Spirit Airlines has shut down. They’re liquidating. There’s almost no money left. And virtually all outstanding claims that haven’t yet been confirmed would be for unsecured creditors who would get very little if anything. And yet there are still lawsuits on the books!
One proposed class action (Smidga v. Spirit Airlines, W.D. Pa. No. 2:22-cv-01578) just went down in the Third Circuit, with the federal court reminding us that “what we do on the Internet is not completely private.”
Customers were suing Spirit over its website and how they tracked user behavior – embedding third-party ‘session replay’ code on spirit.com, which allowed Spirit and their vendor to intercept, record, save, and replay visitor activity on the website.
They captured mouse movements, clicks, scrolls, keystrokes, URLs, search terms, pages visited, inactivity, IP and geolocation information, device and browser identifiers, and form entries. A lot of that is captured in server logs anyway but this allowed putting it together to monitor how people interacted with a site in order to better optimize it.
Here’s the thing. The court said that the custoemrs didn’t actually show a concrete injury from Spirit recording their online activity. Spirit’s Chief Information Officer said that this session replay was used for website functionality and user-experience optimization, it didn’t collect personally identifiable information, and recorded data couldn’t even be traced to a specific website user.
And that court had ruled last year in Cook v. GameStop that a website visitor who alleged recording of clicks, mouse movements, keystrokes, and browsing activity, but didn’t actually allege disclosure of sensitive personal information, didn’t have a concrete injury, and a statutory ‘wiretap’ violation alone didn’t create federal standing to sue.
- customers voluntarily entered information to search for and buy flights
- the data anonymized
- there was no allegation that Spirit made an express promise not to collect or share this data, so no claim they breached a privacy policy promise
Here’s one piece of the case that does seem interesting – if you navigated directly to a page to learn about site privacy, you were being tracked. There couldn’t have been consent for that since the tracking began before you even knew what you were consenting to.
On the other hand, surely one of the worst experiences is browsing the web in Europe where you have to consent to cookies on every site before browsing.
Most of the actual sensitive data, though, is something the user voluntarily discloses. It’s not their IP address, it’s their name, date of birth, where they’re traveling and their payment information.
And by the way there are similar suits against JetBlue, Delta, Alaska and American. I haven’t found any against United but it’s hard to imagine lawyers would have overlooked them! Those suits could fare better, because there may not be on point case law working against them in all cases, and because here Spirit submitted a declaration that basically said there was nothing to see here and the plaintiffs failed to do any discovery to validate that and develop their own factual record.
In other words, it’s possible to sue for anything. But not every lawyer suing is very good at it. In fact, there’s something fitting about what seems to me to be the Spirit Airlines of lawyers suing Spirit even after they’ve gone out of businesss.
American Airlines, Delta Air Lines, and other airlines track your activity when you use their websites. This tracking helps them maximize airline profit, manage reservations, improve service, and enhance the passenger experience.
Nothing illegal here so hopefully these all get dismissed. There is no right of privacy when using a website. Yes they have certain privacy provisions but that is against unauthorized access (aka hacking). That doesn’t mean businesses can’t collect data to customize an experience, optimize their systems or maximize profit. If you don’t like it don’t use the internet.