Hi, CIPAWorld! Kelly Sandberg here, with another case on alleging an injury in fact to meet Article III standing requirements for privacy claims.
In the case of In re BPS Direct, LLC; Cabela’s LLC Wiretapping Litig., eight Plaintiffs brought a putative class action against Bass Pro Shop and Cabela (collectively “BPS”). Plaintiffs alleged that BPS’s use of third-party data tracking software on their websites was a violation of the Wiretap Act and the Computer Fraud and Abuse Act. In re BPS Direct, LLC; Cabela’s LLC Wiretapping Litig., No. 23-3235, 2026 WL 1280969 (3d Cir. May 11, 2026). In sum, the United States Court of Appeals for the Third Circuit affirmed the United States District Court for the Eastern District of Pennsylvania’s dismissal of six Plaintiffs’ claims, and reversed the dismissal as to two Plaintiffs’ claims because only two Plaintiffs had alleged tangible injuries demonstrating they had a “close relationship” to a harm traditionally recognized at common law.
Bass Pro Shop and Cabela are outdoor retailers specializing in hunting, fishing, camping and outdoor recreation gear, and each company operates a website where consumers can browse and purchase gear. Both companies use JavaScript code known as “Session Replay Code” on their websites that was developed by companies such as Microsoft, Quantum Metric, and Mouseflow (“Providers”).
This code captures a website user’s interactions such as their mouse movements, clicks, scrolls, zooms, window resizes, keystrokes and text entries. This data is then used to create a “video replay” of a user’s visit to the website that provides BPS with insight into their company performance and advertising campaigns.
Further, the Providers store this collected data, which includes personally identifying information, called “fingerprints.” The Providers can collect “fingerprints” from any website using the code to match a user’s “fingerprint” with their identity if the user had identified themselves on a website (i.e., filling out a form).
Two Plaintiffs – Heather Cornell and Peter Monteclavo – had made purchases on BPS’s websites and entered their personal billing information upon checkout. The remaining six Plaintiffs browsed BPS’s websites but had made no purchases and entered no personally identifying information while on the websites. These eight Plaintiffs brought an action in the United States District Court for the Eastern District of Pennsylvania against BPS for violations of various state and federal privacy laws based on the code’s capturing of their data while using BPS’s websites.
Ultimately, the District Court granted BPS’s motion to dismiss, relying on the case of In re BPS Direct, LLC to determine whether an injury in fact for Article III standing had been properly alleged. The court required that “the website users must be able to plead facts of sharing highly sensitive personal information such as a medical diagnosis or financial data from banks or credit cards to enjoy Article III standing.” In re BPS Direct, LLC, 705 F. Supp. 3d 333, 367 (E.D. Pa. 2023). After dismissal, all Plaintiffs appealed.
The Third Circuit Court of Appeals stated that “[t]o establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Spokeo, 578 U.S. at 339, 136 S.Ct. 1540 (citation modified).
To establish that a concrete injury had occurred, Plaintiffs argued their injuries were analogous to harms recognized under the common law torts of: (1) public disclosure of private facts, and (2) intrusion upon seclusion.
The court determined that the six Plaintiffs who had not made purchases on BPS’s websites lacked Article III standing under the harm recognized within both common law torts. This was because their data gathered by the code was neither sensitive nor linked to Plaintiffs’ identities and because they failed to allege any facts showing that BPS helped de-anonymize Plaintiffs.
Further, Plaintiffs Cornell and Monteclavo had entered sensitive credit and debit card information on BPS’s website that was captured by the code, but the court determined that this unauthorized disclosure would only result in harm if the information was disclosed publicly. Neither Cornell nor Monteclavo alleged public disclosure and therefore could not provide a showing of harm recognized under the tort of public disclosure of private facts.
However, Cornell and Monteclavo were able to allege harms analogous to those recognized under an intrusion upon seclusion claim because the code’s interception resulted in harm by gathering and storing their sensitive and private billing information. Cornell and Monteclavo sufficiently alleged a concrete injury required for Article III standing under this common law tort theory.
The important takeaway here is that Plaintiffs must allege tangible injuries that demonstrate a “close relationship” to harms traditionally recognized at common law to meet Article III standing requirements.
