuit Grants Standing for Intrusion Upon Seclusion When Payment Info Is Captured, Denies It for Mere Browsing

PHILADELPHIA (LN) — The Third Circuit on Monday reversed the dismissal of privacy claims by two shoppers who entered payment information on Bass Pro Shops and Cabela’s websites, but affirmed the dismissal of claims by six other plaintiffs who only browsed the sites.

The panel held that the surreptitious capture of complete credit card numbers by “Session Replay Code” constitutes a concrete injury analogous to the common-law tort of intrusion upon seclusion.

BPS Direct LLC and Cabela’s LLC embed the code on their retail websites to capture user interactions, including mouse movements, clicks, and text entries. The code activates whenever a user visits the site, allowing third-party providers to create video replays of the visit.

The providers store the data on their own servers and can aggregate it into unique “fingerprints” based on a user’s browser settings. If a user identifies themselves on one site, the provider can match that fingerprint to their identity and link their browsing history across other sites using the same provider.

Eight named plaintiffs sued BPS, alleging the code violated the Wiretap Act, the Computer Fraud and Abuse Act, and various state privacy laws. The cases were consolidated in the Eastern District of Pennsylvania.

The district court dismissed the complaint for lack of Article III standing, ruling that website users must allege the sharing of highly sensitive personal information, such as medical diagnoses or financial data from banks, to establish standing.

The Third Circuit reversed the dismissal for two plaintiffs, Heather Cornell and Peter Montecalvo, who made purchases on the BPS websites.

During checkout, Cornell and Montecalvo entered their names, addresses, and payment and billing information. The court interpreted “payment and billing information” to include complete credit or debit card numbers, expiration dates, and security codes.

The court held that the unauthorized interception of such sensitive information is closely analogous to the harm caused by intrusion upon seclusion, a tort that protects against unwelcome investigation or examination of private affairs.

“Just as one expects her private conversations, her mail, and the contents of her wallet or bank account to be free from unwelcome ‘investigation or examination,’ one expects her complete credit card or debit card number to be free from prying eyes,” the opinion said.

The court distinguished the case from Cook v. GameStop, Inc., where it previously ruled that session replay code did not create standing because the plaintiff did not enter personal information.

The remaining six plaintiffs—Brian Calvert, Timothy Durham, Marilyn Hernandez, Greg Moore Jr., Arlie Tucker, and Brittany Vonbergen—browsed the sites but made no purchases and entered no personal information.

The court held their injuries were not concrete because their browsing for quotidian items was no more private than physical browsing in a brick-and-mortar store.

The court also rejected the argument that the providers’ ability to aggregate data into fingerprints created standing for the six plaintiffs, noting they did not allege the providers actually used this functionality on the BPS sites.

The district court had dismissed the six plaintiffs’ claims with prejudice. The Third Circuit modified the order to dismiss those claims without prejudice, as dismissals for lack of standing should generally not be with prejudice.

The case is remanded for further proceedings consistent with the opinion.