• by Wendy Davis  @wendyndavis, June 18, 2021

Tech company NaviStone has defeated two privacy lawsuits -- one in Pennsylvania and another in California -- over its tracking technology, which enables online retailers to send mail to online visitors' postal addresses.

The Pennsylvania case, which was dismissed on Thursday, was brought in 2019 by Laurence County resident Ashley Popa, who sued NaviStone as well as the retailer Harriet Carter over the tracking technology.

Popa alleged in her class-action complaint that Harriet Carter's retail site violates Pennsylvania wiretap law by using NaviStone's tracking code, and that the companies engaged in “intrusion upon seclusion” -- a concept defined as intentional and offensive privacy intrusions.

Popa also initially claimed that NaviStone captured keystrokes and IP addresses that can be used to identify people. That allegation appeared to stem from a 2017 Gizmodo article.

NaviStone denies that its technology logs keystrokes, and that it identifies individuals or enables retailers to do so. Instead, the company said in court papers that it relies on cookie syncing, and draws on data held by ad-tech company Neustar to obtain mailing addresses for some consumers, without learning those people's names.

“To accomplish cookie syncing, the NaviStone code created a unique and anonymous client-specific visitor ID for each web browser that visited Harriet Carter's website, and set that ID in a cookie stored by the web browsing software,” NaviStone and Harriet Carter said in papers filed last year with U.S. District Court Judge William Stickman IV in the Western District of Pennsylvania.

Last year Stickman threw out the “intrusion upon seclusion” claim, but allowed Popa to proceed with allegations that the companies violated Pennsylvania's wiretap law, which prohibits companies from intercepting communications without consent.

On Thursday, Stickman dismissed the wiretap claim, ruling that NaviStone didn't intercept any transmissions because it was a party to the communication.

“The information regarding certain activities of Popa on Harriet Carter's website was sent directly to Navistone,” he wrote. “As a result Navistone was a direct party to that information.”

He alternatively ruled that even if there was an interception, it occurred in Virginia, not Pennsylvania, and therefore wouldn't have violated Pennsylvania law.

The California case involved a similar lawsuit brought against NaviStone and apparel retailer Moosejaw by state resident Jeremiah Revitch.

Moosejaw agreed to settle that matter earlier this year, but NaviStone pressed U.S. District Court Judge Vince Chhabria in the Northern District of California to rule that the company's technology doensn't violate the state's wiretapping law.

Last week, Chhabria threw out the case without reaching that issue. Instead, he said Revitch hadn't proven that NaviStone placed a cookie on his browser.

“For NaviStone’s code to track a user’s clickstream data, it must place a cookie on that user’s web browser,” Revitch wrote. “The only possible caveat is that the cookie might have been deleted after the fact, but Revitch has not produced any evidence that that happened and has stated that he has not deleted any cookies from his browser. Thus, on this quirky record, there is no genuine dispute: any reasonable factfinder would be compelled to conclude that NaviStone’s code never ran on Revitch’s browser.”

In 2018, the ad-tech company prevailed in a series of other privacy lawsuits.