• by Wendy Davis  @wendyndavis, 8 hours ago

Bloomingdale's must face a claim that it violated a California privacy law by allegedly using "session replay" tracking technology provided by an ad-tech company, a federal appellate court ruled Friday.

The technology allegedly captured shoppers' "interactions" with the retailer's site, and enabled the ad-tech provider to learn of those interactions.

Friday's ruling, issued by the 9th Circuit Court of Appeals, reversed a trial judge's order dismissing that claim.

The decision came in a lawsuit brought in March 2023 by San Diego County resident Erica Mikulsky, who alleged in a class-action complaint that Bloomingdale's violated California's wiretap law, which prohibits anyone from intercepting communications in transit.

She specifically alleged that she shopped online at Bloomingdale's, and that its website used session replay code provided by an ad-tech business. She alleged that the software enabled the ad-tech company to record her "interactions" with the site, including mouse moves, key presses and page navigation.

"Session replay code captures and records nearly every action a website visitor takes while on the website, including actions that reveal the visitor’s personal or private sensitive data, even when the visitor does not intend to submit the data to the website operator, or has not finished submitting the data to the website operator," she alleged.

"The clandestinely deployed code provides online marketers and website designers with insights into the user experience," she added in the complaint.

The lawsuit is one of numerous recent cases centering on allegations that website operators wrongly embed session replay code on their sites.

In addition to claiming that Bloomingdale's violated a California wiretap law, she accused the company of "intrusion upon seclusion" -- a claim that can be brought in California over "highly offensive" privacy violations.

U.S. District Court Judge James Lorenz in the Southern District of California threw out the case last year, ruling that even if the allegations were proven true, they wouldn't establish either of the claims.

Lorenz specifically ruled that any interceptions would have been of "record data" -- not communications.

He also ruled that the allegations, if true, wouldn't warrant a finding that Bloomingdale's engaged in "highly offensive" behavior.

Mikulsky appealed to the 9th Circuit, which restored her claim that the retailer violated California's wiretap law, ruling that the allegations centered on the interception of "communications," not merely metadata.

"The complaint alleged real-time capture of the contents of Mikulsky’s communications on defendants’ website without her consent, not merely the real-time capture of information regarding the characteristics of the communications," Circuit Judges Jay Bybee, Sandra Segal Ikuta and Danielle Forrest wrote in an unsigned opinion. (The judges did not revive the claim regarding intrusion upon seclusion.)

Late last year, a three-judge panel of the 9th Circuit sided with Bloomingdale's in a similar suit. In that case, however, the judges said the plaintiff -- California resident Amanda Daghaly -- failed to allege specifics regarding her activity on the company's site.

"Daghaly’s allegations about her own interactions with the Bloomingdales.com website are sparse,” Circuit Judges Marsha Berzon and Michelle Friedland, and District Court Judge Matthew F. Kennelly wrote in that case.

Daghaly “alleges only that she 'visited' and 'accessed' the website ... but she does not allege that she herself actually made any communications that could have been intercepted once she had accessed the website,” the judges added.