Opinion
23-3304 23-3606
12-24-2024
Ann Jones, individually and on behalf of all others similarly situated Plaintiff - Appellant v. Bloomingdales.com, LLC Defendant-Appellee Ann Jones, individually and on behalf of all others similarly situated; Jane Tenzer, individually and on behalf of all others similarly situated Plaintiffs - Appellants v. Papa John's International, Inc. Defendant-Appellee
Submitted: November 20, 2024
Appeals from United States District Court for the Eastern District of Missouri - St. Louis
Before SHEPHERD, ARNOLD, and ERICKSON, Circuit Judges.
ARNOLD, CIRCUIT JUDGE.
After Ann Jones learned that two websites she had visited had permitted others to record her electronic communications with the sites, she brought separate actions against the websites' owners for invading her privacy. In one case, the district courtdismissed her complaint for lack of subject-matter jurisdiction because she did not adequately plead that she had suffered a concrete injury. In the other case, the district court dismissed her complaint for lack of personal jurisdiction. She appeals both dismissals. (We consolidated the appeals for oral argument and now resolve them in a single opinion.) Since we believe that Jones hasn't plausibly alleged a concrete injury in either case, we affirm the judgments.
The Honorable Sarah E. Pitlyk, United States District Judge for the Eastern District of Missouri.
The Honorable Stephen R. Clark, Chief Judge, United States District Court for the Eastern District of Missouri.
Jones filed her lawsuits against Bloomingdales.com, LLC, and Papa John's International, Inc., on behalf of herself and a putative class of similarly situated people. (Another plaintiff named Jane Tenzer joined her suit against Papa John's, but we will call the plaintiffs "Jones" to keep things simple.) The allegations in each suit, which at this stage we accept as true, see Carlsen v. GameStop, Inc., 833 F.3d 903, 908 (8th Cir. 2016), are alike in all material respects. Jones alleges that she visited the companies' websites and, unbeknownst to her, they employed "session replay" technology that allowed them to discern and record things like her "mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), search terms, URLs of web pages visited, as well as . . . what [she] searched for, what [she] looked at, the information [she] inputted, and what [she] clicked on." She says that this technology compiles what "is essentially a video of [her] entire visit" that can be replayed any time. According to Jones, companies like Bloomingdales and Papa John's use session-replay technology to improve their websites and to provide targeted advertisements.
To implement session-replay technology on their websites, the companies employed the assistance of third parties that we will call "providers." Using their session-replay programs, these providers allegedly can create unique "fingerprints" of individual users using information obtained from a user's visit to any website that the provider monitors. And, Jones asserts, if a user identifies herself (such as by inputting her name in a text box on the website), the provider can connect the user's identity to the digital fingerprint it has created for her, even if the user intended to browse anonymously.
Jones brought several claims against each company, some under state law alleging intrusion upon seclusion and violations of Missouri statutes, and others under the Electronic Communications Privacy Act, see 18 U.S.C. § 2511(1), (3)(a), the Stored Communications Act, see id. §§ 2701, 2702, and the Computer Fraud and Abuse Act, see id. § 1030. The companies each moved to dismiss the complaints, arguing that the courts lacked personal jurisdiction over them and that the complaints failed to state a claim.
The district court in the case against Bloomingdales dismissed the complaint but not for the reasons Bloomingdales offered. The court relied instead on a decision by another judge in the Eastern District of Missouri in a similar case involving session-replay technology. See Adams v. PSP Grp., LLC, 691 F.Supp.3d 1031 (E.D. Mo. 2023). The court there held that the plaintiff lacked standing to sue because she didn't suffer a concrete injury, as she didn't allege that the website she visited had captured "any sensitive, personal, or confidential information" about her. See id. at 1041-42. Persuaded by this decision, the district court dismissed Jones's complaint against Bloomingdales. As for the case against Papa John's, the district court agreed that it lacked personal jurisdiction over Papa John's and so it didn't address whether Jones had standing. Because we hold that Jones lacks standing in both cases, we need not resolve whether the courts have personal jurisdiction over the defendant companies. We review the matter of standing de novo. See Bassett v. Credit Bureau Servs., Inc., 60 F.4th 1132, 1134 (8th Cir. 2023).
Article III of the Constitution "confines the federal judicial power to the resolution of 'Cases' and 'Controversies.'" TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). For a case or controversy to exist, the plaintiff must have a personal stake in the lawsuit-a requirement that courts call "standing." See id. Standing "limits the category of litigants empowered to maintain a lawsuit in federal court to seek redress for a legal wrong." Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). As Justice Scalia once put it, to have standing, a plaintiff must be able to give a good answer to the question, "What's it to you?" See Antonin Scalia, The Doctrine of Standing as an Essential Element of the Separation of Powers, 17 Suffolk U. L. Rev. 881, 882 (1983).
To demonstrate standing at this stage, Jones must plead facts that demonstrate, among other things, that she suffered an injury that is "concrete" and "real," not merely "abstract." See Spokeo, 578 U.S. at 338, 340. Examples of qualifying harms include traditional "tangible" harms that are physical or monetary in nature. See TransUnion, 594 U.S. at 425. But the Supreme Court has explained that some intangible harms can also be concrete, such as "harms traditionally recognized as providing a basis for lawsuits in American courts" like "reputational harms, disclosure of private information, and intrusion upon seclusion." See id.
Jones doesn't allege that she suffered physical or monetary harm from visiting the companies' websites; rather, she asserts that she suffered a harm to her privacy that bears a close relationship to "the historically cognizable harm of intrusion upon seclusion." According to Missouri law, "One who intentionally intrudes, physically or otherwise upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." See Sofka v. Thal, 662 S.W.2d 502, 510 (Mo. banc 1983) (quoting Restatement (Second) of Torts § 652B). We've observed that Missouri courts view "the existence of a secret and private subject matter" as an element of this tort. See Ruzicka Elec. &Sons, Inc. v. Int'l Bhd. of Elec. Workers, Local 1, 427 F.3d 511, 524 (8th Cir. 2005).
Though it is true that the kind of harm to privacy associated with an intrusion upon seclusion can constitute a concrete injury for standing purposes, that doesn't mean that every plaintiff who comes to court alleging such a harm gets in the courthouse door. Federal courts are not much concerned with labels and unsupported characterizations. See Ashcroft v. Iqbal, 556 U.S. 662, 678, 681 (2009). So even though Jones alleges that the companies invaded her privacy, we do not think her allegations plausibly show that is the case. Jones does not allege, for example, that session-replay technology captured her inputting and then deleting personal information like her social security number, medical history, bank account figures, or credit card information. She doesn't allege that it recorded any of her contact information or even her name. Nor does she allege that it hijacked her camera and watched her in her home as she surfed the web. Most of her allegations concern what this technology is able to capture generally. But as one court aptly explained, "We need to know what session-replay code actually captured, not what session-replay code is capable of capturing." See In re BPS Direct, LLC, 705 F.Supp.3d 333, 356 (E.D. Pa. 2023).
All we know from her allegations is that she visited the websites and that they recorded her "Website Communications," but she never tells us what she communicated. She mentions that her communications included things like "mouse movements, clicks, [and] keystrokes," but we don't understand how the movements of a cursor or a person's general navigation across a website conveys any information that a customer could reasonably expect to keep private from the website owners themselves. The situation is akin to the commonplace use of a security camera at a brick-and-mortar store to record customers as they shop-an analogy Jones herself evokes when she alleges in her complaints that session-replay technology is "the electronic equivalent of 'looking over the shoulder' of each" customer. See Goldstein v. Costco Wholesale Corp., 559 F.Supp.3d 1318, 1321 (S.D. Fla. 2021). But no reasonable customer at a brick-and-mortar store could claim a privacy interest in her general movements and activities in the public parts of that store. We therefore join the overwhelming number of district courts to hold that plaintiffs lack standing in cases like these where they don't allege the interception of private information. See, e.g., Arndt v. Gov't Emps. Ins. Co., 2024 WL 4335644, at *5 (D. Md. Sept. 26, 2024) (collecting cases).
The Court's decision in TransUnion supports our conclusion. There, a class of plaintiffs said they had suffered harm to their reputations-an intangible harm that can constitute a concrete injury-when a credit reporting agency created misleading credit reports. See TransUnion, 594 U.S. at 417. The Court agreed that those whose reports the agency had disseminated had suffered a concrete injury. See id. For those whose reports had not been disseminated, however, the Court disagreed that they had suffered reputational harm, explaining that "[t]he mere presence of an inaccuracy in an internal credit file, if it is not disclosed to a third party, causes no concrete harm." See id. at 434. So even though some contended they had suffered an intangible injury that would support standing, the Court held to the contrary. We do the same here.
This is not the first time our court has done so. In one case, a plaintiff alleged she had suffered intangible reputational harm, but since she didn't plead facts to support that contention, we concluded she lacked standing. See Auer v. Trans Union, LLC, 902 F.3d 873, 878 (8th Cir. 2018). We explained that her "naked assertion of reputational harm, devoid of further factual enhancement, falls short of plausibly establishing injury." See id. We've applied the same reasoning to assertions of harm to privacy. See Schumacher v. S.C. Data Ctr., Inc., 33 F.4th 504, 514 (8th Cir. 2022). In short, "[b]reezy declarations" of an intangible yet concrete injury without support won't suffice. See McNaught v. Nolen, 76 F.4th 764, 772 (8th Cir. 2023).
Jones points out that things like her mouse movements, clicks, and keystrokes provide "rich, personal content" that is valuable to the companies as they could reveal her shopping preferences and allow them to target her with specific advertisements. She says that "[t]he fact that these communications consisted of clicks or hovers instead of typed words is immaterial; the electronic exchanges conveyed information nonetheless."
We do not doubt that the companies value the information that session-replay technology gathers. That's why they gather it. But that does not mean that the information gathered is information that a website visitor could reasonably expect to keep private from the website owners or their agents. Just as a security camera at a physical store might record how customers react to a display of products, sessionreplay technology captures how a store's online customers react to digital displays, to the extent "clicks" and "hovers" might reveal those reactions. We fail to see how this invades Jones's privacy, especially when she voluntarily conveyed the information she says is private to the defendants, cf. Schumacher, 33 F.4th at 513-14, and when the allegations don't suggest that she provided information that would identify her. Cf. Dinerstein v. Google, LLC, 73 F.4th 502, 513-14 (7th Cir. 2023).
We hold that Jones has not plausibly alleged that she suffered a concrete injury, and so she lacks standing to bring these suits. We do so not because we think she experienced only a slight invasion of her privacy, see Golan v. FreeEats.com, Inc., 930 F.3d 950, 959 (8th Cir. 2019), but because her allegations do not plausibly suggest that she suffered any such invasion at all.
Affirmed.