• by Wendy Davis  @wendyndavis, November 16, 2020

Visitors to Harriet Carter Gifts' website had no “reasonable expectation of privacy” in data they generated because they failed to block cookies, Harriet Carter and marketing tech company NaviStone are telling a federal judge.

Harriet Carter and NaviStone make that argument in response to a lawsuit claiming the companies violated a Pennsylvania wiretap law by allegedly using tracking technology. The lawsuit, brought as a potential class-action by Laurence County, Pennsylvania resident Ashley Popa, centers on allegations that Harriet Carter's retail site uses NaviStone's code, which allegedly captures data about people's activity on the site for ad purposes. 

The lawsuit is one of several cases brought against NaviStone and retailers after Gizmodo reported in 2017 that NaviStone's technology can capture any data people type on retailers' sites, incuding email or home addresses. 

NaviStone denies logging keystrokes. The company says in court papers that it worked with ad-tech company Neustar to obtain mailing addresses for some consumers, but that it did so without learning those people's names.

Popa, who alleged she visited NaviStone in 2018, initially claimed NaviStone and Harriet Carter violated Pennsylvania's wiretap law, and were engaged in “intrusion upon seclusion” -- a concept often defined as intentional and offensive privacy intrusions.

Last December, U.S. District Court Judge William Stickman IV in the Western District of Pennsylvania dismissed the “intrusion upon seclusion” claim, but allowed Popa to proceed with her wiretap claim.

On Friday, Harriet Carter and NaviStone filed papers seeking summary judgment on the wiretap allegations. The companies make several arguments, including that Popa consented to the data collection. Pennsylvania's wiretap law prohibits companies from intercepting communications without parties' consent.

The companies argue that Harriet Carter's previous privacy policy (in effect from August 2016 through late March of 2019) disclosed that the company might collect “anonymous” data, which would be shared with third party vendors for ad purposes. That privacy policy -- which was provided to the judge in May -- also told users that “most commercially available web browsers” permit people to prevent cookies from being placed on their computers.

Harriet Carter and NaviStone now argue that those statements show Popa consented to the data collection.

“Harriet Carter made no secret that a user's decision to browse its website could result in data being shared with third parties,” the companies contend.

They add that Popa “had control over whether the NaviStone Code operated on her device,” because she could have taken steps -- such as disabling cookies -- to prevent NaviStone from gathering data.

“Plaintiff did not act to secure the privacy of information she chose to freely share. Having failed to do so, she did not have a reasonable expectation of privacy in her information,” the companies argue.

They also argue that NaviStone's code “is an anonymous behavior tracker of a kind ubiquitous across the Internet,” comparable to Google Analytics.

NaviStone also says the cookie-based data it collects is “anonymous,” and that it was able to sync that data with information held by ad-tech company Neustar, in order to obtain mailing addresses for some consumers, without learning those people's names.

“To accomplish cookie syncing, the NaviStone code created a unique and anonymous client-specific visitor ID for each web browser that visited Harriet Carter's website, and set that ID in a cookie stored by the web browsing software,” the companies write. “The code then sent this anonymous visitor ID, and nothing more, to Neustar, a company that maintained a list of mailing addresses associated with Neustar's own cookie ID. .... If Neustar had its own cookie ID stored on the visitor's web browser, Neustar “synced” its cookie ID to NaviStone's cookie ID.”

The companies add: “Visitor anonymity was preserved because neither NaviStone nor its client, Harriet Carter, ever learned the names and addresses associated with NaviStone's anonymous visitor IDs.”

NaviStone and a different retailer, Moosejaw, are facing a separate privacy lawsuit in California. Last October, a federal judge rejected the companies' request to dismiss that matter at an early stage of the case.

But NaviStone and retailers have prevailed in other lawsuits. In July of 2018, a federal judge in New York dismissed claims that NaviStone and three retailers --  Moosejaw, mattress startup Casper, clothing retailer Tyrwhitt -- violated the federal wiretap law and New York's consumer protection laws.