Amended Complaint Filed in Nike, FullStory Suit


In October, Law Street Media covered a class-action complaint filed by a consumer against Nike and FullStory for allegedly wiretapping the electronic communications of Nike website visitors by recording their sessions on Nike’s website without disclosing it or obtaining permission. On Dec. 22, the plaintiff filed a first amended class-action complaint against the defendants. Additions included more detail as to Nike’s privacy policy.

As stated in the filing, at issue is FullStory’s software that provides marketing analytics, particularly its “Session Replay” feature. The plaintiff stated that this feature captures “mouse movements, clicks, typing, scrolling, swiping, tapping, etc.” on a website by using “embedded snippets of code … (that) watch and record a visitor’s every move on a website, in real time” to create a recorded session. Reportedly, the “wiretaps…are used by Defendants to secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (‘PII’), in real time.”

The amended complaint noted that FullStory lets users view a list of users who have visited the website and the time that they spend on the website. After clicking on a particular recorded session, FullStory purportedly lets a client “view the video of a user’s interaction with a website” and all of the information captured in said video in order to “see the real customer experience behind the data.” Furthermore, using its “Go Live” feature, Nike can view these sessions in real time. The plaintiff pointed to a 2017 study conducted by Princeton University researchers who examined FullStory and found that “unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.” The plaintiff contended that this exceeds user expectations for information that is collected and monitored.

The plaintiff claimed that Nike neither asks for nor obtains user consent for this purported wiretapping and that its Privacy Policy does not disclose said wiretapping. Specifically, the plaintiff noted that, while Nike’s homepage contained a link to the Privacy Policy, “it was buried at the very bottom of the webpage in tiny, 7.5 non-contrasting font that was designed to be unobtrusive and easy to overlook. Further, even though users are presented with a hyperlink to Nike’s Privacy Policy at the checkout process, Nike began recording users long before this moment, i.e., any purported disclosure was made after the wiretap had already begun.”

Additionally, the plaintiff said that even when users agree to the Privacy Policy, “Nike does not mention FullStory or its Session Replay feature in Nike’s Privacy Policy.” The plaintiff stated that the Privacy Policy discloses the use of “Cookies and Pixel Tags” “to collect ‘click behavior,’ ” but not to the extent that this is used by FullStory; they added that other companies that use screen-recording technology “actively disclose the use of session recording technology on their websites by implementing a pop-up screen that a user must acknowledge before advancing further on the website.”

The defendants are accused of violating the California Invasion of Privacy Act and the privacy rights of the plaintiff and putative class as given in the California Constitution. The plaintiff has sought class certification, appointment of the plaintiff and his counsel to represent the class, declaratory judgment in his favor, an award for damages, restitution, prejudgment interest, an injunction, and an award for costs and fees.

The plaintiff is represented by Bursor & Fisher PA. Nike and FullStory are represented by Covington & Burling LLP.