Export Compliance Daily is a Warren News publication.
'Watching Over Their Shoulder'

Cheesecake Factory Named in Session Replay Wiretapping Complaint

The Cheesecake Factory hires third-party vendors such as Microsoft to embed JavaScript session replay code on its website for wiretapping purposes, alleged a Friday privacy class action (docket 3:23-cv-00272), in U.S. District Court for Southern California in San Diego.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The referenced code deploys on each website visitor's internet browser for the purpose of “intercepting and recording” the visitor’s electronic communications on the website, including mouse movements, clicks, search information, URLs and other real-time communications, the complaint said. The conduct violates the California Invasion of Privacy Act, said California plaintiff Anne Lightoller, who accessed, viewed and placed orders on the Cheesecake Factory website.

When a website delivers session replay code to a user’s browser, the browser will follow the code’s instructions by sending “event” data to a third-party server, the complaint said. Most session replay codes by default “indiscriminately capture the maximum range of user-initiated events,” which can include medical conditions and credit card details, said the complaint.

The codes also may capture data the user didn’t intentionally transmit to a website during a visit and then make the data available to website owners when they access the replay through the session replay provider. If a user writes information in a form field but then chooses not to submit or enter the information, the code may cause the non-submitted text to be sent to the event-response receiving server before the user leaves the page, the complaint said. Website visitors are sharing data with the website and the analytics service “that may be watching over their shoulder.”

The diversion of user website communications to third-party session replay providers exposes visitors to identity theft, online scams and other privacy threats, the complaint said, citing a Wired article. The “more copies of sensitive information that exist, the broader the attack surface,” the complaint said, citing ITnews.

Microsoft’s Clarity session replay code has three approaches for masking sensitive information: strict, balanced and relaxed, said the complaint. When Clarity is set to “relaxed,” whatever information a user enters into the field on a website can be previewed in session recordings, it said. When a website operator selects “strict” and “balanced” settings, Clarity is capable of collecting text, including sensitive information, from users, it said.

The ability to capture and use customer data “to shape products, solutions and the buying experience is critically important to a business’ success,” said the plaintiff. It cited a 2013 Organisation for Economic Co-operation and Development report placing values of $2 for a date of birth and 50 cents for an address. Some 92% of Americans believe internet companies and websites should be required to obtain consent before selling or sharing consumer data, said the complaint, citing Consumer Reports. About 79% of Americans are concerned about how data is collected about them, the complaint said, citing Pew Research Center.

Plaintiffs seek injunctive relief; statutory, actual, compensatory, consequential, punitive and nominal damages; plus legal costs and reasonable attorneys’ fees.