A recent Third Circuit decision gives companies another strong defense point in the wave of website tracking and session replay litigation, including claims brought under the California Invasion of Privacy Act (CIPA). In Smidga v. Spirit Airlines, the plaintiffs alleged that Spirit used session replay code to record website visitors’ interactions, including text entries, clicks, and geolocation, and one plaintiff asserted a CIPA claim based on that alleged tracking. The Third Circuit affirmed dismissal because the plaintiffs failed to show a concrete privacy injury sufficient for Article III standing, relying heavily on its recent Cook v. GameStop decision involving similar session replay allegations. 

The decision is especially useful for companies because the court rejected the idea that an alleged statutory privacy violation alone automatically creates federal standing. The court emphasized that plaintiffs still must plead concrete harm, not just point to a privacy statute, and distinguished earlier data privacy cases involving allegations of deceptive tracking or disclosure of non-anonymous personal information. The court also found no close relationship to traditional privacy torts where two plaintiffs did not allege collection of personal information, the third did not allege embarrassment or humiliation, the allegedly intercepted information was anonymized, and users voluntarily entered information on the website. 

For companies defending CIPA and similar session replay cases, the decision reinforces several practical arguments: plaintiffs need more than boilerplate claims about “recording” website activity, anonymized or non-user-specific data may undercut concrete injury, and the absence of a specific privacy promise can matter. It also highlights the value of factual assertions at the jurisdictional stage, since Spirit submitted evidence that the software functions capable of collecting personal information had never been enabled and that collected data was not traceable to a specific website user. While the opinion is non-precedential, it is still a helpful signal that courts are scrutinizing standing in website tracking cases and are not treating CIPA-style allegations as an automatic ticket into federal court.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.