Papa John’s faces class-action lawsuit for alleged misuse of session tracking scripts

Pizza retailer Papa John’s is facing a class-action lawsuit over allegations that it used privacy-violating trackers on its website.

Customer David Kauffman filed a lawsuit against the pizza delivery giant under the Federal Wiretap Act and California Invasion of Privacy Act, alleging an illegal level of data collection on customers using its website via session replay tools.

Such tools are commonly used on websites but were described in the lawsuit as tantamount to spyware given the amount and type of data they monitor and comunicate back to Papa John’s.

Session replay scripts are often deployed for data analytics purposes but the lawsuit alleged that the volume and type of data collected far exceeds what is reasonably expected from a pizza-ordering website.

The scripts track a range of actions made by users on a website, including how long they stay on each page, what was clicked, and even mouse cursor movements are tracked and anonymous. These are often studied for advertising purposes, as well as to investigate buggy or broken website features.

However, the lawsuit argued that in failing to properly notify users of the scripts, Papa John’s has violated the Federal Wiretap Act which penalises any entity who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” The CIPA also sets out punishment for anyone who attempts to intercept communications without the consent of all parties involved.

“Plaintiff and Class Members reasonably expected that visits to Defendant’s website would be private, and that Defendant would not be intercepting, tapping, connecting with, or otherwise attempting to understand their communications with Defendant’s website, particularly because Defendant failed to present Plaintiff and Class Members with a pop-up disclosure or consent form alerting Plaintiff that the visits to the website were monitored and recorded by Defendant,” the lawsuit read.

Firms such as Yandex and Clicktale provide session replay for their customers, as third-party services. The Freedom to Tinker group at Princeton’s Center for Information Technology Policy found evidence of session recording on the websites of companies such as HP, Comcast and Intel.

However, data protection regulations such as the Data Protection Act 2018, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) lay out strict boundaries on how personal data can be collected, and used to profile or identify individuals.

“The technology not only allows the tapping and unauthorized connection of a visitor’s electronic communication with a website, but also allows the user to create a detailed profile for each visitor to the site,” the lawsuit claimed.

The plaintiff is seeking damages of $10,000 or $100 per day and violation, whichever of the two is greater. Within the lawsuit, it is proposed that the class number of affected customers is “in the hundreds of thousands” and that the damages could therefore exceed $5,000,000.

Previous concerns around session replay technology have centered around the inadequate measures deployed by analytics service Glassbox to censor fields containing sensitive data such as passwords or payment information within session replay recordings.

IT Pro has approached Papa John’s for comment.

Featured Resources

Three ways manual coding is killing your business productivity

…and how you can fix it

Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Download

Winning with multi cloud

How to drive a competitive advantage and overcome data integration challenges

Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Download