Ninth Circuit Dismisses “Session Replay” Lawsuit–Popa v. Microsoft

This case involves “session replay” technologies, described as (cleaned up):

the software embeds snippets of JavaScript computer code on a website, which then deploys on each website visitor’s internet browser for the purpose of intercepting and recording the website visitor’s electronic communications with the website, including their mouse movements, clicks, keystrokes, URLs of web pages visited, and/or other electronic communications in real-time. The session-replay provider then uses those website communications to recreate website visitors’ entire visit to the website. A business utilizing this technology can then access useful consumer data, including detailed heatmaps of a website that provide information about which elements of a website have high user engagement, how far website users scrolled on the website, and the total clicks within a given area on the website. In essence, session-replay technology helps a business to determine which parts of its website are effective with customers and which are not

Standard product marketing work.

The technology at issue is Microsoft’s Clarity service. It has three settings for capturing personal information during the session: (1) no user text is captured, (2) key items, like passwords, are not captured (this is the default setting), and (3) all user text is captured. The defendant, Pet Supplies Plus, masked the text capture so it did not include the plaintiffs’ street number or zip code.

The plaintiffs’ lawsuit over Clarity’s session replay fails because the plaintiffs lack Article III standing per Spokeo and TransUnion.

To establish Article III standing, the plaintiffs have to show how they suffered a “concrete” injury. This is no small challenge. Tracking and recording a person’s navigation of a website may be unwanted and disquieting, but it typically has no real effects on individual users. See my old paper on data mining.

I highlight this issue when I teach the old Pharmatrak case. I ask students: where’s the harm where the system collected highly sensitive PII but the collector never paid attention to it? In Pharmatrak, the plaintiffs couldn’t articulate any theory of how that unexamined collected data harmed them (though the case didn’t turn on Article III standing). Same too here.

To satisfy Spokeo/TransUnion, the plaintiffs’ claims must satisfy the common law requirement that any privacy intrusion be highly offensive. Session replay isn’t that:

Popa does not explain how the tracking of her interactions with the PSP website caused her to experience any kind of harm that is remotely similar to the “highly offensive” interferences or disclosures that were actionable at common law….Popa identifies no embarrassing, invasive, or otherwise private information collected by Clarity. Indeed, the monitoring of Popa’s interactions with PSP’s website seems most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales….

At most, Popa alleges that Clarity gathered her pet-store preferences and her street name. To the extent Microsoft’s tracking software could be offensive in particular circumstances (e.g., involving sensitive medical or financial information), Popa does not plausibly allege the infringement of any such privacy interest.

While I agree with the conclusion, the court’s invocation of an offline analogy to online activities is problematic. I recently dealt with similar analogies in my Segregate-and-Suppress paper, where I claimed there was a significant difference between a physical-space retailer’s inspection of a shopper’s government-issued ID and online age authentication using government-issued ID. I pointed out several key differences, including the fact that the digital mediation (including the encoding, interceptability, and possible storage that could lead to expropriation) creates privacy and security risks that don’t exist with physical world age authentication. Also, a store clerk monitoring a shopper isn’t likely to record any of the shopper’s conversations with other store clerks or patrons, while session replay will. The opinion would have been better without the offline analogy.

In a footnote, the court discounts the identity theft risk:

the complaint identifies potential harms that might be associated with session-replay technology, such as identity theft. But the complaint includes no allegations plausibly linking these potential, generalized harms to the operation of Clarity on PSP’s website vis-à-vis Popa.

The court also discounts the possible trespass to chattels angle:

Popa also mentions trespass as a potential common-law analog twice in her opening brief, without any additional explanation. But she never identifies what possessory interest Microsoft invaded. Indeed, Clarity—at least according to the complaint—appears to operate on PSP’s website rather than on an individual’s computer.

The court also says that statutes (in this case, the Pennsylvania ECPA equivalent) can’t bootstrap themselves into creating a concrete injury for Article III standing purposes based on the mere statutory violation.

The obvious question is: could session replay plaintiffs establish Article III standing with better pleadings, or will session replays always lack any cognizable harm? I think the answer is… yes? Recording for session replay is a fundamentally inconsequential act by itself, even though the court intimates that the collection of more sensitive consumer information might be a different story. (That’s a warning to any Clarity or other session replay users who aren’t suppressing recording of user text). However, when the data collection is combined with some other harm, such as an expropriation that leads to actual identity theft, then the plaintiffs may have something. But session replay plaintiffs aren’t likely to have evidence of these additional harms very often, and even more rarely will have that evidence at the time of filing the complaint (i.e., pre-discovery).

Without better facts, the plaintiffs try to manufacture Article III harms by invoking speculative and factually unsupported future possibilities. This court wasn’t receptive to that effort. Accordingly, I think most or all of the session replay cases in the Ninth Circuit won’t survive this ruling.

Case Citation: Popa v. Microsoft Corporation, 2025 WL 2448824 (9th Cir. August 26, 2025)