throbber
Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 1 of 52 PageID #: 1
`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE EASTERN DISTRICT OF MISSOURI
`EASTERN DIVISION
`
`
`ANN JONES, individually and on behalf of
`all others similarly situated,
`
` Plaintiff,
`
`
` v.
`
`BED BATH & BEYOND INC.,
`
`
` Defendant.
`
`
`
`
`CASE NO. 4:23-cv-00082
`
`JURY TRIAL DEMANDED
`
`
`
`
`
`
`
`
`COMPLAINT - CLASS ACTION
`
`Plaintiff Ann Jones (“Plaintiff”), individually and on behalf of all others similarly situated,
`
`hereby files this class action complaint against Defendant Bed Bath & Beyond Inc. (“Defendant”)
`
`and in support thereof alleges the following:
`
`INTRODUCTION
`
`1.
`
`This is a class action brought against Defendant for surreptitiously intercepting and
`
`wiretapping
`
`the
`
`electronic
`
`communications
`
`of
`
`visitors
`
`to
`
`its
`
`website,
`
`www.bedbathandbeyond.com. Defendant procures third-party vendor, Quantum Metric, to utilize
`
`“session replay” spyware to intercept Plaintiff’s and the Class members’ electronic computer-to-
`
`computer data communications (“Electronic Communications”) with Defendant’s website,
`
`including how they interacted with the website, their mouse movements and clicks, keystrokes,
`
`search terms, information inputted into website, and pages and content viewed while visiting the
`
`website. Defendant intercepted, stored, and recorded electronic communications regarding the
`
`webpages visited by Plaintiff and the Class Members, as well as everything Plaintiff and the Class
`
`Members did on those pages, e.g., what they searched for, what they looked at, the information
`
`they inputted, and what they clicked on.
`
`1
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 2 of 52 PageID #: 2
`
`2.
`
`The “session replay” spyware utilized by Defendant is not a traditional website
`
`cookie, tag, web beacon, or analytics tool. It is a sophisticated computer spyware that allows
`
`Defendant to contemporaneously intercept, capture, read, observe, re-route, forward, redirect, and
`
`receive incoming Electronic Communications to its website. Plaintiff’s and Class Members’
`
`Electronic Communications are then stored by Defendant using an outside vendor’s services and
`
`can later be viewed and utilized by Defendant to create a session replay, which is essentially a
`
`video of a Class Member’s entire visit to Defendant’s website.
`
`3.
`
` Defendant’s conduct violates the Missouri Wiretap Act, Mo. Ann. Stat. §§ 542.400
`
`et seq., the Missouri Merchandising Practices Act, Mo. Rev. Stat. § 407.010 et seq., the Electronic
`
`Communications Privacy Act, 18 U.S.C. § 2511(1) et seq., 18 U.S.C. § 2511(3)(a) et seq., and 18
`
`U.S.C. § 2701 et seq; Title II, 18 U.S.C. § 2702 et seq; the Computer Fraud and Abuse Act,
`
`(“CFAA”) 18 U.S.C. § 1030, et seq.; and constitutes (i) an invasion of the privacy rights of website
`
`visitors and (ii) a trespass to chattels.
`
`4.
`
`Plaintiff brings this action individually and on behalf of a class of all natural persons
`
`in the United States (1) who visited Defendant’s website, www.bedbathandbeyond.com, and (2)
`
`whose electronic communications were intercepted by Defendant or on Defendant’s behalf. (the
`
`“Nationwide Class”) and on behalf of a subclass of all natural persons in the State of Missouri (1)
`
`who visited Defendant’s website, www.bedbathandbeyond.com, and (2) whose electronic
`
`communications were intercepted by Defendant or on Defendant’s behalf. (the “Missouri Class”)
`
`and seeks all civil remedies provided under the causes of action, including but not limited to
`
`compensatory, statutory, and/or punitive damages, and attorneys’ fees and costs.
`
`5.
`
`Plaintiff brings this action individually and on behalf of a class of all persons whose
`
`electronic communications were intercepted and seeks all damages allowed by law.
`
`2
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 3 of 52 PageID #: 3
`
`PARTIES
`
`6.
`
`Plaintiff Ann Jones is a citizen of the State of Missouri, and at all times relevant to
`
`this action, resided and was domiciled in St. Louis County, Missouri. Plaintiff is a citizen of
`
`Missouri.
`
`7.
`
`Defendant Bed, Bath & Beyond Inc. is, and has been at all times mentioned herein,
`
`a New York corporation with its principal place of business in New Jersey. Defendant is therefore
`
`a citizen of New York and New Jersey.
`
`
`
`JURISDICTION AND VENUE
`
`8.
`
`This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1332(d)(2)(A)
`
`because this case is a class action where the aggregate claims of all members of the proposed class
`
`are in excess of $5,000,000.00, exclusive of interest and costs, there are 100 or more members of
`
`the proposed class, and at least one member of the proposed class, including Plaintiff, is a citizen
`
`of a state different than Defendant.
`
`9.
`
`This Court further has subject matter jurisdiction pursuant to 28 U.S.C. § 1331
`
`because this action arises under 18 U.S.C. § 2510, et seq., 18 U.S.C. § 2701, et seq., and 18 U.S.C.
`
`§ 1030, et seq., and this Court has supplemental jurisdiction over the remaining state law claims
`
`pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy
`
`under Article III of the United States Constitution.
`
`10.
`
`This Court has personal jurisdiction over Defendant because a substantial part of
`
`the events and conduct giving rise to Plaintiff’s claims occurred in Missouri. The privacy violations
`
`complained of herein resulted from Defendant’s purposeful and tortious acts directed towards
`
`Class Members while they were located within Missouri.
`
`11.
`
`Defendant markets its products online via its website and ships products to Missouri
`
`3
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 4 of 52 PageID #: 4
`
`residents—i.e., Defendant intends for Missouri residents to purchase its products online and, in
`
`turn, delivers its products to Missouri. During this process, Plaintiff alleges Defendant
`
`surreptitiously intercepted and wiretapped Plaintiff’s electronic communications on its website
`
`while Plaintiff and Class Members were located in Missouri. At all relevant times, Defendant
`
`knew its practices would directly result in collection of information from Missouri citizens while
`
`browsing www.bedbathandbeyond.com. Defendant chose to avail itself of the business
`
`opportunities of marketing and selling its goods in Missouri and collecting real-time data from
`
`website visit sessions initiated by customers located in Missouri, and the claims alleged herein
`
`arise from those activities. Additionally, Bed Bath & Beyond Inc. has at least 12 physical brick
`
`and mortar stores located in Missouri, five (5) of which are within this District.1 As such, it would
`
`not offend the “traditional notion of fair play and substantial justice” to order Bed Bath & Beyond
`
`Inc. to defend the claims lodged against it in Missouri.
`
`12.
`
`Defendant also knows that many users visit and interact with Defendant’s website
`
`while they are physically present in Missouri. Both desktop and mobile versions of Defendant’s
`
`website allow a user to search for nearby stores by providing the user’s location, as does the
`
`Defendant’s app. Users’ employment of automatic location services in this way means that
`
`Defendant is continuously made aware that its website is being visited by people located in
`
`Missouri, and that such website visitors are being wiretapped in violation of federal and Missouri
`
`statutory law and common law.
`
`13.
`
`Pursuant to 28 U.S.C. § 1391, this Court is the proper venue for this action because
`
`a substantial part of the events, omissions, and acts giving rise to the claims herein occurred in this
`
`District.
`
`
`1 https://www.bedbathandbeyond.com/locations/state/MO (last visited: January 24, 2023).
`
`4
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 5 of 52 PageID #: 5
`
`
`
`FACTUAL ALLEGATIONS
`
`A. Website User and Usage Data Have Immense Economic Value.
`
`14.
`
`The “world’s most valuable resource is no longer oil, but data.”2
`
`15.
`
`Earlier this year, Business News Daily reported that some businesses collect
`
`personal data (i.e., gender, web browser cookies, IP addresses, and device IDs), engagement data
`
`(i.e., how consumers interact with a business’s website, applications, and emails), behavioral data
`
`(i.e., customers’ purchase histories and product usage information), and attitudinal data (i.e., data
`
`on consumer satisfaction) from consumers.3 This information is valuable to companies because
`
`they can use this data to improve customer experiences, refine their marketing strategies, capture
`
`data to sell it, and even to secure more sensitive consumer data.4
`
`16.
`
`In a consumer-driven world, the ability to capture and use customer data to shape
`
`products, solutions, and the buying experience is critically important to a business’s success.
`
`Research shows that organizations who “leverage customer behavior insights outperform peers by
`
`85 percent in sales growth and more than 25 percent in gross margin.”5
`
`17.
`
`In 2013, the Organization for Economic Cooperation and Development (“OECD”)
`
`even published a paper entitled “Exploring the Economics of Personal Data: A Survey of
`
`
`2 The world’s most valuable resource is no longer oil, but data, The Economist (May 6, 2017),
`https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-
`longeroil-but-data.
`3 Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It),
`Business News Daily (Aug. 5, 2022), https://www.businessnewsdaily.com/10625-businesses-
`collecting-data.html.
`4 Id.
`5 Brad Brown, Kumar Kanagasabai, Prashant Pant & Goncalo Serpa Pinto, Capturing value from
`your customer data, McKinsey (Mar. 15, 2017), https://www.mckinsey.com/business-
`functions/quantumblack/our-insights/capturing-value-from-your-customer-data.
`
`5
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 6 of 52 PageID #: 6
`
`Methodologies for Measuring Monetary Value.”6 In this paper, the OECD measured prices
`
`demanded by companies concerning user data derived from “various online data warehouses.”7
`
`18.
`
`OECD indicated that “[a]t the time of writing, the following elements of personal
`
`data were available for various prices: USD 0.50 cents for an address, USD 2 [i.e., $2] for a date
`
`of birth, USD 8 for a social security number (government ID number), USD 3 for a driver’s license
`
`number and USD 35 for a military record. A combination of address, date of birth, social security
`
`number, credit record and military record is estimated to cost USD 55.”8
`
`B. Website Users Have a Reasonable Expectation of Privacy in Their Interactions
`with Websites.
`
`19.
`
`Consumers are skeptical and are wary about their data being collected. A report
`
`
`
`released by KPMG shows that “a full 86% of the respondents said they feel a growing concern
`
`about data privacy, while 78% expressed fears about the amount of data being collected.”9
`
`20.
`
`Another recent paper also indicates that most website visitors will assume their
`
`detailed interactions with a website will only be used by the website and not be shared with a party
`
`they know nothing about.10 As such, website visitors reasonably expect that their interactions with
`
`a website should not be released to third parties unless explicitly stated.11
`
`
`6 Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary
`Value,
`OECD
`Digital
`Economy
`Papers,
`NO.
`220
`(Apr.
`2,
`2013),
`https://www.oecdilibrary.org/docserver/5k486qtxldmq-en.pdf.
`7 Id. at 25.
`8 Id.
`9 Lance Whitney, Data privacy is a growing concern for more consumers, TechRepublic (Aug.
`17, 2021), https://www.techrepublic.com/article/data-privacy-is-a-growing-concern-for-more-
`consumers/.
`10 CUJO AI Recent Survey Reveals U.S. Internet Users Expectations and Concerns Towards
`Privacy and Online Tracking, CUJO (May 26, 2020), https://www.prnewswire.com/news-
`releases/cujo-ai-recent-survey-reveals-us-internet-users-expectations-and-concerns-towards-
`privacy-and-online-tracking-301064970.html.
`11 Frances S. Grodzinsky, Keith W. Miller & Marty J. Wolf, Session Replay Scripts: A Privacy
`Analysis, The Information Society, 38:4, 257, 258 (2022).
`
`6
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 7 of 52 PageID #: 7
`
`21.
`
`Privacy polls and studies show that a majority of Americans consider one of the
`
`most important privacy rights to be the need for an individual’s affirmative consent before a
`
`company collects and shares its customers’ data.
`
`22.
`
`A recent study by Consumer Reports shows that 92% of Americans believe that
`
`internet companies and websites should be required to obtain consent before selling or sharing
`
`consumers’ data, and the same percentage believe internet companies and websites should be
`
`required to provide consumers with a complete list of the data that has been collected about them.12
`
`23. Moreover, according to a study by Pew Research Center, a majority of Americans,
`
`approximately 79%, are concerned about how data is collected about them by companies.13
`
`24.
`
`Users act consistently with their expectation of privacy. Following a new rollout of
`
`the iPhone operating software—which asks users for clear, affirmative consent before allowing
`
`companies to track users—85 percent of worldwide users and 94 percent of U.S. users chose not
`
`to allow such tracking.14
`
`
`
`C.
`
`25.
`
`How Session Replay Technology Works.
`
`Session
`
`replay
`
`technology,
`
`such
`
`as
`
`that
`
`implemented
`
`on
`
`www.bedbathandbeyond.com, enables website operators to record, save, and replay website
`
`visitors’ interactions with a given website. The clandestinely deployed code provides online
`
`
`12 Consumers Less Confident About Healthcare, Data Privacy, and Car Safety, New Survey Finds,
`Consumer
`Reports
`(May
`11,
`2017),
`https://www.consumerreports.org/consumerreports/consumers-less-confident-about-healthcare-
`data-privacy-and-car-safety/.
`13 Americans and Privacy: Concerned, Confused, and Feeling Lack of Control Over Their
`Information,
`Pew
`Research
`Center,
`(Nov.
`15,
`2019),
`Personal
`https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-
`Confusedand-feeling-lack-of-control-over-their-personal-information/.
`14 Margaret Taylor, How Apple
`screwed Facebook, Wired,
`https://www.wired.co.uk/article/apple-ios14-facebook.
`
`(May 19, 2021),
`
`7
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 8 of 52 PageID #: 8
`
`marketers and website designers with insights into the user experience by recording website
`
`visitors “as they click, scroll, type or navigate across different web pages.”15
`
`26. While session replay technology is utilized by websites for some legitimate
`
`purposes, it goes well beyond normal website analytics when it comes to collecting the actual
`
`contents of communications between website visitors and websites. Unlike other online
`
`advertising tools, session replay technology allows a website to capture and record nearly every
`
`action a website visitor takes while visiting the website, including actions that reveal the visitor’s
`
`personal or private sensitive data, sometimes even when the visitor does not intend to submit the
`
`data to the website operator, or has not finished submitting the data to the website operator.16 As a
`
`result, website visitors “aren’t just sharing data with the [web]site they’re on . . . but also with an
`
`analytics service that may be watching over their shoulder.”17
`
`27.
`
`Session replay technology works by inserting a computer spyware into the various
`
`event handling routines that web browsers use to receive input from users, thus intercepting the
`
`occurrence of actions the user takes. When a website delivers session replay technology to a user’s
`
`browser, the browser will follow the spyware’s instructions by sending responses in the form of
`
`“event” data to a designated third-party server. Typically, the server receiving the event data is
`
`controlled by the third-party entity that wrote the session replay technology, rather than the owner
`
`of the website where the spyware is installed.
`
`28.
`
`The types of events captured by session replay technology vary by specific product
`
`
`15 Erin Gilliam Haije, [Updated] Are Session Recording Tools a Risk to Internet Privacy?,
`Mopinion (Mar. 7, 2018), https://mopinion.com/are-session-recording-tools-a-risk-to-internet-
`privacy/.
`16 Id.
`17 Eric Ravenscraft, Almost Every Website You Visit Records Exactly How Your Mouse Moves,
`Medium (Feb. 5, 2020), https://onezero.medium.com/almost-every-website-you-visit-records-
`exactly-how-your-mouse-moves-4134cb1cc7a0.
`
`8
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 9 of 52 PageID #: 9
`
`and configuration, but in general, are wide-ranging and can encompass virtually every user action,
`
`including all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry, and
`
`numerous other forms of a user’s navigation and interaction through the website. To permit an
`
`accurate reconstruction of a user’s visit, the session replay technology must be capable of capturing
`
`these events at hyper-frequent intervals, often just milliseconds apart. Events are typically
`
`accumulated and transmitted in blocks periodically throughout the user’s website session, rather
`
`than after the user’s visit to the website is completely finished.
`
`29.
`
`Unless specifically masked through configurations chosen by the website owner,
`
`some visible contents of the website may also be transmitted to the third-party vendor.
`
`30.
`
`Once the events from a user session have been recorded by the session replay
`
`technology, a website operator can view a visual reenactment of the user’s visit through the third-
`
`party vendor usually in the form of a video, meaning “[u]nlike typical analytics services that
`
`provide aggregate statistics, these scripts are intended for the recording and playback of individual
`
`browsing sessions.”18
`
`31.
`
`Because most session replay technology will by default indiscriminately capture
`
`the maximum range of user-initiated events and content displayed by the website, researchers have
`
`found that a variety of highly sensitive information can be captured in event responses from
`
`website visitors, including medical conditions, credit card details, and other personal information
`
`displayed or entered on webpages.19
`
`
`
`
`18 Steven Englehardt, No boundaries: Exfiltration of personal data by session-replay scripts,
`Freedom to Tinker (Nov. 15, 2017), https://freedom-to-tinker.com/2017/11/15/no-boundaries-
`exfiltration-of-personal-data-by-session-replay-scripts/.
`19 Id.
`
`9
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 10 of 52 PageID #: 10
`
`32.
`
`The following screenshot provides an example of a typical recording of a visit to a
`
`website captured utilizing session replay spyware, which includes mouse movements, keystrokes
`
`and click, search terms, content viewed, and information inputted by the website visitor:
`
`
`
`33. Most alarming, session replay technology may capture data that the user did not
`
`even intentionally transmit to a website during a visit, and then make that data available to website
`
`owners when they access the session replay through the third-party vendor. For example, if a user
`
`writes information into a text form field, but then chooses not to click a “submit” or “enter” button
`
`on the website, the session replay technology may nevertheless cause the non-submitted text to be
`
`sent to the designated event-response-receiving server before the user deletes the text or leaves the
`
`page. This information will then be viewable to the website owner when accessing the session
`
`replay through the third-party vendor.
`
`34.
`
`35.
`
`Session replay technology does not necessarily anonymize user sessions, either.
`
`First, if a user’s entry of personally identifying information is captured in an event
`
`response, that data will become known and visible to both the third-party vendor and the website
`
`10
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 11 of 52 PageID #: 11
`
`owner.
`
`36.
`
`Second, if a website displays user account information to a logged-in user, that
`
`content may be captured by session replay technology.
`
`37.
`
`Third, some
`
`third-party vendors explicitly offer website owners cookie
`
`functionality that permits linking a session to an identified user, who may be personally identified
`
`if the website owner has associated the user with an email address or username.20
`
`38.
`
`Third-party vendors often create “fingerprints” that are unique to a particular user’s
`
`combination of device and browser settings, screen configuration, and other detectable
`
`information. The resulting fingerprint, which is often unique to a user and rarely changes, are
`
`collected across all sites that the third-party vendor monitors.
`
`39. When a user eventually identifies themselves to one of these websites (such as by
`
`filling in a form), the provider can then associate the fingerprint with the user identity and can then
`
`back-reference all of that user’s other web browsing across other websites previously visited,
`
`including on websites where the user had intended to remain anonymous—even if the user
`
`explicitly indicated that they would like to remain anonymous by enabling private browsing.
`
`40.
`
`In addition to the privacy invasions caused by the diversion of user communications
`
`with websites to third-party [vendors] session replay technology also exposes website visitors to
`
`identity theft, online scams, and other privacy threats.21 Indeed, “[t]he more copies of sensitive
`
`information that exist, the broader the attack surface, and when data is being collected [] it may
`
`not be stored properly or have standard protections” increasing “the overall risk that data will
`
`
`20 Id.; see also FS.identify – Identifying users, FullStory, https://help.fullstory.com/hc/en-
`us/articles/360020828113, (last visited Sep. 8, 2022).
`21 Juha Sarrinen, Session Replay is a Major Threat to Privacy on the Web, itnews (Nov. 16, 2017),
`https://www.itnews.com.au/news/session-replay-is-a-major-threat-to-privacy-on-the-web-
`477720.
`
`11
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 12 of 52 PageID #: 12
`
`someday publicly leak or be breached.”22
`
`41.
`
`Recognizing the privacy concerns posed by session replay technology, in 2019
`
`Apple required app developers to remove or properly disclose the use of analytics code that allow
`
`app developers to record how a user interacts with their iPhone apps or face immediate removal
`
`from the app store.23 In announcing this decision, Apple stated: “Protecting user privacy is
`
`paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request
`
`explicit user consent and provide a clear visual indication when recording, logging, or otherwise
`
`making a record of user activity.”24
`
`D.
`
`
`42.
`
`Bed Bath & Beyond Inc. Secretly Wiretaps its Website Visitors’ Electronic
`Communications.
`
`Bed Bath & Beyond Inc. operates the website www.bedbathandbeyond.com. Bed
`
`Bath & Beyond Inc. is ranked 381 on the Fortune 500 list in the United States, with customers
`
`regularly using its website to inquire about products and make purchases.
`
`43.
`
`However, unbeknownst to the thousands of individuals perusing Defendant’s goods
`
`and services online, Defendant intentionally procures and embeds session replay technology from
`
`a third-party vendor on its website to track and analyze website user interactions with
`
`www.bedbathandbeyond.com. Because the third-party vendor is an unknown eavesdropper to
`
`visitors to www.bedbathandbeyond.com, it is not a party to website visitors’ electronic
`
`communication with Defendant.
`
`E.
`
`Plaintiff’s and Class Members’ Experience.
`
`
`
`
`22 Lily Hay Newman, Covert ‘Replay Sessions’ Have Been harvesting Passwords by Mistake,
`WIRED
`(Feb. 26, 2018), https://www.wired.com/story/covert-replay-sessions-harvesting-
`passwords/.
`23 Zack Whittaker, Apple Tells App Developers to Disclose or Remove Screen Recording Code,
`TechCrunch (Feb. 7, 2019), https://techcrunch.com/2019/02/07/apple-glassbox-apps/.
`24 Id.
`
`12
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 13 of 52 PageID #: 13
`
`44.
`
`Plaintiff has visited www.bedbathandbeyond.com while in Missouri. Specifically,
`
`Plaintiff visited www.bedbathandbeyond.com via the web browser on her computer and mobile
`
`device (collectively referred to herein as “computing devices”).
`
`45. While visiting Defendant’s website, Plaintiff fell victim to Defendant’s unlawful
`
`monitoring,
`
`recording, and collection of Plaintiff’s electronic communication with
`
`www.bedbathandbeyond.com.
`
`46.
`
`Unknown to Plaintiff, Defendant procures and embeds session replay technology
`
`on its website.
`
`47.
`
`During Plaintiff’s visits to Defendant’s website, Plaintiff, through her computer and
`
`mobile device, transmitted Electronic Communications in the form of instructions to Defendant’s
`
`computer servers utilized to operate the website. The commands were sent as messages instructing
`
`Defendant what content was being viewed, clicked on, requested and/or inputted by Plaintiff. The
`
`communications sent by Plaintiff to Defendant’s servers included, but were not limited to, the
`
`following actions taken by Plaintiff while on the website: mouse clicks and movements,
`
`keystrokes, substantive information inputted by Plaintiff, pages and content viewed by Plaintiff,
`
`scroll movement, and copy and paste actions.
`
`48.
`
`Defendant responded to Plaintiff's Electronic Communications by supplying—
`
`through its website—the information requested by Plaintiff. This series of requests and responses
`
`—whether online or over the phone—is Electronic Communications under the Missouri Wiretap
`
`Act.
`
`49.
`
`During the website visits, Plaintiff’s Electronic Communications were watched in
`
`real-time and captured by session replay technology and sent to a third-party vendor.
`
`50.
`
`For example, when visiting www.bedbathandbeyond, if a website user looks at
`
`13
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 14 of 52 PageID #: 14
`
`Defendant’s offerings, that information is captured by the session replay technology embedded on
`
`the website.
`
`51. When you select a store closest to you to see its inventory or to place an order for
`
`pick-up, that information is sent to the third-party vendor.
`
`52.
`
`The session replay technology operates in the same manner for all putative Class
`
`Members.
`
`53.
`
`Like Plaintiff, each Class Member visited www.bedbathandbeyond.com with
`
`session replay technology embedded in it, and the session replay technology watched and
`
`intercepted the Class Members’ electronic communications with www.bedbathandbeyond.com by
`
`sending hyper-frequent logs of those communications to a third-party vendor.
`
`54.
`
`Even if Defendant masks certain elements when it configures the settings of the
`
`session replay technology embedded on its website, any operational iteration of the session replay
`
`technology will, by its very nature and purpose, intercept the contents of communications between
`
`the website’s visitors and the website owner.
`
`55.
`
`For example, even with heightened masking enabled, the third-party vendor will
`
`still learn through the intercepted data exactly which pages a user navigates to, how the user moves
`
`through the page (such as which areas the user zooms in on or interacted with), and additional
`
`substantive information.
`
`56.
`
`As a specific example, if a user types a product into Defendant’s main search bar
`
`and initiates a search, even if the text entered into the search bar is masked, the third-party vendor
`
`will still learn what is entered into the bar as soon as the search result page loads. This is so because
`
`the responsive search results will be displayed on the subsequent page, and the responsive content
`
`generated by Defendant will repeat the searched information back on the generated page. That
`
`14
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 15 of 52 PageID #: 15
`
`information will not be masked even if user-inputted text is fully masked in a text field.
`
`57.
`
`Plaintiff reasonably expected that her visits to Defendant’s website would be
`
`private and that Defendant would not be watching, tracking, and recording Plaintiff as she browsed
`
`and interacted with the website, particularly because Plaintiff was never presented with any type
`
`of pop-up disclosure or consent form alerting Plaintiff that her visits to the website were being
`
`watched and recorded by Defendant. Moreover, she used his own personal device to communicate
`
`with the website, was not aware of anyone else present during the communication and presumed
`
`her private interactions with Defendant’s website were just that: private.
`
`58.
`
`Plaintiff reasonably believed that she was interacting privately with Defendant’s
`
`website, and not that she was being watched and recorded and that those recordings could later be
`
`watched again and again by Defendant’s employees, or worse yet, live while Plaintiff was on the
`
`website.
`
`59.
`
`The third-party vendor that provided the session replay technology to Defendant is
`
`not a provider of wire or electronic communication services, or an internet service provider.
`
`60.
`
`Defendant is not a provider of wire or Electronic Communication services, or an
`
`internet service provider.
`
`61.
`
`Defendant utilized
`
`session
`
`replay
`
`technology
`
`to
`
`intentionally
`
`and
`
`contemporaneously watch and intercept the substance and content of Plaintiff's Electronic
`
`Communications with Defendant’s website, including mouse clicks and movements, keystrokes,
`
`substantive information inputted by Plaintiff, pages and content viewed by Plaintiff, and scroll
`
`movements, and copy and paste actions. In other words, Defendant intercepted, stored, and
`
`recorded the webpages visited by Plaintiff, as well as everything Plaintiff did on those pages, what
`
`Plaintiff looked at, and the information Plaintiff inputted.
`
`15
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 16 of 52 PageID #: 16
`
`62.
`
`The third-party vendor intentionally utilized by Defendant contemporaneously
`
`watched and intercepted the content of electronic computer-to-computer data communications
`
`between Plaintiff's computer and the computer servers and hardware utilized by Defendant to
`
`operate its website—as the communications were transmitted from Plaintiff's computer and/or
`
`mobile device to Defendant’s computer servers and hardware—and while viewing, copied and
`
`sent and/or re-routed the communications to a storage file within the third-party vendor’s server.
`
`The intercepted data was transmitted contemporaneously to the third-party vendor’s server as it
`
`was sent from Plaintiff’s computer and/or mobile device.
`
`63.
`
`The session replay technology utilized by Defendant acts as an electronic,
`
`mechanical, or other analogous device or apparatus in that the session replay technology monitors,
`
`intercepts and records the content of electronic computer-to-computer communications between
`
`Plaintiff’s computer and/or mobile device and the computer servers and hardware utilized by
`
`Defendant to operate its website.
`
`64.
`
`The session replay technology utilized by Defendant is not a website cookie,
`
`standard analytics tool, tag, web beacon, or other similar technology.
`
`65.
`
`The data collected by Defendant identified specific information inputted and
`
`content viewed, and thus revealed personalized and sensitive information about Plaintiff's Internet
`
`activity and habits.
`
`66.
`
`The Electronic Communications intentionally watched and intercepted by
`
`Defendant was content generated through Plaintiff's intended use, interaction, and communication
`
`with Defendant’s website relating to the substance and/or meaning of Plaintiff's communications
`
`with the website (i.e., mouse clicks and movements, keystrokes, information inputted by Plaintiff,
`
`and pages and content clicked on and viewed by Plaintiff). This information is “content” as defined
`
`16
`
`

`

`Case: 4:23-cv-00082-JAR Doc. #: 1 Filed: 01/25/23 Page: 17 of 52 PageID #: 17
`
`by the Missouri Wiretapping Act and is not merely record information regarding the character

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket