Background
Outdoor products retailers Bass Pro Shops and Cabela’s use JavaScript session replay code on their websites to capture user interactions, including mouse movements and text entries. Eight plaintiffs sued, alleging violations of the Wiretap Act and the Computer Fraud and Abuse Act. The District Court dismissed all claims for lack of Article III standing, reasoning that users must allege the sharing of highly sensitive information like medical diagnoses or financial data to have standing. The court dismissed the claims of six plaintiffs who did not make purchases with prejudice, and dismissed the claims of two plaintiffs who made purchases without prejudice.
The court’s reasoning
The court analyzed whether the plaintiffs alleged injuries with a close relationship to harms traditionally recognized at common law. For the six plaintiffs who did not make purchases, the court found no standing because their browsing of non-sensitive items was not analogous to intrusion upon seclusion or public disclosure of private facts. For the two plaintiffs who entered complete credit card numbers, the court found that the unauthorized interception of such sensitive financial data is analogous to the tort of intrusion upon seclusion. The court also held that dismissals for lack of standing should be without prejudice.
Because two plaintiffs have done so, we will REVERSE the dismissal order as to them and REMAND for further proceedings.
In re BPS Direct, LLC; Cabela’s, LLC Wiretapping Litigation, No. 23-3235 (3d Cir. May 11, 2026)
What it means going forward
Retailers using session replay code may face litigation from users who enter sensitive financial information, but not from users who only browse without entering personal data. Plaintiffs dismissed without prejudice may amend their complaints to allege additional facts regarding sensitive data interception.
Podcast (federal-narrative-summaries): Play in new window | Download
