In MARILYN HERNANDEZ, individually & on behalf of all others similarly situated, Plaintiff, v. NOOM, INC., Defendant, No. 1:23-CV-00641-JRR, 2023 WL 8934019, at *1–2 (D. Md. Dec. 27, 2023), Judge Rubin found no Article III standing for a wiretapping claim based on a website’s capture and recording of users’ electronic interactions with the website.

Plaintiff Marilyn Hernandez, individually and on behalf of all others similarly situated, brings this action against Defendant for allegedly wiretapping the electronic communications of visitors to its website, www.noom.com, in violation of Maryland statutory and common law. (ECF No. 1.) Plaintiff is a citizen and resident of the State of Maryland. Id. ¶ 5. Defendant is a Delaware corporation with its principal place of business in New York, New York. Id. ¶ 6. Defendant is a digital health and wellness platform, and operates the website www.noom.com and all of its subpages. Id. ¶ 42. Plaintiff alleges that the court has personal jurisdiction over Defendant because it directed purposeful and tortious acts towards Maryland citizens. Id. ¶ 8. Plaintiff further alleges that “Defendant chose to avail itself of the business opportunities of marketing and selling its services in Maryland and collecting real-time data from website visit sessions initiated by Maryland citizens while located in Maryland.” Id.
According to Plaintiff, Defendant procures third-party vendors to embed computer code (“Session Replay Code”) which enables Noom to intercept and record website visitors’ electronic communications with Noom’s website, including “mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of web pages visited, and/or other electronic communications in real-time.” (ECF No. 1 ¶¶ 1, 25.) Website operators can then access the recordings and view a visual reenactment of the user’s visit through the Session Replay Provider. Id. ¶ 27. Plaintiff alleges that Defendant does not notify users that Defendant utilizes Session Replay Code or that users’ electronic interactions with the website are recorded. Id. ¶ 60.
On March 8, 2022, Plaintiff filed the Complaint, which sets forth two counts: (1) Violation of the Maryland Wiretapping and Electronic Surveillance Act (“MWESA”), MD. CODE ANN., CTS. & JUD. PROC. §§ 10-401, et seq. (Count I); and (2) Invasion of Privacy — Intrusion Upon Seclusion (Count II). (ECF No. 1 at 18–22.)
The prayer for relief seeks an order: (i) certifying the Class and appointing Plaintiff as the Class representative; (ii) appointing Plaintiff’s counsel as class counsel; (iii) declaring that Defendant’s alleged past conduct was unlawful; (iv) declaring Defendant’s alleged ongoing conduct is unlawful; (v) enjoining Defendant from continuing the alleged unlawful practices, and awarding such injunctive and other equitable relief as the court deems just and proper; (vi) awarding Plaintiff and the Class members statutory, actual, compensatory, consequential, punitive, and nominal damages, as well as restitution and/or disgorgement of profits allegedly unlawfully obtained; (vii) awarding Plaintiff and the Class members pre-judgment and post-judgment interest; (viii) awarding Plaintiff and the Class members reasonable attorneys’ fees, costs, and expenses; and (ix) granting such other relief as the court deems just and proper. Id. at 22–23.
Defendant moves to dismiss the Complaint on several grounds: (1) Plaintiff fails to allege facts that allow the court to exercise personal jurisdiction over Defendant; (2) Plaintiff fails to sufficiently allege that she suffered an injury-in-fact for Article III standing; and (3) Plaintiff fails to state a claim under MWESA and for common law intrusion upon seclusion. (ECF No. 18-1 at 9-32.)

The District Court found no Article III standing:

Here, Plaintiff alleges:
“Plaintiff has visited www.noom.com and certain of its subpages on her computer while in Maryland prior to filing this action. While visiting Noom’s website, Plaintiff fell victim to Defendant’s unlawful monitoring, recording, and collection of Plaintiff’s Website Communications with www.noom.com. *** During a visit by Plaintiff to www.noom.com and its subpages, Plaintiff browsed for different products for sale and signed up for a trial membership. Plaintiff communicated with Noom’s website by using her mouse to hover and click on certain products and services and by typing her personal information in text fields.” The Session Replay Code instantaneously captured her Website Communications throughout her visit. Indeed, through Noom’s procurement of Session Replay Code, Plaintiff’s Website Communications were automatically and secretly intercepted while using Noom’s website. Further, without her consent, Noom procured Session Replay Providers to obtain certain information about her device, browser, and create a unique ID and profile for her. During the website visit, Plaintiff’s Website Communications were captured by Session Replay Code and sent to various Session Replay Providers. (ECF No. 1 ¶¶ 48-49, 51-53.)
While Plaintiff alleges that “a variety of highly sensitive information can be captured in event responses from website visitors, including medical conditions, credit card details, and other personal information displayed or entered on webpages” (ECF No. 1 ¶ 28), she does not allege that the Session Replay Code actually captured her specific sensitive personal information. Rather, Plaintiff alleges when she typed her personal information in text fields, her “Website Communications” (generally defined in the Complaint at paragraph 1 as “mouse movements, clicks, keystrokes…URLs of web pages visited, and/or other electronic communications”) were captured by Session Replay Code and then sent to Session Replay Providers. Id. ¶¶ 1, 51, 53. Absent allegations regarding “the specific kinds of captured personal information implicating a substantive privacy interest,” Plaintiff fails to adequately allege that she suffered an intangible injury (i.e., invasion of her privacy) – specifically that her personal information was intercepted and recorded by Defendant. See Straubmuller and Mikulsky, supra.

Similarly, Plaintiff could allege no tangible injury to support Article III standing.

Plaintiff also argues that Defendant’s disclosure of her communications to Session Replay Providers exposes website visitors to identity theft, online scams, and other privacy threats. (ECF No. 21 at 10.) Defendant argues that Plaintiff fails to allege a personal or specific future risk of identity theft. (ECF No. 22 at 7.) Straubmuller v. Jetblue Airways Corporation, supra, is again instructive. 2023 WL 5671615 (D. Md. Sept. 1, 2023). There, the plaintiff argued that the defendant’s “disclosure of his electronic communications to Session Replay Providers gives rise to a plausible risk of enhanced privacy threats, such as identity theft, constituting a concrete tangible harm.” Id. at *5. The Straubmuller court rejected this argument:
“A threatened injury constitutes an injury in fact when it is certainly impending. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013). Sufficiently imminent injuries in fact cannot be premised on a “highly attenuated chain of possibilities.” Id. at 410. The Fourth Circuit has interpreted Clapper to require targeting or misuse before a future risk of identity theft qualifies as an injury in fact. See Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017) (holding that without evidence of misuse or deliberate targeting by data thieves, an enhanced risk of identity theft as a result of a data breach is too speculative to constitute an injury in fact); Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 622 (4th Cir. 2018) (holding that data breach victims who had already experienced identity theft and credit card fraud sufficiently alleged an injury in fact); O’Leary v. TrustedID, 60 F.4th 240 (4th Cir. 2023) (holding that a plaintiff who cannot connect the alleged statutory violation to an increased risk of identity theft without a “Rube Goldberg-type chain reaction” lacks standing).” Here, Plaintiff has not alleged facts establishing targeting or misuse of his personal information. In fact, as Defendant states, “[Plaintiff] does not allege that he provided any information to JetBlue that could be used to commit the ‘identity theft, online scams, and other privacy threats’ he allegedly fears.” (ECF No. 19 at 12). While Plaintiff argues that being a visitor to Defendant’s website subject to Session Replay Code results in non-conjectural privacy risks, (ECF No. 14 at 17-18), for identity theft to materialize, Defendant’s Session Replay providers must suffer a data breach, the breach must compromise Plaintiff’s sensitive personal information, and an identity thief must misuse that information to harm Plaintiff – the very kind of chain reaction Clapper has deemed too speculative. 2023 WL 5671615, at *5.
Like the Straubmuller plaintiff, Plaintiff here does not adequately allege facts of targeting or misuse of her personal data; nor does Plaintiff allege facts to suggest that her Website Communications could be, or will be, used to steal her identity. As discussed above, outside of a broad category, not unique to Plaintiff, defined generally to include “mouse movements, clicks, keystrokes…URLs of web pages visited, and/or other electronic communications,” Plaintiff does not identify specific personal information she disclosed on Defendant’s website and that Defendant intercepted and misused. See Section III.A.1., supra. Plaintiff alleges:
“In addition to the privacy invasions caused by the diversion of user communications with websites to third-party Session Replay Providers, Session Replay Code also exposes website visitors to identity theft, online scams, and other privacy threats. Indeed, “[t]he more copies of sensitive information that exist, the broader the attack surface, and when data is being collected [ ] it may not be stored properly or have standard protections” increasing “the overall risk that data will someday publicly leak or be breached.” (ECF No. 1 ¶ 36.)
Plaintiff’s allegations, broadly and reasonably construed, are insufficient to plead a tangible injury. Plaintiff’s theory of standing “relies on a highly attenuated chain of possibilities” and fails to connect the alleged statutory violation to an increased risk of identity theft. Clapper v. Amnesty Intern. USA, 568 U.S. 398, 410 (2013); see Straubmuller, 2023 WL 5671615, at *5 (noting that “for identity theft to materialize, Defendant’s Session Replay providers must suffer a data breach, the breach must compromise Plaintiff’s sensitive personal information, and an identity thief must misuse that information to harm Plaintiff”).