This article is more than 1 year old

Papa John's sued for 'wiretap' spying on website mouse clicks, keystrokes

When the tracking hits your eye like a big pizza pie, that's a priori

Papa John's is being sued by a customer – not for its pizza but for allegedly breaking the US Wiretap Act by snooping on the way he browsed the pie-slinger's website.

The titan of greasy wheels is accused of falling foul of wiretapping rules by using so-called session replay software on its website. This software records and phones home everything a user does on the site, beyond what fetching pages and placing an order would submit, we're told. For instance, it tells Papa John's where the mouse is moved and clicked, and what's typed into the page, it's claimed. This info can be used to figure out where users get stuck, bail out of a sale, get lost, and so on.

Session replay tools have been a privacy concern due to their indiscriminate capturing of data, sometimes poor security, and failures to get user consent to track and store this data, not to mention having analysts going over your every move to see how they can optimize their webpages and boost sales.

On the other hand, you may not see it as that much of a concern given all the other material data a website might have on you – such as name, email and home address, date of birth, orders placed, payment details, etc etc.

Intel, we note, has faced a similar legal challenge for using the technology.

The case against Papa John's was filed [PDF] this week in a federal district court in southern California. The proposed class-action suit accuses Papa John's of violating both the Wiretap Act and the California Invasion of Privacy Act (CIPA) by going too far with its session replay software.

"The purported use of 'session replay' technology is to monitor and discover broken website features; however, the extent and detail collected by users of the technology ... far exceeds the stated purpose," the lawsuit, brought by San Diego's David Kauffman, alleges. 

While his complaint doesn't name the software – or "spyware" as he put it – that Papa John's allegedly used, he claims such code is illegal.

The lawsuit is seeking "the greater of $10,000 or $100 per day for each violation" of the Wiretap Act as well as $2,500 in statutory damages for each violation of CIPA. Unfortunately for Papa John's, if found liable, that could amount to a lot of cash. While Kauffman's lawyers can't be certain how many class members the lawsuit covers, they believe "millions" were snooped on.

We've asked Papa John's about the lawsuit, and will update this story if they respond. 

You can't bake respect for privacy into a pizza

It can be argued Papa John's leaves a lot of stuff out of its pizza – you know, like flavor – but a lack of concern for privacy isn't new: the fast-food chain faced a £10,000 ($11,100) fine in the UK last year for sending advertising text messages to customers without their explicit consent.

Papa John's was accused of abusing the "soft opt-in" exemption in Blighty's Privacy and Electronic Communications Regulations, which states that companies who obtain customer data in the course of a sale can use that data to send marketing messages – but only if they're given an opt-out opportunity first. Papa John's failed to do that.

As for session replay code, Papa John's would hardly be the first company to be accused in US courts of abusing it. Multiple lawsuits have been filed in Florida and California against organizations that have allegedly had the technology embedded in their websites and used it unlawfully. 

While many cases brought in Florida have been dismissed in recent years, the Ninth Circuit Court of Appeals issued a ruling in June that The National Law Review said opened the door to a slew of new session replay lawsuits in California using the same legal reasoning applied in the Papa John's case. 

Could Papa John's have avoided this whole situation? Perhaps, by just ditching it – as the The National Law Review explained: "[The 9th Circuit] case suggests that a robust privacy policy may not be enough for an organization and it could open doors to organizations including an affirmative opt-in function going forward as a risk mitigation measure." ®

More about


Send us news

Other stories you might like