Why Session Replay Tech is Under Fire in Ulta Beauty Suit

The Ulta complaint asserts 'that the web tracking technology surreptitiously intercepts users' data and communications in violation of the California Invasion of Privacy Act and the federal Wiretap Act.'
The Ulta complaint asserts "that the web tracking technology surreptitiously intercepts users' data and communications in violation of the California Invasion of Privacy Act and the federal Wiretap Act."

Session replay software is in the crosshairs of a number of recent lawsuits, including a class action suit against Ulta Beauty in California Southern District Court (3:22-cv-01954, Wright v. Ulta Salon, Cosmetics & Fragrance, Inc.).

Session replay technology to replay is used by companies to track a "visitor's journey on a web site or within a mobile application or web application" to better understand behavior patterns that can be applied to user experience upgrades, marketing or other elements of the business.

The technology is reportedly GDPR-compliant. However, a range of suits is calling the tech's use into question.

The Ulta complaint asserts "that the web tracking technology surreptitiously intercepts users' data and communications in violation of the California Invasion of Privacy Act and the federal Wiretap Act."

In Pennsylvania Bloomingdale's was hit with a similar suit, as was Bed Bath & Beyond. Avis and Liberty Mutual have also been targeted. 

A blog post from law firm Dentons notes:

As it concerns wiretapping, California, Florida, and Pennsylvania are all “two-party consent” states, meaning that all parties to a communication are required to consent before one can lawfully record the communication. Plaintiffs have focused their filings in those three states both because they are “two-party consent” states and because their wiretapping statutes include a private cause of action, allowing plaintiffs to sue to recover monetary damages.

The authors conclude:

A company conducting e-commerce activities nationally must ensure that its website policies and technologies comply with the wiretap laws of each state where its website is accessed. Irrespective which state’s law applies, a plaintiff’s consent will preclude a claim under a wiretapping statute containing a two-party consent requirement. To that end, companies should ensure that they effectively obtain the consumer’s consent to the use of such software and understand the laws governing such consent.

More in Digital/E-commerce