Coblentz Press Room

Third Circuit Raises the Stakes for Session Replay Technology

By Scott Hall and Phillip Wiese 

The Third Circuit recently added to the growing body of wiretapping law addressing the use of session replay technology in In re BPS Direct, LLC; Cabela’s LLC Wiretapping Litig., 2026 WL 1280969 (May 11, 2026). Expanding on its prior decisions, the court held that in certain circumstances, data collected through session replay technology could give rise to a concrete injury sufficient for standing to pursue claims under wiretapping laws including the Electronic Communications Privacy Act (ECPA).

The Third Circuit’s decision is a departure from its prior decision in Cook v. GameStop, Inc.[1] and from Ninth Circuit authority that consumers have no reasonable expectation of privacy as to session replay software.[2] In light of the Third Circuit’s decision, online retailers should tread carefully going forward when using session replay to collect analytics on their websites, because there may be different risk profiles in different jurisdictions.

Session Replay Technology and Plaintiffs’ Allegations

Session replay technology allows businesses to collect and understand how website visitors browse and interact with their websites. Depending on how it is configured, the software may collect anonymized mouse movements, clicks, keystrokes, scrolls, and text inputs and interactions that can be used to improve website functionality and user experience. Plaintiffs claim that the aggregated data can be combined with user identifiers to create “fingerprints” of a user, and, in some circumstances, can be matched to specific visitors, particularly when the visitor provides identifying information on the website.

Here, eight plaintiffs brought suit against retailers Bass Pro Shops and Cabela’s (together, BPS) for the retailers’ use of session replay technology without their consent. They claimed that the session replay providers (e.g., Microsoft, Quantum Metric, and Mouseflow) created fingerprints of their specific visiting sessions and were able to specifically identify each plaintiff. Crucially, only two plaintiffs alleged that they made any purchases on the websites. The remaining plaintiffs only visited the websites but made no purchases and entered no personally identifying information into the site. Plaintiffs alleged violations of the ECPA and the Computer Fraud and Abuse Act.

Plaintiffs Who Made Purchases Had Standing

BPS successfully moved to dismiss the complaint at the trial court on the basis that the plaintiffs lacked standing to bring their claims. To assert standing, plaintiffs needed to allege, among other things, that they suffered an injury in fact. In determining whether this element is satisfied, courts often look to traditional common law harms to provide the basis for standing in wiretap and privacy actions like this one. The district court compared the plaintiffs’ wiretap claims to the torts of public disclosure of private facts and intrusion upon seclusion and found the plaintiffs’ claims lacking.

Drawing upon two prior decisions,[3] the district court determined, and the Third Circuit agreed, that plaintiffs lacked standing to show an injury under the public disclosure of private facts tort. As to the plaintiffs who did not make a purchase, the information allegedly collected was not sensitive or identifiable. As to the plaintiffs who did make purchases, the credit card information and other identifiable information was not publicly disclosed because it remained internal between BPS and its session replay providers.

With respect to the intrusion upon seclusion analysis, the Third Circuit reached a different conclusion from the district court for the two purchasing plaintiffs. For the plaintiffs who did not make a purchase, the court held that “clicks, scrolls, and searches for outdoor products” were not private or worthy of protection because plaintiffs entered no personal or sensitive information. But for the two plaintiffs who purchased products, the analysis was different. By submitting their credit card information to BPS, those two plaintiffs entered “personal or sensitive” information, and thus were injured in a manner similar to intrusion upon seclusion. The Third Circuit determined those two plaintiffs had standing, and their privacy claims against BPS could proceed past the pleading stage, reversing the district court’s dismissal of the claims and remanding for further proceedings.

This decision, and its holding that session replay could run afoul of wiretapping laws, is in direct tension with Popa, where the Ninth Circuit found the purported harm caused by session replay technology was not analogous to the traditional harms for public disclosure of private facts or intrusion upon seclusion. Although the plaintiff in Popa did not allege her credit card information was collected by the session replay technology, she did allege that it captured her mailing address. Notably, California district courts have held that there is no expectation of privacy for credit card information collected by session replay technology. It remains to be seen whether the Ninth Circuit decision would have come out differently had credit card information been at issue.

Key Takeaways

While the Third Circuit confirmed that, in general, there are no issues with session replay technology, companies may still face exposure if they collect “personal and sensitive” information, such as financial or health care data. Going forward, companies may consider the following steps:

  • Confirm that session replay tools are configured to mask, redact, or avoid capturing sensitive information fields, including credit card numbers, social security numbers, and any other health or financial data. This may create a successful defense at the motion to dismiss or summary judgment phases.
  • Consider disabling session replay on pages where users input “personal and sensitive” information into the website, including social security numbers, credit card information, government identification information, or other financial or health information.
  • Continue to assert standing defenses where available, but where “personal and sensitive” information is allegedly captured, develop other non-standing arguments in their responsive pleadings, including consent and whether protected communications were actually intercepted.
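
The first two steps above can be turned into a check that runs before session replay is enabled on a page. The following is an added example, not code from this article or from any session replay vendor: it classifies a page's form fields into the sensitive categories listed above and decides whether replay may run. The `data-replay-mask` attribute is a hypothetical placeholder for whatever masking marker your vendor documents, and the name-matching rules and sample pages are constructed for illustration.

```javascript
// Added example: decide whether session replay may run on a page, based on its form fields.
// MASK_ATTR is a hypothetical marker; use the masking attribute or class your vendor documents.
const MASK_ATTR = "data-replay-mask";

// Standard HTML autocomplete tokens for payment-card data.
const CARD_TOKENS = new Set(["cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"]);

// Constructed name/id heuristics for the categories the article lists.
const NAME_RULES = [
  ["payment card", /(card|cc)[-_]?(num|no)|cvv|cvc/i],
  ["social security number", /ssn|social[-_]?sec/i],
  ["government ID", /passport|driver|licen[cs]e/i],
  ["financial", /iban|routing|account[-_]?(num|no)/i],
  ["health", /diagnos|medical|prescription|insurance/i],
];

// Returns the sensitive category for a field descriptor, or null if none applies.
function classifyField(field) {
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  if (tokens.some((t) => CARD_TOKENS.has(t))) return "payment card";
  const label = `${field.name || ""} ${field.id || ""}`;
  const hit = NAME_RULES.find(([, re]) => re.test(label));
  return hit ? hit[0] : null;
}

// Returns { action, findings }; action is "record", "record-masked" or "disable".
// strict=true disables replay on any page that takes sensitive input at all.
function auditPage(fields, { strict = false } = {}) {
  const findings = fields
    .map((f) => ({
      field: f.name || f.id,
      category: classifyField(f),
      masked: Boolean(f.attrs && MASK_ATTR in f.attrs),
    }))
    .filter((r) => r.category !== null);
  if (findings.length === 0) return { action: "record", findings };
  const allMasked = findings.every((r) => r.masked);
  return { action: strict || !allMasked ? "disable" : "record-masked", findings };
}

// Constructed sample pages (in a browser, build these descriptors from the page's inputs).
const searchPage = [{ name: "q", autocomplete: "off", attrs: {} }];
const checkoutPage = [
  { name: "email", autocomplete: "email", attrs: {} },
  { name: "cardnumber", autocomplete: "cc-number", attrs: { [MASK_ATTR]: "" } },
  { name: "cvv", attrs: {} }, // sensitive and unmasked, so replay is disabled
];
```

Running the audit in a build or tag-manager gate, rather than relying on a one-time review, catches sensitive fields that are added to a page after replay was first configured.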

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

 

[1] 148 F.4th 153 (3d Cir. 2025).

[2] Popa v. Microsoft Corp., 143 F.4th 784 (9th Cir. 2025).

[3] Barclift v. Keystone Credit Servs., LLC, 93 F.4th 136 (3d Cir. 2024); Cook, 148 F.4th 153.