Pennsylvania resident Ashley Popa is asking an appellate court to revive her class-action privacy complaint against ad-tech company NaviStone over its tracking technology, which allegedly collected data from her after she visited Harriet Carter Gifts' website.
“NaviStone used software to surreptitiously collect and receive contents from Popa’s communications with the website,” lawyers for Popa write in papers filed Saturday with the 3rd Circuit Court of Appeals. “This is precisely the conduct prohibited as an illegal interception: using a device to contemporaneously acquire the contents of a communication without all parties’ knowledge and consent.”
The dispute dates to 2019, when Popa sued NaviStone and Harriet Carter over tracking technology that allegedly enables online retailers to arrange to send postal mail to “anonymous” web users after they visit a website.
Popa said in her complaint that she browsed the Harriet Carter site, which included code from NaviStone that allegedly “acted as a secret wiretap that sends visitors' IP address and other [personally identifiable information] to Navistone in real time.”
Among other claims, Popa contended that the companies violate Pennsylvania's wiretap law, which prohibits the interception of electronic communications without the consent of both parties.
NaviStone's tracking technology came to public attention in 2017, when Gizmodo reported that NaviStone's technology can capture email or home addresses that users type into retailers' sites, even if the users never hit the “enter” button. (After Gizmodo published its report, Navistone revised its technology, according to statements provided in court documents.)
The company denies that it identifies individuals or enables retailers to do so.
NaviStone said in court papers that it relies on cookie syncing, and draws on data held by ad-tech company Neustar to obtain mailing addresses for some consumers, without learning those people's names.
“To accomplish cookie syncing, the NaviStone code created a unique and anonymous client-specific visitor ID for each web browser that visited Harriet Carter's website, and set that ID in a cookie stored by the web browsing software,” NaviStone and Harriet Carter said in documents filed last year with U.S. District Court Judge William Stickman IV in the Western District of Pennsylvania.
Earlier this year, Stickman dismissed Popa's complaint, ruling that NaviStone didn't “intercept” any transmissions because it was a party to the communication.
“The information regarding certain activities of Popa on Harriet Carter's website was sent directly to Navistone,” he wrote. “As a result Navistone was a direct party to that information.”
He alternatively ruled that even if there was an interception, it occurred in Virginia, where NaviStone's servers are, and therefore wouldn't have violated Pennsylvania's relatively stringent law.
Popa's lawyers are now asking the 3rd Circuit to reverse Stickman's decision.
“From the perspective of Popa, the facts before the district court clearly showed that NaviStone was not an intended, necessary, known, or apparent recipient of her communications with [Harriet Carter Gifts],” they write.
They also say Pennsylvania law should have applied. “The interception at issue could not have physically happened in Virginia; it only occurred because NaviStone’s software was deployed to and then ran within Popa’s browser, running on her phone in Pennsylvania,” they argue.
NaviStone has faced several privacy lawsuits since 2018, and has so far defeated all of the cases brought in federal court.