Carnival Violated CIPA by Letting 3rd Parties Track Users: Complaint
Carnival Corp. engaged in wiretapping when it allowed third-party vendors such as Microsoft to embed JavaScript session replay code on its website to record visitors’ electronic communications, alleged a class action Thursday (3:23-cv-404) in U.S. District Court for Southern California in San Diego.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Third-party vendors create session replay code at Carnival’s request and then use the website communications to secretly recreate users’ visits to the company’s website in violation of the California Invasion of Privacy Act, said the complaint.
Plaintiff Erica Mikulsky, a California resident, didn’t consent to, authorize or know about Carnival’s intrusion when it occurred, and she had the right not to have her personal information intercepted and used for business gain, the complaint asserted. Without her consent, Carnival procured session replay providers to obtain certain information about her device, browser, and to create a unique ID and profile for her.
The Microsoft code, called Clarity, captures over 30 different categories of information, which can be “translated into a simulation video of how a user interacts with a website,” the complaint said. Clarity has three settings of “masking” for personal information. Even when a website operator selects “strict” and “balanced” settings, Clarity can collect text entered by users, including sensitive information, it said.
The company has a written privacy policy, but it's insufficient for class members to address prior to consent, the complaint said. Wiretapping begins the moment a user visits the Carnival website, so visitors have no opportunity to review the privacy policy before wiretapping has begun, it said. They can only provide “insufficient and subsequent consent after the wiretapping has already occurred.” The privacy policy is “buried at the very bottom of the website” in non-contrasting font that is “unobtrusive and easy to overlook,” the plaintiff said.
Carnival’s conduct caused Mikulsky and the class “mental anguish and suffering” due to their loss of privacy and confidentiality of their electronic communications, the complaint alleges. Carnival improperly profited from its invasion of class members’ privacy in its use of their data for its economic value, it said.
Plaintiffs seek a judgment declaring Carnival’s conduct as unlawful, injunctive relief and the award of statutory, actual, compensatory, consequential, punitive and nominal damages, plus restitution and/or disgorgement of profits unlawfully obtained. Plaintiff’s law firm, Hausfeld, filed similar privacy class actions against Cheesecake Factory (see 2302150008) and JetBlue (see 2302270025) last month. Carnival didn't comment Monday.