In a mixed ruling, a federal judge has allowed a Pennsylvania resident to proceed with a claim that the retailer Harriet Carter Gifts and marketing tech company NaviStone violated a state wiretap law by using tracking technology that allegedly captures keystrokes.
But U.S. District Court Judge William Stickman IV in the Western District of Pennsylvania also threw out a claim that the companies engaged in “intrusion upon seclusion” -- a concept often defined as intention and offensive privacy intrusions.
The lawsuit, brought as a potential class-action by Laurence County, Pennsylvania resident Ashley Popa, centers on allegations that Harriet Carter's retail site uses NaviStone's code, which allegedly captures keystrokes and IP addresses that can be used to identify people.
If people type their email or home addresses while on a retailer's site, those addresses are recorded by NaviStone's keystroke-logging capabilities -- even if the users never hit the "enter" button, according to a 2017 Gizmodo report.
“NaviStone’s wiretap (procured by Harriet Carter) intercepted every mouse click and every keystroke of plaintiff and the putative class members,” Popa alleged in an amended complaint filed in July. “The wiretap recorded and disclosed all search queries, all Harriet Carter web-pages visited, and all information typed into forms on Harriet Carter’s website.”
A NaviStone spokesperson says the company does not log keystrokes. “NaviStone neither learns nor shares with its clients the identity of any anonymous website visitors,” the spokesperson states.
Stickman said in a ruling issued Friday that it isn't yet clear whether Pennsylvania's wiretap law applies to the companies, given the companies' locations.
Pennsylvania, where Harriet Carter Gifts is located, is one of 11 states that requires both parties to consent to the interception of electronic communications. But Navistone is headquartered in Ohio, which only requires the consent of one party.
Stickman said he hasn't yet been provided with “factual and technical background necessary to determine where the allegedly actionable conduct occurred.”
But, handing Popa a partial defeat, Stickman dismissed the claim that the companies engaged in “intrusion upon seclusion.”
“The act of collecting Popa's keystrokes, mouse clicks, and PII [personally identifiable information] is simply not the type of highly offensive act to which liability can attach,” the judge wrote.
That portion of the ruling appears to be at odds with a decision issued recently by a federal judge in California, who allowed web users to proceed with claims that NaviStone and the retailer Moosejaw violated a California state law that allows for lawsuits over “highly offensive” privacy violations.
“The complaint also alleges that NaviStone’s code scanned Revitch’s computer for files that revealed his identity and browsing habits,” U.S. District Court Judge Vince Chhabria in the Northern District of California wrote in that case. “A jury could conclude that this intrusion, which allegedly allowed NaviStone to associate Revitch’s browsing habits with his identity, is a highly offensive breach of norms.”
NaviStone and retailers have prevailed in other lawsuits. In July of 2018, a federal judge in New York dismissed claims that NaviStone and three retailers -- Moosejaw, mattress startup Casper, clothing retailer Tyrwhitt -- violated the federal wiretap law and New York's consumer protection laws.