){kind=logo}
TL;DR: In privacy class actions, it is often an open legal question whether there is an injury at all. On May 11, 2026, the Third Circuit issued In re BPS Direct, LLC; Cabela's, LLC Wiretapping Litigation, which held that plaintiffs whose credit card information was captured via session-replay code adequately alleged Article III injury-in-fact. The ruling creates an explicit appellate-level split. The same allegations in the Ninth Circuit would have been dismissed. This split may provide the single most important strategic variable in session-replay class action defense. In-house and defense counsel who do not have a forum strategy as of today are missing out.
What the Third Circuit Actually Held
In BPS Direct, eight named plaintiffs filed a putative class action against online retailers (including Bass Pro Shops and Cabela's) alleging that session-replay code embedded on the defendants’ websites violated the federal Wiretap Act, the Computer Fraud and Abuse Act and various state wiretapping statutes. The district court dismissed all eight plaintiffs' claims for lack of Article III standing.
The Third Circuit looked closely at the data collected by the session-replay data. Two plaintiffs had actually made purchases on the defendants' websites, and the session-replay code had captured their credit card information without disclosed consent. As to those two, the Third Circuit reversed, holding that the unauthorized collection was analogous to the common law tort of intrusion upon seclusion, which is a recognized historical analog sufficient to confer Article III injury-in-fact under the U.S. Supreme Court’s decision in TransUnion v. Ramirez.
The remaining six plaintiffs had only browsed. Because the session-replay code in their cases captured only mouse movements, clicks, keystrokes in non-sensitive fields and similar non-sensitive interaction data, the Third Circuit affirmed dismissal and the asserted privacy injury was not concrete in the TransUnion sense.
Two things make the ruling consequential beyond the four corners of the opinion. First, the Third Circuit expressly identified the type of data captured as dispositive: credit card information, Social Security numbers, financial account credentials. Second, the ruling sits in clean tension with the Ninth Circuit cases, which have repeatedly held that even capture of sensitive data via session-replay code, without more, does not create a reasonable expectation of privacy sufficient to support the underlying state-law theory. The standing split is now explicit and unmistakably ripe for forum-shopping by both sides of the bar.
Why Ruling Provides Both Risk and Opportunity Defendants
The plaintiffs’ bar has run session-replay privacy litigation as a nationwide business for three years. The model has always depended on a third-party script that captures user interactions that was then repackaged across multiple statutes (CIPA § 631, CIPA § 638.51, the federal Wiretap Act, Pennsylvania's WESCA, Florida's FSCA, the VPPA in some configurations) and filed in whichever forum the plaintiffs’ bar believes will most reliably survive a motion to dismiss. From there, these attorneys price their demands based upon their own calculus of the nuisance value of the suits.
The Third Circuit's ruling reshapes that calculus in three ways.
Forum now often determines whether the case dies at the pleadings. In the Third Circuit, a complaint that pleads capture of credit card or financial credential data will now likely clear Article III. A complaint that pleads only mouse-movement and keystroke capture in non-sensitive fields will not survive. In California federal courts, the standing analysis remains more skeptical and defense-friendly.
Forum determines class certification posture. A standing victory at the pleadings stage in California sometimes obviates class certification briefing entirely. A standing defeat in the Third Circuit means defendants now face a full Rule 23 briefing, where the recent Northern District of California line on individualized consent and exposure issues in pixel and tracking-technology cases offers an important parallel dispositive weapon.
Forum can determine insurance and panel-counsel posture. Directors & Officers and cyber policies often condition coverage on jurisdiction-specific triggers. Panel-counsel selection by insurers frequently varies by venue. A multi-forum exposure profile now creates coverage-coordination work that did not exist when standing law was nationally uniform.
The combined effect is that forum is no longer a secondary tactical variable.
The Forum-Specific Defense Playbook
For Third Circuit defendants, the dispositive battles now shift to two grounds. First, the elements of the underlying state or federal wiretap statute are now the first issue to address. These include the “party to the communication” doctrine, the “ordinary course of business” exception, the consent defenses available under the federal Wiretap Act and the technical question of whether the session-replay configuration constitutes a real-time “interception” or a post-hoc reconstruction. Second, parties should focus upon class certification under Rule 23(b)(3), where individualized issues around consent state, browser configuration, prior disclosure exposure and consent management platform (CMP) interaction frequently defeat predominance. Both of these attacks require deep knowledge of data-flow architecture and CMP configuration.
Ninth Circuit defendants have more defensive options. Standing remains a viable dispositive defense. Moreover, the parallel state-law expectation-of-privacy analysis under CIPA continues to favor defendants in the typical session-replay fact pattern. The continuing doctrinal uncertainty around CIPA § 638.51 (including emergent district court rulings on whether the pen-register/trap-and-trace statute extends to ordinary web-tracking technologies) provides additional dispositive grounds for a motion.
Because of these advantages, the strategic opportunity becomes working to ensure that any suits are brought in the Ninth Circuit. That question turns into three concrete deliverables: refreshed forum-selection clauses in website terms of use; declaratory judgment timing analysis when pre-suit demand letters arrive; and first-filed doctrine planning when a multi-jurisdiction litigation pattern emerges.
What This Means for Pre-Suit Risk Posture
The Third Circuit ruling also serves as a remediation roadmap. Every defendant whose website runs a session-replay tool (or a session-replay-adjacent technology such as form-field capture, error-replay or interaction-heatmap tooling) should run a multiple-step audit as soon as possible.
Identify whether the session-replay vendor's configuration captures credit card numbers, expiration dates, CVV codes, Social Security numbers, account credentials or analogously sensitive data. You must also understand whether that data is gathered in real time or later in reconstructed form. If the data is collected, whether in real time or later, you may have to make some decisions as to the data-capture configuration.
Consent-management audit. Confirm that the CMP discloses session-replay specifically (not generically as “analytics”) and that the consent state is reliably captured before the session-replay tag fires.
Vendor contract audit. Where possible, re-paper session-replay vendor contracts for (a) indemnification on configuration-driven liability, (b) cooperation obligations on discovery, and (c) forum-selection clauses that align with the defendant's preferred forum strategy.
Forum-selection clause audit. Review terms of use and click-wrap forum-selection clauses for enforceability and consider rerouting all cases to California.
The cost of running this audit is meaningfully less than the cost of defending a single complaint, and significantly less than the cost of being denied coverage because the policy trigger does not align with the forum.
The Larger Pattern
Privacy class actions under wiretap statutes have become an industrialized revenue stream for the plaintiffs’ bar, and they price their demands against the cost of defense. The Third Circuit's BPS Direct ruling tilts the leverage calculus toward plaintiffs in one circuit, leaves it tilted toward defendants in another. That asymmetry creates opportunities.
The right defense posture for privacy class actions is not bigger teams, broader motions or longer, more scholarly briefs. It is forum literacy, technical fluency in the underlying data-flow architecture and a willingness to litigate dispositively in the forums where dispositive victory remains available. The right response is not to fight these cases in the wrong forum. The right response is to make sure the next complaint is filed in the right one.
-
Partner