Nike, FullStory Sued For Recording Screen Sessions of Website’s Visitors


On Tuesday in the Central District of California, Burhaan Saleh filed a class-action complaint against Nike, Inc. and FullStory, Inc., a marketing software-as-a-service company, for purportedly wiretapping visitors’ electronic communications by recording their sessions on Nike’s website without disclosing it or obtaining permission.

The plaintiff claimed that the suit was brought against the defendants for “wiretapping the electronic communications of visitors to Defendant Nike’s website, Nike.com.” According to the complaint, the wiretaps embedded in the website’s code “are used by Defendants to secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications, including the entry of Personally Identifiable Information (‘PII’), in real time.”

Specifically, Nike used FullStory’s feature called “Session Replay,” which “purports to help businesses improve their website design and customer experience” by “provid(ing) a real-time recording of a user’s interactions on a website.” FullStory reportedly lets someone using its software “view a list of users who visited the website, as well as the time they spent on the website.” After clicking on a particular user session, the program allows a company to view a video of the interactions  “‘to see the real customer experience behind the data.’” Companies are able to use the Session Replay and other FullStory software by using its snippet of code, embedded in their websites, to enable the alleged wiretapping. 

The plaintiff asserted that when he visited Nike’s website, information of his was recorded, including his payment card information, IP address, and his location at the time of the visit. The plaintiff alleged that this information was disclosed to the defendants through this purported wiretap interception, despite the plaintiff being unaware that this was being recorded or disclosed. 

Additionally, the plaintiff stated that he did not provide consent to this conduct or disclosure of his information. Consequently, Saleh proffered that Nike wiretapped his electronic communications without his knowledge or consent because Nike did not ask for consent or notify users that their communications were being wiretapped by FullStory; the plaintiff pointed out that there is no mention of this conduct in Nike’s Privacy Policy. Moreover, the plaintiff claimed that the Session Replay feature “is not only highly intrusive, but dangerous,” because it and other similar recording technologies record and collect “sensitive user information such as passwords and credit card numbers,” which “can leave users vulnerable to data leaks and the harm resulting therefrom.”

The class included California residents who visited Nike’s website and had their electronic communications intercepted or recorded by FullStory. The defendants were accused of violating the California Invasion of Privacy Act (CIPA) and violating privacy rights established in the California Constitution.

Saleh has sought an order certifying the class and for the plaintiff and his counsel to represent the class; declaratory judgment in its favor; an award for damages; and order for restitution; injunctive relief; and an award for costs and fees.

The plaintiff is represented by Bursor & Fisher, P.A.