Papa John's faces class-action lawsuit for alleged misuse of session tracking scripts


Pizza retailer Papa John’s is facing a class-action lawsuit over allegations that it used privacy-violating trackers on its website.

Customer David Kauffman filed a lawsuit against the pizza delivery giant under the Federal Wiretap Act and the California Invasion of Privacy Act (CIPA), alleging an illegal level of data collection on customers using its website via session replay tools.


Such tools are commonly used on websites but were described in the lawsuit as tantamount to spyware, given the amount and type of data they monitor and communicate back to Papa John's.

Session replay scripts are often deployed for data analytics purposes but the lawsuit alleged that the volume and type of data collected far exceeds what is reasonably expected from a pizza-ordering website.

The scripts track a range of actions made by users on a website, including how long they stay on each page, what they click, and even mouse cursor movements, which are tracked and anonymised. These recordings are often studied for advertising purposes, as well as to investigate buggy or broken website features.

However, the lawsuit argued that in failing to properly notify users of the scripts, Papa John’s has violated the Federal Wiretap Act, which penalises any entity who “intentionally intercepts, endeavours to intercept, or procures any other person to intercept or endeavour to intercept, any wire, oral, or electronic communication.” The CIPA also sets out punishment for anyone who attempts to intercept communications without the consent of all involved parties.

“Plaintiff and Class Members reasonably expected that visits to Defendant’s website would be private, and that Defendant would not be intercepting, tapping, connecting with, or otherwise attempting to understand their communications with Defendant’s website, particularly because Defendant failed to present Plaintiff and Class Members with a pop-up disclosure or consent form alerting Plaintiff that the visits to the website were monitored and recorded by Defendant,” the lawsuit read.

Firms such as Yandex and Clicktale provide session replay for their customers, as third-party services. The Freedom to Tinker group at Princeton’s Center for Information Technology Policy found evidence of session recording on the websites of companies such as HP, Comcast and Intel.

However, data protection regulations such as the Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay out strict boundaries on how personal data can be collected and used to profile or identify individuals.

“The technology not only allows the tapping and unauthorised connection of a visitor’s electronic communication with a website, but also allows the user to create a detailed profile for each visitor to the site,” the lawsuit claimed.

The plaintiff is seeking damages of $10,000 or $100 per day and violation, whichever of the two is greater. The lawsuit proposes that the class of affected customers numbers “in the hundreds of thousands” and that the damages could therefore exceed $5,000,000.

Previous concerns around session replay technology have centred around the inadequate measures deployed by analytics service Glassbox to censor fields containing sensitive data such as passwords or payment information within session replay recordings.
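To make concrete what a session replay script captures and where the field-masking failure described above comes from, here is an added example modelling the client-side part of such a recorder. It is not code from the article, from Papa John's, or from Glassbox, Yandex or Clicktale. The event objects, the field metadata, the `maskOverride` flag and the two masking policies are all constructed for illustration; the `autocomplete` tokens are standard HTML values. The naive policy only masks `type="password"` inputs, so card numbers typed into ordinary text fields leave the browser in clear; the hardened policy also matches autocomplete tokens, field names and an explicit site-side flag, and it coarsens pointer coordinates so the recording carries less precise telemetry than the raw stream.

```javascript
// Added example, not from the article or any replay vendor: a minimal model of a
// session-replay event pipeline, showing how captured input events leak sensitive
// field values unless the recorder masks them before transmission.
// All events, field metadata and policies below are constructed.

// Standard HTML autocomplete tokens whose values should never be recorded.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "cc-number", "cc-csc", "cc-exp", "current-password", "new-password",
]);
// Field-name heuristic (assumption: the site uses descriptive field names).
const SENSITIVE_NAME = /(card|cvv|cvc|pass|ssn|secret)/i;

// Naive policy: masks only <input type="password">. Payment fields are usually
// plain text inputs, so this is exactly the gap the article describes.
function naiveIsSensitive(field) {
  return field.type === "password";
}

// Hardened policy: password inputs, known sensitive autocomplete tokens,
// suspicious field names, and anything the site tags explicitly
// (maskOverride is a constructed flag standing in for a data-* attribute).
function hardenedIsSensitive(field) {
  return (
    field.type === "password" ||
    SENSITIVE_AUTOCOMPLETE.has(field.autocomplete) ||
    SENSITIVE_NAME.test(field.name || "") ||
    field.maskOverride === true
  );
}

// Apply the policy to one captured event before it is queued for upload.
// Input events carry the typed value; click events carry only a selector;
// mouse movements are snapped to a 10px grid (enough for heatmaps, less
// precise than raw pointer telemetry).
function redactEvent(ev, isSensitive) {
  if (ev.kind === "input") {
    if (isSensitive(ev.field)) {
      return { ...ev, value: "*".repeat(ev.value.length), masked: true };
    }
    return { ...ev, masked: false };
  }
  if (ev.kind === "mousemove") {
    return { ...ev, x: Math.round(ev.x / 10) * 10, y: Math.round(ev.y / 10) * 10 };
  }
  return ev;
}

function recordSession(events, isSensitive) {
  return events.map((ev) => redactEvent(ev, isSensitive));
}

// Plaintext input values that would leave the browser under a given policy.
// Running this over a scripted checkout in CI is a cheap pre-deployment check
// for any third-party replay script.
function leakedValues(events, isSensitive) {
  return recordSession(events, isSensitive)
    .filter((ev) => ev.kind === "input" && !ev.masked)
    .map((ev) => ev.value);
}

// Constructed sample session: a visitor searching, logging in and paying.
const SAMPLE_EVENTS = [
  { kind: "click", target: "#order-now", t: 0 },
  { kind: "mousemove", x: 123, y: 457, t: 10 },
  { kind: "input", field: { name: "q", type: "text" }, value: "pepperoni", t: 20 },
  { kind: "input", field: { name: "password", type: "password" }, value: "hunter2", t: 30 },
  { kind: "input", field: { name: "cardNumber", type: "text", autocomplete: "cc-number" },
    value: "4111111111111111", t: 40 },
  { kind: "input", field: { name: "cvv", type: "text" }, value: "123", t: 50 },
];

console.log("naive policy leaks:", leakedValues(SAMPLE_EVENTS, naiveIsSensitive));
console.log("hardened policy leaks:", leakedValues(SAMPLE_EVENTS, hardenedIsSensitive));
```

Under the naive policy the card number and CVV are recorded verbatim; under the hardened one only the search term survives. The point of structuring the redaction as a pure function over the event stream is that it can be unit-tested against a scripted checkout flow, rather than trusting a vendor's default configuration to know which of the site's fields hold payment data.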

IT Pro has approached Papa John’s for comment.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.