A federal judge in Los Angeles has grounded a class action lawsuit accusing JetBlue of violating California residents’ privacy rights though software used to track and record customer interactions with the airline’s website.
In an opinion filed June 12, U.S. District Judge Marilyn Huff said she didn’t need to conduct a scheduled hearing on JetBlue’s motion to dismiss a complaint from Anne Lightoller, whose complaint indicated she visited JetBlue.com to check flight prices. According to Lightoller, who sued on Feb. 24, JetBlue’s website used a third-party product called Session Replay Code to analyze user interactions in violation of the California Invasion of Privacy Act.
“Session Replay Code enables website operators to record, save and replay a website visitor’s interactions with a given website, including ‘mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of webpages visited, and/or other electronic communications in real-time,’ ” Huff wrote, quoting Lightoller’s complaint. “Once the events have been recorded by a Session Replay Code, a website operator can view a visual reenactment of the user’s visit through the Session Replay Provider, usually in the form of a video.”
In arguing for dismissal, JetBlue said Lightoller failed to allege any concrete harm as a result of JetBlue’s use of the code, meaning she lacked standing under Article III of the U.S. Constitution.
“A legislature’s creation of a statutory prohibition or obligation and a cause of action does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm under Article III,” Huff wrote.
Although Lightoller pointed to cases where a violation of privacy rights was found actionable without further legal damage, Huff said a 2021 U.S. Supreme Court opinion, TransUnion v. Ramirez, established “Article III standing requires a concrete injury even in the context of a statutory violation.”
Huff said although privacy rights violations have long been fodder for common law litigation, and further that CIPA specifically codified privacy rights, an important question is whether a plaintiff has alleged the loss of control of their personal information.
“This is significant because (Lightoller’s) complaint does not allege that she disclosed any personal information to (JetBlue),” Huff wrote. What she typed or where she clicked, Huff implied, doesn’t amount to an allegation of disclosing personal information that could be recorded or intercepted.
“Flight pricing information is not personal information,” Huff wrote. “As such, (Lightoller) has failed to adequately allege that she suffered any concrete harm that bears a close relationship to the right to control personal information, meaning (she) has failed to establish an injury in fact.”
Earlier situations where Facebook was found liable for CIPA violations, Huff continued, involved allegations of the social network continuing to monitor people’s browsing activity even after moving to different websites or software — and then blending those logs with users’ Facebook profiles to create richer and more marketable understandings of their customer base. Huff’s complaint contained no such detail.
Huff’s dismissal did not leave Lightoller room to amend her complaint.
Lightoller has been represented in the action by attorneys Steven M. Nathan and James J. Pizzirusso, of the firm of Hausfeld LLP, of New York and Washington, D.C.; and Stephen B. Murray, of the Murray Law Firm, of New Orleans.
JetBlue has been represented by attorneys Rebekah S. Guyon and Jacob D. Bundick, of Greenberg Traurig, of Las Vegas and Los Angeles.