On May 11, 2026, the U.S. Court of Appeals for the Third Circuit issued its opinion in In re BPS Direct, LLC; Cabela's, LLC Wiretapping Litigation, No. 23-3235, addressing Article III standing in a putative class action challenging the use of session replay on retail websites. The court affirmed dismissal of claims brought by six plaintiffs who browsed the websites without making purchases, but modified that dismissal to be without prejudice. Importantly, the court reversed the dismissal of claims brought by two plaintiffs who made purchases and allegedly had their payment information captured during checkout.
Case Background
Bass Pro Shops and Cabela's used session replay on their retail websites. According to the complaint, the session replay captured users' website interactions, including mouse movements, clicks, scrolls, keystrokes, text entries and other activity. The session replay code allegedly captured inputs even when a user typed information into a field but did not click "submit" or "enter."
Bass Pro Shops used third-party providers to supply the session replay code. The complaint alleged that those providers stored data collected from users of the websites on their own servers and that Bass Pro Shops and the providers could use the data to create video-style replays of website visits, which allegedly gave the company insight into the performance of its websites and advertising campaigns.
Eight named plaintiffs filed a putative class action alleging violations of the federal Wiretap Act, the Computer Fraud and Abuse Act and several state-law and common-law causes of action. Six plaintiffs alleged that they browsed Bass Pro Shops’ websites but did not make purchases or enter names, addresses or other personally identifying information. Two plaintiffs, Heather Cornell and Peter Montecalvo, alleged that they made purchases and entered their names, addresses and "payment and billing information" during checkout. The district court dismissed the complaint under Rule 12(b)(1) for lack of Article III standing.
The Holding
The Third Circuit reached a split result. As to the six nonpurchasing plaintiffs, the court affirmed the dismissal of their claims but modified it to be without prejudice. As to plaintiffs Heather Cornell and Peter Montecalvo, the court reversed the dismissal and remanded for further proceedings.
The court analyzed the alleged intangible injuries under TransUnion v. Ramirez, asking whether the plaintiffs identified a close historical or common-law analogue for their asserted injuries. The plaintiffs relied on two common-law privacy torts: public disclosure of private facts and intrusion upon seclusion. The court held that none of the plaintiffs alleged an injury analogous to public disclosure of private facts, but that Cornell and Montecalvo alleged an injury analogous to intrusion upon seclusion.
Public Disclosure of Private Facts
The court rejected public disclosure standing for all eight plaintiffs. Relying on Barclift v. Keystone Credit Services, the court explained that the public disclosure tort addresses the humiliation associated with disclosure of sensitive or scandalizing private information to public scrutiny. The court reasoned that information shared with the session replay providers remained "functionally internal" because the complaint alleged that the providers stored and returned the information to Bass Pro Shops for its business purposes, not that they shared it with the public or another outside party.
That reasoning applied even to Cornell and Montecalvo, whose payment information the court treated as sensitive. Although the court recognized that a complete credit or debit card number, expiration date and security code are highly sensitive, it held that the alleged disclosure to service providers was not the kind of public disclosure required for that common-law analogue.
Intrusion Upon Seclusion
The court reached a different result under intrusion upon seclusion. For the six nonpurchasing plaintiffs, the court held that clicks, scrolls and searches for outdoor products were not plausibly private because those plaintiffs entered no personal or sensitive information. The court compared their online browsing to the physical browsing that shoppers do every day in brick-and-mortar stores. As a result, the court concluded that observation of those nonpersonal and nonsensitive interactions did not cause harm analogous to an intrusion into private affairs, consistent with the court's earlier decision in Cook v. GameStop, Inc., which similarly held that the capture of ordinary website browsing activity, absent personal or sensitive information, does not establish Article III standing under an intrusion-upon-seclusion analogue.
For Cornell and Montecalvo, the court held that the alleged capture of complete credit or debit card numbers during checkout was different. The court read "payment and billing information" to mean a complete credit or debit card number, expiration date and security code because online purchases typically require that information to finalize the transaction. The court held that surreptitious recording of that information caused harm closely analogous to intrusion upon seclusion because consumers expect complete payment card information to be free from prying eyes.
Fingerprinting Allegations Were Not Enough
The court rejected the plaintiffs' fingerprinting theory as too speculative. The complaint alleged that session replay providers "can" and "often do" aggregate data into user fingerprints, and that a provider can later match a fingerprint to a user's identity if the user identifies herself on a site using the same provider's code. The court held that this alleged only a theoretical path to injury because the plaintiffs did not allege that the providers actually used aggregation functionality on Bass Pro Shops' websites. The court also held that the theory did not help the six nonpurchasing plaintiffs because they did not identify themselves on the websites. For Cornell and Montecalvo, the court similarly held that allegations about provider capability were not enough absent allegations that providers used aggregation functionality on Bass Pro Shops' websites and deanonymized their browsing histories.
Why the Decision Matters
The decision gives website owners and operators a useful standing framework for defending browse-only session replay claims in the Third Circuit. The court's analysis confirms that allegations involving ordinary website browsing, without capture of personal or sensitive information, may be insufficient to establish a concrete injury under Article III.
The decision also reinforces the importance of how data flows between a website operator and its service providers. Where a complaint alleges only that a vendor stores or processes information to provide services back to the website operator, the Third Circuit's "functionally internal" reasoning provides a strong answer to public disclosure theories.
At the same time, the decision highlights checkout pages and other data-entry flows as higher-risk areas. If session replay tools record complete credit or debit card numbers, expiration dates or security codes, plaintiffs may be able to plead Article III standing under an intrusion-upon-seclusion theory.
Finally, the decision gives defendants a focused response to complaints that depend on what tracking technology can do rather than what it actually did. Capability allegations, including allegations about fingerprinting or cross-site aggregation, are vulnerable if the complaint does not allege that the functionality was actually deployed on the defendant's site and actually caused deanonymization or another concrete privacy harm.
Practical Steps for Businesses
Businesses using session replay code, marketing pixels, analytics tools or similar website-tracking technologies should reassess what those tools capture on checkout, account creation, login and other pages where users enter payment, financial, health or other sensitive information. Companies should consider masking or excluding payment card fields, security codes and comparable sensitive inputs at the code, tag-management or vendor-configuration level. They should also review vendor configurations and contracts to confirm whether providers store, process, aggregate or fingerprint captured data, and whether any such functionality is disabled, limited or restricted to providing services back to the company.
Companies should also review their privacy notices, cookie banners, consent-management tools and internal data maps to make sure session replay and similar technologies are accurately disclosed and governed.
For More Information
If you have questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Website Accessibility and Privacy Compliance Litigation Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.


