IN THE UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF MISSOURI
EASTERN DIVISION

ANN JONES, individually and on behalf of all others similarly situated,

Plaintiff,

v.

BED BATH & BEYOND INC.,

Defendant.

CASE NO. 4:23-cv-00082

JURY TRIAL DEMANDED

COMPLAINT - CLASS ACTION
`
`Plaintiff Ann Jones (“Plaintiff”), individually and on behalf of all others similarly situated,
`
`hereby files this class action complaint against Defendant Bed Bath & Beyond Inc. (“Defendant”)
`
`and in support thereof alleges the following:
`
`INTRODUCTION
`
1. This is a class action brought against Defendant for surreptitiously intercepting and wiretapping the electronic communications of visitors to its website, www.bedbathandbeyond.com. Defendant procures a third-party vendor, Quantum Metric, to utilize “session replay” spyware to intercept Plaintiff’s and the Class members’ electronic computer-to-computer data communications (“Electronic Communications”) with Defendant’s website, including how they interacted with the website, their mouse movements and clicks, keystrokes, search terms, information inputted into the website, and pages and content viewed while visiting the website. Defendant intercepted, stored, and recorded electronic communications regarding the webpages visited by Plaintiff and the Class Members, as well as everything Plaintiff and the Class Members did on those pages, e.g., what they searched for, what they looked at, the information they inputted, and what they clicked on.
`
`
`
`
`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 2 of 52 PageID #: 2
`
`2.
`
`The “session replay” spyware utilized by Defendant is not a traditional website
`
`cookie, tag, web beacon, or analytics tool. It is a sophisticated computer spyware that allows
`
`Defendant to contemporaneously intercept, capture, read, observe, re-route, forward, redirect, and
`
`receive incoming Electronic Communications to its website. Plaintiff’s and Class Members’
`
`Electronic Communications are then stored by Defendant using an outside vendor’s services and
`
`can later be viewed and utilized by Defendant to create a session replay, which is essentially a
`
`video of a Class Member’s entire visit to Defendant’s website.
`
3. Defendant’s conduct violates the Missouri Wiretap Act, Mo. Ann. Stat. §§ 542.400 et seq., the Missouri Merchandising Practices Act, Mo. Rev. Stat. § 407.010 et seq., the Electronic Communications Privacy Act, 18 U.S.C. § 2511(1) et seq., 18 U.S.C. § 2511(3)(a) et seq., and 18 U.S.C. § 2701 et seq.; Title II, 18 U.S.C. § 2702 et seq.; the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq.; and constitutes (i) an invasion of the privacy rights of website visitors and (ii) a trespass to chattels.
`
4. Plaintiff brings this action individually and on behalf of a class of all natural persons in the United States (1) who visited Defendant’s website, www.bedbathandbeyond.com, and (2) whose electronic communications were intercepted by Defendant or on Defendant’s behalf (the “Nationwide Class”) and on behalf of a subclass of all natural persons in the State of Missouri (1) who visited Defendant’s website, www.bedbathandbeyond.com, and (2) whose electronic communications were intercepted by Defendant or on Defendant’s behalf (the “Missouri Class”) and seeks all civil remedies provided under the causes of action, including but not limited to compensatory, statutory, and/or punitive damages, and attorneys’ fees and costs.
`
`5.
`
`Plaintiff brings this action individually and on behalf of a class of all persons whose
`
`electronic communications were intercepted and seeks all damages allowed by law.
`
`
`PARTIES
`
`6.
`
`Plaintiff Ann Jones is a citizen of the State of Missouri, and at all times relevant to
`
`this action, resided and was domiciled in St. Louis County, Missouri. Plaintiff is a citizen of
`
`Missouri.
`
7. Defendant Bed Bath & Beyond Inc. is, and has been at all times mentioned herein, a New York corporation with its principal place of business in New Jersey. Defendant is therefore a citizen of New York and New Jersey.
`
`
`
`JURISDICTION AND VENUE
`
`8.
`
`This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1332(d)(2)(A)
`
`because this case is a class action where the aggregate claims of all members of the proposed class
`
`are in excess of $5,000,000.00, exclusive of interest and costs, there are 100 or more members of
`
`the proposed class, and at least one member of the proposed class, including Plaintiff, is a citizen
`
`of a state different than Defendant.
`
`9.
`
`This Court further has subject matter jurisdiction pursuant to 28 U.S.C. § 1331
`
`because this action arises under 18 U.S.C. § 2510, et seq., 18 U.S.C. § 2701, et seq., and 18 U.S.C.
`
`§ 1030, et seq., and this Court has supplemental jurisdiction over the remaining state law claims
`
`pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy
`
`under Article III of the United States Constitution.
`
`10.
`
`This Court has personal jurisdiction over Defendant because a substantial part of
`
`the events and conduct giving rise to Plaintiff’s claims occurred in Missouri. The privacy violations
`
`complained of herein resulted from Defendant’s purposeful and tortious acts directed towards
`
`Class Members while they were located within Missouri.
`
`11.
`
`Defendant markets its products online via its website and ships products to Missouri
`
`
`residents—i.e., Defendant intends for Missouri residents to purchase its products online and, in
`
`turn, delivers its products to Missouri. During this process, Plaintiff alleges Defendant
`
`surreptitiously intercepted and wiretapped Plaintiff’s electronic communications on its website
`
`while Plaintiff and Class Members were located in Missouri. At all relevant times, Defendant
`
`knew its practices would directly result in collection of information from Missouri citizens while
`
`browsing www.bedbathandbeyond.com. Defendant chose to avail itself of the business
`
`opportunities of marketing and selling its goods in Missouri and collecting real-time data from
`
`website visit sessions initiated by customers located in Missouri, and the claims alleged herein
`
`arise from those activities. Additionally, Bed Bath & Beyond Inc. has at least 12 physical brick
`
`and mortar stores located in Missouri, five (5) of which are within this District.1 As such, it would
`
`not offend the “traditional notion of fair play and substantial justice” to order Bed Bath & Beyond
`
`Inc. to defend the claims lodged against it in Missouri.
`
`12.
`
`Defendant also knows that many users visit and interact with Defendant’s website
`
`while they are physically present in Missouri. Both desktop and mobile versions of Defendant’s
`
`website allow a user to search for nearby stores by providing the user’s location, as does the
`
`Defendant’s app. Users’ employment of automatic location services in this way means that
`
`Defendant is continuously made aware that its website is being visited by people located in
`
`Missouri, and that such website visitors are being wiretapped in violation of federal and Missouri
`
`statutory law and common law.
`
`13.
`
`Pursuant to 28 U.S.C. § 1391, this Court is the proper venue for this action because
`
`a substantial part of the events, omissions, and acts giving rise to the claims herein occurred in this
`
`District.
`
`
`1 https://www.bedbathandbeyond.com/locations/state/MO (last visited: January 24, 2023).
`
`
`
`
`FACTUAL ALLEGATIONS
`
`A. Website User and Usage Data Have Immense Economic Value.
`
`14.
`
`The “world’s most valuable resource is no longer oil, but data.”2
`
`15.
`
`Earlier this year, Business News Daily reported that some businesses collect
`
`personal data (i.e., gender, web browser cookies, IP addresses, and device IDs), engagement data
`
`(i.e., how consumers interact with a business’s website, applications, and emails), behavioral data
`
`(i.e., customers’ purchase histories and product usage information), and attitudinal data (i.e., data
`
`on consumer satisfaction) from consumers.3 This information is valuable to companies because
`
`they can use this data to improve customer experiences, refine their marketing strategies, capture
`
`data to sell it, and even to secure more sensitive consumer data.4
`
`16.
`
`In a consumer-driven world, the ability to capture and use customer data to shape
`
`products, solutions, and the buying experience is critically important to a business’s success.
`
`Research shows that organizations who “leverage customer behavior insights outperform peers by
`
`85 percent in sales growth and more than 25 percent in gross margin.”5
`
`17.
`
`In 2013, the Organization for Economic Cooperation and Development (“OECD”)
`
`even published a paper entitled “Exploring the Economics of Personal Data: A Survey of
`
`
2 The world’s most valuable resource is no longer oil, but data, The Economist (May 6, 2017), https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longeroil-but-data.
3 Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It), Business News Daily (Aug. 5, 2022), https://www.businessnewsdaily.com/10625-businesses-collecting-data.html.
4 Id.
5 Brad Brown, Kumar Kanagasabai, Prashant Pant & Goncalo Serpa Pinto, Capturing value from your customer data, McKinsey (Mar. 15, 2017), https://www.mckinsey.com/business-functions/quantumblack/our-insights/capturing-value-from-your-customer-data.
`
`
`Methodologies for Measuring Monetary Value.”6 In this paper, the OECD measured prices
`
`demanded by companies concerning user data derived from “various online data warehouses.”7
`
`18.
`
`OECD indicated that “[a]t the time of writing, the following elements of personal
`
`data were available for various prices: USD 0.50 cents for an address, USD 2 [i.e., $2] for a date
`
`of birth, USD 8 for a social security number (government ID number), USD 3 for a driver’s license
`
`number and USD 35 for a military record. A combination of address, date of birth, social security
`
`number, credit record and military record is estimated to cost USD 55.”8
`
`B. Website Users Have a Reasonable Expectation of Privacy in Their Interactions
`with Websites.
`
`19.
`
`Consumers are skeptical and are wary about their data being collected. A report
`
`
`
`released by KPMG shows that “a full 86% of the respondents said they feel a growing concern
`
`about data privacy, while 78% expressed fears about the amount of data being collected.”9
`
`20.
`
`Another recent paper also indicates that most website visitors will assume their
`
`detailed interactions with a website will only be used by the website and not be shared with a party
`
`they know nothing about.10 As such, website visitors reasonably expect that their interactions with
`
`a website should not be released to third parties unless explicitly stated.11
`
`
6 Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value, OECD Digital Economy Papers, No. 220 (Apr. 2, 2013), https://www.oecdilibrary.org/docserver/5k486qtxldmq-en.pdf.
7 Id. at 25.
8 Id.
9 Lance Whitney, Data privacy is a growing concern for more consumers, TechRepublic (Aug. 17, 2021), https://www.techrepublic.com/article/data-privacy-is-a-growing-concern-for-more-consumers/.
10 CUJO AI Recent Survey Reveals U.S. Internet Users Expectations and Concerns Towards Privacy and Online Tracking, CUJO (May 26, 2020), https://www.prnewswire.com/news-releases/cujo-ai-recent-survey-reveals-us-internet-users-expectations-and-concerns-towards-privacy-and-online-tracking-301064970.html.
11 Frances S. Grodzinsky, Keith W. Miller & Marty J. Wolf, Session Replay Scripts: A Privacy Analysis, The Information Society, 38:4, 257, 258 (2022).
`
`
`21.
`
`Privacy polls and studies show that a majority of Americans consider one of the
`
`most important privacy rights to be the need for an individual’s affirmative consent before a
`
`company collects and shares its customers’ data.
`
`22.
`
`A recent study by Consumer Reports shows that 92% of Americans believe that
`
`internet companies and websites should be required to obtain consent before selling or sharing
`
`consumers’ data, and the same percentage believe internet companies and websites should be
`
`required to provide consumers with a complete list of the data that has been collected about them.12
`
`23. Moreover, according to a study by Pew Research Center, a majority of Americans,
`
`approximately 79%, are concerned about how data is collected about them by companies.13
`
`24.
`
`Users act consistently with their expectation of privacy. Following a new rollout of
`
`the iPhone operating software—which asks users for clear, affirmative consent before allowing
`
`companies to track users—85 percent of worldwide users and 94 percent of U.S. users chose not
`
`to allow such tracking.14
`
`
`
C. How Session Replay Technology Works.

25. Session replay technology, such as that implemented on www.bedbathandbeyond.com, enables website operators to record, save, and replay website
`
`visitors’ interactions with a given website. The clandestinely deployed code provides online
`
`
12 Consumers Less Confident About Healthcare, Data Privacy, and Car Safety, New Survey Finds, Consumer Reports (May 11, 2017), https://www.consumerreports.org/consumerreports/consumers-less-confident-about-healthcare-data-privacy-and-car-safety/.
13 Americans and Privacy: Concerned, Confused, and Feeling Lack of Control Over Their Personal Information, Pew Research Center (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-Confusedand-feeling-lack-of-control-over-their-personal-information/.
14 Margaret Taylor, How Apple screwed Facebook, Wired (May 19, 2021), https://www.wired.co.uk/article/apple-ios14-facebook.
`
`
`marketers and website designers with insights into the user experience by recording website
`
`visitors “as they click, scroll, type or navigate across different web pages.”15
`
`26. While session replay technology is utilized by websites for some legitimate
`
`purposes, it goes well beyond normal website analytics when it comes to collecting the actual
`
`contents of communications between website visitors and websites. Unlike other online
`
`advertising tools, session replay technology allows a website to capture and record nearly every
`
`action a website visitor takes while visiting the website, including actions that reveal the visitor’s
`
`personal or private sensitive data, sometimes even when the visitor does not intend to submit the
`
`data to the website operator, or has not finished submitting the data to the website operator.16 As a
`
`result, website visitors “aren’t just sharing data with the [web]site they’re on . . . but also with an
`
`analytics service that may be watching over their shoulder.”17
`
`27.
`
`Session replay technology works by inserting a computer spyware into the various
`
`event handling routines that web browsers use to receive input from users, thus intercepting the
`
`occurrence of actions the user takes. When a website delivers session replay technology to a user’s
`
`browser, the browser will follow the spyware’s instructions by sending responses in the form of
`
`“event” data to a designated third-party server. Typically, the server receiving the event data is
`
`controlled by the third-party entity that wrote the session replay technology, rather than the owner
`
`of the website where the spyware is installed.
`
`28.
`
`The types of events captured by session replay technology vary by specific product
`
`
15 Erin Gilliam Haije, [Updated] Are Session Recording Tools a Risk to Internet Privacy?, Mopinion (Mar. 7, 2018), https://mopinion.com/are-session-recording-tools-a-risk-to-internet-privacy/.
16 Id.
17 Eric Ravenscraft, Almost Every Website You Visit Records Exactly How Your Mouse Moves, Medium (Feb. 5, 2020), https://onezero.medium.com/almost-every-website-you-visit-records-exactly-how-your-mouse-moves-4134cb1cc7a0.
`
`
`and configuration, but in general, are wide-ranging and can encompass virtually every user action,
`
`including all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry, and
`
`numerous other forms of a user’s navigation and interaction through the website. To permit an
`
`accurate reconstruction of a user’s visit, the session replay technology must be capable of capturing
`
`these events at hyper-frequent intervals, often just milliseconds apart. Events are typically
`
`accumulated and transmitted in blocks periodically throughout the user’s website session, rather
`
`than after the user’s visit to the website is completely finished.
`
`29.
`
`Unless specifically masked through configurations chosen by the website owner,
`
`some visible contents of the website may also be transmitted to the third-party vendor.
`
`30.
`
`Once the events from a user session have been recorded by the session replay
`
`technology, a website operator can view a visual reenactment of the user’s visit through the third-
`
`party vendor usually in the form of a video, meaning “[u]nlike typical analytics services that
`
`provide aggregate statistics, these scripts are intended for the recording and playback of individual
`
`browsing sessions.”18
`
`31.
`
`Because most session replay technology will by default indiscriminately capture
`
`the maximum range of user-initiated events and content displayed by the website, researchers have
`
`found that a variety of highly sensitive information can be captured in event responses from
`
`website visitors, including medical conditions, credit card details, and other personal information
`
`displayed or entered on webpages.19
`
`
`
`
18 Steven Englehardt, No boundaries: Exfiltration of personal data by session-replay scripts, Freedom to Tinker (Nov. 15, 2017), https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/.
19 Id.
`
`
32. The following screenshot provides an example of a typical recording of a visit to a website captured utilizing session replay spyware, which includes mouse movements, keystrokes and clicks, search terms, content viewed, and information inputted by the website visitor:
`
`
`
`33. Most alarming, session replay technology may capture data that the user did not
`
`even intentionally transmit to a website during a visit, and then make that data available to website
`
`owners when they access the session replay through the third-party vendor. For example, if a user
`
`writes information into a text form field, but then chooses not to click a “submit” or “enter” button
`
`on the website, the session replay technology may nevertheless cause the non-submitted text to be
`
`sent to the designated event-response-receiving server before the user deletes the text or leaves the
`
`page. This information will then be viewable to the website owner when accessing the session
`
`replay through the third-party vendor.
`
34. Session replay technology does not necessarily anonymize user sessions, either.

35. First, if a user’s entry of personally identifying information is captured in an event response, that data will become known and visible to both the third-party vendor and the website owner.
`
`36.
`
`Second, if a website displays user account information to a logged-in user, that
`
`content may be captured by session replay technology.
`
37. Third, some third-party vendors explicitly offer website owners cookie functionality that permits linking a session to an identified user, who may be personally identified if the website owner has associated the user with an email address or username.20
`
38. Third-party vendors often create “fingerprints” that are unique to a particular user’s combination of device and browser settings, screen configuration, and other detectable information. The resulting fingerprint, which is often unique to a user and rarely changes, is collected across all sites that the third-party vendor monitors.
`
`39. When a user eventually identifies themselves to one of these websites (such as by
`
`filling in a form), the provider can then associate the fingerprint with the user identity and can then
`
`back-reference all of that user’s other web browsing across other websites previously visited,
`
`including on websites where the user had intended to remain anonymous—even if the user
`
`explicitly indicated that they would like to remain anonymous by enabling private browsing.
`
`40.
`
`In addition to the privacy invasions caused by the diversion of user communications
`
with websites to third-party [vendors], session replay technology also exposes website visitors to
`
`identity theft, online scams, and other privacy threats.21 Indeed, “[t]he more copies of sensitive
`
`information that exist, the broader the attack surface, and when data is being collected [] it may
`
`not be stored properly or have standard protections” increasing “the overall risk that data will
`
`
20 Id.; see also FS.identify – Identifying users, FullStory, https://help.fullstory.com/hc/en-us/articles/360020828113 (last visited Sep. 8, 2022).
21 Juha Saarinen, Session Replay is a Major Threat to Privacy on the Web, itnews (Nov. 16, 2017), https://www.itnews.com.au/news/session-replay-is-a-major-threat-to-privacy-on-the-web-477720.
`
`
`someday publicly leak or be breached.”22
`
`41.
`
`Recognizing the privacy concerns posed by session replay technology, in 2019
`
Apple required app developers to remove or properly disclose the use of analytics code that allows
`
`app developers to record how a user interacts with their iPhone apps or face immediate removal
`
`from the app store.23 In announcing this decision, Apple stated: “Protecting user privacy is
`
`paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request
`
`explicit user consent and provide a clear visual indication when recording, logging, or otherwise
`
`making a record of user activity.”24
`
D. Bed Bath & Beyond Inc. Secretly Wiretaps its Website Visitors’ Electronic Communications.

42. Bed Bath & Beyond Inc. operates the website www.bedbathandbeyond.com. Bed Bath & Beyond Inc. is ranked 381 on the Fortune 500 list in the United States, with customers regularly using its website to inquire about products and make purchases.
`
`43.
`
`However, unbeknownst to the thousands of individuals perusing Defendant’s goods
`
`and services online, Defendant intentionally procures and embeds session replay technology from
`
`a third-party vendor on its website to track and analyze website user interactions with
`
`www.bedbathandbeyond.com. Because the third-party vendor is an unknown eavesdropper to
`
`visitors to www.bedbathandbeyond.com, it is not a party to website visitors’ electronic
`
`communication with Defendant.
`
E. Plaintiff’s and Class Members’ Experience.
`
`
`
`
22 Lily Hay Newman, Covert ‘Replay Sessions’ Have Been harvesting Passwords by Mistake, WIRED (Feb. 26, 2018), https://www.wired.com/story/covert-replay-sessions-harvesting-passwords/.
23 Zack Whittaker, Apple Tells App Developers to Disclose or Remove Screen Recording Code, TechCrunch (Feb. 7, 2019), https://techcrunch.com/2019/02/07/apple-glassbox-apps/.
24 Id.
`
`
`44.
`
`Plaintiff has visited www.bedbathandbeyond.com while in Missouri. Specifically,
`
`Plaintiff visited www.bedbathandbeyond.com via the web browser on her computer and mobile
`
`device (collectively referred to herein as “computing devices”).
`
45. While visiting Defendant’s website, Plaintiff fell victim to Defendant’s unlawful monitoring, recording, and collection of Plaintiff’s electronic communication with www.bedbathandbeyond.com.
`
`46.
`
`Unknown to Plaintiff, Defendant procures and embeds session replay technology
`
`on its website.
`
`47.
`
`During Plaintiff’s visits to Defendant’s website, Plaintiff, through her computer and
`
`mobile device, transmitted Electronic Communications in the form of instructions to Defendant’s
`
`computer servers utilized to operate the website. The commands were sent as messages instructing
`
`Defendant what content was being viewed, clicked on, requested and/or inputted by Plaintiff. The
`
`communications sent by Plaintiff to Defendant’s servers included, but were not limited to, the
`
`following actions taken by Plaintiff while on the website: mouse clicks and movements,
`
`keystrokes, substantive information inputted by Plaintiff, pages and content viewed by Plaintiff,
`
`scroll movement, and copy and paste actions.
`
`48.
`
`Defendant responded to Plaintiff's Electronic Communications by supplying—
`
`through its website—the information requested by Plaintiff. This series of requests and responses
`
`—whether online or over the phone—is Electronic Communications under the Missouri Wiretap
`
`Act.
`
`49.
`
`During the website visits, Plaintiff’s Electronic Communications were watched in
`
`real-time and captured by session replay technology and sent to a third-party vendor.
`
50. For example, when visiting www.bedbathandbeyond.com, if a website user looks at Defendant’s offerings, that information is captured by the session replay technology embedded on the website.
`
`51. When you select a store closest to you to see its inventory or to place an order for
`
`pick-up, that information is sent to the third-party vendor.
`
`52.
`
`The session replay technology operates in the same manner for all putative Class
`
`Members.
`
`53.
`
`Like Plaintiff, each Class Member visited www.bedbathandbeyond.com with
`
`session replay technology embedded in it, and the session replay technology watched and
`
`intercepted the Class Members’ electronic communications with www.bedbathandbeyond.com by
`
`sending hyper-frequent logs of those communications to a third-party vendor.
`
`54.
`
`Even if Defendant masks certain elements when it configures the settings of the
`
`session replay technology embedded on its website, any operational iteration of the session replay
`
`technology will, by its very nature and purpose, intercept the contents of communications between
`
`the website’s visitors and the website owner.
`
`55.
`
`For example, even with heightened masking enabled, the third-party vendor will
`
`still learn through the intercepted data exactly which pages a user navigates to, how the user moves
`
`through the page (such as which areas the user zooms in on or interacted with), and additional
`
`substantive information.
`
`56.
`
`As a specific example, if a user types a product into Defendant’s main search bar
`
`and initiates a search, even if the text entered into the search bar is masked, the third-party vendor
`
`will still learn what is entered into the bar as soon as the search result page loads. This is so because
`
`the responsive search results will be displayed on the subsequent page, and the responsive content
`
`generated by Defendant will repeat the searched information back on the generated page. That
`
`
`information will not be masked even if user-inputted text is fully masked in a text field.
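
The masking gap described in paragraphs 54 through 56, as an added example that is not part of the complaint: a JavaScript check a site operator could run over a replay batch captured from its own test visit, looking for a known test string typed into a masked field that reappears in unmasked fields. The event format, field names, canary string, and shop.example URLs are constructed for illustration and are not any vendor's actual format.

```javascript
// Added example (not from the complaint): audit a captured session-replay
// batch for "reflected" leaks, where text typed into a masked field shows up
// again in unmasked parts of the same recording.

// Constructed test string a QA visit types into the masked search box.
const CANARY = "zq7 canary lamp";

// Constructed sample batch; the schema is hypothetical.
const sampleBatch = [
  { t: 0, type: "navigate", url: "https://shop.example/" },
  // Input masking works here: only asterisks leave the browser.
  { t: 812, type: "input", selector: "#search", value: "***************" },
  // The search submits, and the term rides along in the page URL.
  { t: 1490, type: "navigate", url: "https://shop.example/search?q=zq7+canary+lamp" },
  // The results page repeats the term in ordinary, unmasked page text.
  {
    t: 1625,
    type: "snapshot",
    nodes: [
      { tag: "h1", text: "Results for “zq7 canary lamp”" },
      { tag: "input", attrs: { id: "search", value: "***************" } },
    ],
  },
  { t: 2100, type: "click", selector: "a.product-tile", x: 310, y: 442 },
];

// Forms the same string can take once it leaves the input field:
// plain text, percent-encoded, and form-encoded (spaces as "+").
function canaryVariants(canary) {
  const v = canary.trim().toLowerCase();
  if (v.length < 4) return []; // too short to match meaningfully
  return [...new Set([v, encodeURIComponent(v).toLowerCase(), v.replace(/ /g, "+")])];
}

// Walk an event recursively and yield [path, string] for every string field.
function* stringFields(value, path = "") {
  for (const [key, child] of Object.entries(value)) {
    const childPath = path ? `${path}.${key}` : key;
    if (typeof child === "string") {
      yield [childPath, child];
    } else if (child !== null && typeof child === "object") {
      yield* stringFields(child, childPath);
    }
  }
}

// Return one finding per (event field, canary) pair where the canary appears.
function findReflectedLeaks(events, canaries) {
  const leaks = [];
  events.forEach((event, index) => {
    for (const [field, text] of stringFields(event)) {
      const haystack = text.toLowerCase();
      for (const canary of canaries) {
        if (canaryVariants(canary).some((needle) => haystack.includes(needle))) {
          leaks.push({ index, type: event.type, field, canary });
        }
      }
    }
  });
  return leaks;
}

for (const leak of findReflectedLeaks(sampleBatch, [CANARY])) {
  console.log(`event ${leak.index} (${leak.type}) exposes the masked value via "${leak.field}"`);
}
```

On the sample batch the masked input event is clean, while the navigation URL and the results-page heading both carry the typed text, so masking the field alone does not keep the search term out of the recording.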
`
`57.
`
`Plaintiff reasonably expected that her visits to Defendant’s website would be
`
`private and that Defendant would not be watching, tracking, and recording Plaintiff as she browsed
`
`and interacted with the website, particularly because Plaintiff was never presented with any type
`
`of pop-up disclosure or consent form alerting Plaintiff that her visits to the website were being
`
watched and recorded by Defendant. Moreover, she used her own personal device to communicate
`
`with the website, was not aware of anyone else present during the communication and presumed
`
`her private interactions with Defendant’s website were just that: private.
`
`58.
`
`Plaintiff reasonably believed that she was interacting privately with Defendant’s
`
`website, and not that she was being watched and recorded and that those recordings could later be
`
`watched again and again by Defendant’s employees, or worse yet, live while Plaintiff was on the
`
`website.
`
`59.
`
`The third-party vendor that provided the session replay technology to Defendant is
`
`not a provider of wire or electronic communication services, or an internet service provider.
`
`60.
`
`Defendant is not a provider of wire or Electronic Communication services, or an
`
`internet service provider.
`
61. Defendant utilized session replay technology to intentionally and contemporaneously watch and intercept the substance and content of Plaintiff's Electronic
`
`Communications with Defendant’s website, including mouse clicks and movements, keystrokes,
`
`substantive information inputted by Plaintiff, pages and content viewed by Plaintiff, and scroll
`
`movements, and copy and paste actions. In other words, Defendant intercepted, stored, and
`
`recorded the webpages visited by Plaintiff, as well as everything Plaintiff did on those pages, what
`
`Plaintiff looked at, and the information Plaintiff inputted.
`
`
`62.
`
`The third-party vendor intentionally utilized by Defendant contemporaneously
`
`watched and intercepted the content of electronic computer-to-computer data communications
`
`between Plaintiff's computer and the computer servers and hardware utilized by Defendant to
`
`operate its website—as the communications were transmitted from Plaintiff's computer and/or
`
`mobile device to Defendant’s computer servers and hardware—and while viewing, copied and
`
`sent and/or re-routed the communications to a storage file within the third-party vendor’s server.
`
`The intercepted data was transmitted contemporaneously to the third-party vendor’s server as it
`
`was sent from Plaintiff’s computer and/or mobile device.
`
`63.
`
`The session replay technology utilized by Defendant acts as an electronic,
`
`mechanical, or other analogous device or apparatus in that the session replay technology monitors,
`
`intercepts and records the content of electronic computer-to-computer communications between
`
`Plaintiff’s computer and/or mobile device and the computer servers and hardware utilized by
`
`Defendant to operate its website.
`
`64.
`
`The session replay technology utilized by Defendant is not a website cookie,
`
`standard analytics tool, tag, web beacon, or other similar technology.
`
`65.
`
`The data collected by Defendant identified specific information inputted and
`
`content viewed, and thus revealed personalized and sensitive information about Plaintiff's Internet
`
`activity and habits.
`
`66.
`
The Electronic Communications intentionally watched and intercepted by Defendant were content generated through Plaintiff's intended use, interaction, and communication
`
`with Defendant’s website relating to the substance and/or meaning of Plaintiff's communications
`
`with the website (i.e., mouse clicks and movements, keystrokes, information inputted by Plaintiff,
`
`and pages and content clicked on and viewed by Plaintiff). This information is “content” as defined
`
`
`by the Missouri Wiretapping Act and is not merely record information regarding the character