Office Depot's Use of Email Spy Trackers Violates Ariz. Law, Alleges Complaint

Nancy Encinas opened emails from Office Depot from January to June to review promotional materials, said the complaint. Each time the Casa Grande, Arizona, resident opened one, the office supplies retailer “procured her sensitive email information including the time and place she opened and read the messages, how long she read the email, her location, her email client type, her IP address, her device information and whether and to whom the email was forwarded to,” alleged the complaint. Encinas didn’t give consent to Office Depot to do so, it said.

The complaint cited an investigation code-named Project Kona involving leaked emails related to a 2006 management upheaval at HP that led to Congress’ enactment of the Telephone Records and Privacy Protection Act. The law criminalizes tactics “knowingly and intentionally obtain[ing], or attempt[ing] to obtain, confidential phone records information of a covered entity, by making false or fraudulent statements or representations to an employee of a covered entity,” but it covers only “pretexting,” and not the use of email trackers, the complaint said.

An individual involved in the HP incident revealed that his investigators had obtained reporters' private phone records through “pretexting,” which “involved investigators requesting information from [telephone] operators orally, over the phone, pretending to be someone else if necessary,” said the complaint.

The Arizona legislature “went a step further,” enacting the Telephone Records and Privacy Protection Act (A.R.S.), which addressed both investigative methods that HP operatives used in Project Kona, the complaint said. The Arizona law “prohibits any person from procuring or conspiring with another to procure 'a telephone record’ of residents without consent”; it also “prohibits procurement of any 'communication service record,'" including email records, of “any resident of this state without the authorization of the customer to whom the record pertains, or by fraudulent, deceptive, or false means.”

Despite the Arizona law, companies “still embed trackers within emails without first obtaining consumers’ consent,” said the complaint. The tracking “spy pixels” allow companies to learn information about an email transmission, such as when and where the email was opened, said the complaint. Pixels log when the recipient accesses the email and the number of times it is opened, along with the IP address linked to the user’s location and device usage, it said.

Spy pixels are activated when the subscriber opens the email, said the complaint: “The recipient does not need to directly engage with the pixel -- when an email is opened the tracking pixel is automatically downloaded,” it said. The 1x1 image “is so small it is basically impossible to see with the naked eye,” it said. The spy pixel used by marketers today “operates the same way as the spy pixels in the HP pretexting scandal,” said the complaint: Email activity -- including who accessed an email and when and where it was accessed – “is procured through the same technology, an invisible pixel embedded in the email code that allows the sender to log and track that information,” it said.

Encinas was unaware tracking pixels were embedded in Office Depot’s emails since the company doesn’t inform users it inserts tracking pixels in its marketing emails, alleged the complaint. The defendant never received consent from Encinas or class members to use spy pixels, it said.

Encinas seeks an order declaring that Office Depot’s conduct violates A.R.S., actual damages for each violation, damages equal to the sum of any profits the retailer made for each violation, injunctive relief, pre- and post-judgment interest and attorneys’ fees and costs. Office Depot didn't comment Thursday.