Dynatrace Privacy Lawsuits and Risks: Implications for Website Operators


Dynatrace Privacy Lawsuits

How Dynatrace Causes Data Privacy Issues Based On Its Functionality

Dynatrace is a leading software observability platform that monitors and optimizes digital performance across websites, applications, and IT infrastructure. Its key features include:

  • Session Replay: Captures user interactions like keystrokes, mouse clicks, and page navigation for user experience analysis.
  • Analytics: Tracks metrics such as page load times, user behavior, and engagement to enhance website functionality.
  • Infrastructure Monitoring: Observes server, cloud, and network performance for operational efficiency.
  • AI-Driven Insights: Uses artificial intelligence to detect anomalies and suggest optimizations.

Dynatrace integrates into websites via code snippets, collecting data to improve user experience and system performance. Its Privacy Rights app supports compliance with data protection laws like GDPR and CCPA by streamlining data subject rights requests, such as exports or deletions. If you’ve followed the session replay lawsuits and litigation that we’ve covered over and over again, Dynatrace is just one of many tools, alongside Hotjar and Microsoft Clarity, that litigators love to sue over. If you’re not using a cookie consent banner to respect data subjects’ preferences, you can guarantee that you’ll have privacy litigation issues.

Privacy Lawsuits Involving Dynatrace

Dynatrace has faced legal challenges over its data collection practices, particularly its session replay technology. Below are notable cases:

    • Gary v. Dynatrace, Inc. and Ulta Beauty (2023, Massachusetts District Court, 1:23-cv-11673): Filed in July 2023, plaintiffs Alyssa Gary and Marla Defoort alleged that Dynatrace’s session replay software acted as “spyware,” intercepting keystrokes, mouse clicks, IP addresses, geolocation, and device information without consent. The lawsuit claimed violations of the Massachusetts Wiretapping Statute, the California Invasion of Privacy Act (CIPA), and various state privacy laws, seeking compensatory damages, injunctive relief, and attorney fees. The plaintiffs argued that data collection began before users could view privacy disclosures, rendering them ineffective. Dynatrace’s motion to dismiss argued that session replay technology enhances user experience and does not constitute unlawful eavesdropping, but the case’s outcome is not fully detailed in available sources.
    • Software Research, Inc. v. Dynatrace LLC (2018, Northern District of California, 3:18-cv-00232): This case, filed in January 2018, focused on patent infringement rather than privacy, alleging that Dynatrace’s Performance Management (DPM) product infringed on Software Research’s patents for web application monitoring. Dynatrace’s motion to dismiss was denied, as the court found the plaintiff sufficiently identified DPM as the infringing product. The case closed in November 2018, likely via settlement, but specific outcomes are unavailable.
    • Potential Related Litigation: While not directly named, Dynatrace’s session replay technology has been referenced in broader discussions of wiretapping lawsuits. For instance, a 2023 California case against Saks.com alleged violations of CIPA for using Dynatrace-like tracking tools, suggesting Dynatrace may be implicated in similar lawsuits against its clients.

 

Risks of Using Dynatrace on Websites

Deploying Dynatrace on websites carries privacy-related risks, particularly in jurisdictions with strict data protection laws:

  • Unauthorized Data Collection: Session replay may capture sensitive data (e.g., form inputs) if not configured to exclude it, potentially violating consent requirements.
  • Compliance Challenges: Laws like CIPA, GDPR, and CCPA mandate explicit consent and transparency. Misconfigured tools or delayed disclosures risk litigation.
  • Third-Party Data Sharing: Dynatrace’s data sharing with analytics partners, if not clearly disclosed, may trigger CIPA wiretapping claims.
  • Legal and Reputational Costs: CIPA violations carry penalties of $5,000 per violation, and publicized lawsuits can damage consumer trust.

Comparison with Hotjar, Microsoft Clarity, and Meta Pixel

Other tracking tools like Hotjar, Microsoft Clarity, and Meta Pixel share similar functionalities and risks, particularly under CIPA:

| Tool | Functionality | Privacy Risks | CIPA Relevance |
|---|---|---|---|
| Dynatrace | Session replay, analytics, infrastructure monitoring, AI-driven insights | Captures detailed interactions; risks collecting sensitive data without consent | Targeted in Gary v. Dynatrace for wiretapping; risks from third-party data sharing |
| Hotjar | Heatmaps, session recordings, user feedback | Records sensitive inputs if not masked; consent issues similar to Dynatrace | Faces CIPA lawsuits for unauthorized data collection; less robust compliance features |
| Microsoft Clarity | Heatmaps, session recordings, anonymized tracking | Anonymization may not prevent CIPA claims; risks from automatic tracking | Emerging CIPA lawsuits for wiretapping; limited compliance tools |
| Meta Pixel | Tracking for targeted ads, user interaction analytics | Shares data with Meta; high-profile CIPA lawsuits (e.g., Doe v. Meta) | Frequent target of CIPA claims for unauthorized data sharing |

Relation to CIPA

The California Invasion of Privacy Act (CIPA), enacted in 1967, prohibits unauthorized wiretapping and eavesdropping. Its Section 631(a) (wiretapping) and Section 638.51 (pen register/trap and trace) are increasingly applied to tracking technologies:

  • Dynatrace and CIPA: The Gary v. Dynatrace case alleged that session replay constitutes wiretapping by intercepting user communications without consent. The pen register theory, claiming tracking tools record interactions, is gaining traction but faces inconsistent court rulings (e.g., dismissed in Rodriguez v. Plivo, upheld in Greenley v. Kochava).
  • Common Issues: All tools risk CIPA violations if they collect data without explicit consent or share it with third parties. Courts are split on whether tracking equals wiretapping, but the $5,000 per violation penalty drives litigation.

Mitigation Strategies

To minimize CIPA and privacy risks, website operators should follow the advice that we share for free in our education center and install our software tools to automate compliance. This includes the advice below:

  • Obtain Explicit Consent: Use opt-in banners before tracking begins, leveraging Dynatrace’s Cookie Preference Center.
  • Limit Data Collection: Configure tools to mask sensitive inputs (Dynatrace and Hotjar support this).
  • Enhance Transparency: Disclose third-party tools in privacy policies, as well as in your privacy notice that Captain Compliance can generate for you, and conduct regular audits.
  • Monitor Legal Trends: Stay updated on CIPA case law, as rulings like Sanchez v. Cars.com favor defendants with strong consent mechanisms.
  • Leverage Compliance Tools: Use Dynatrace’s Privacy Rights app for GDPR/CCPA compliance, which may bolster CIPA defenses.

How To Be Compliant With Dynatrace’s Software Running

Dynatrace’s observability tools enhance website performance but carry privacy risks, as seen in lawsuits like Gary v. Dynatrace and all the cases we outlined above. So it’s not a one-time issue; it’s a common one. Compared to Hotjar, Microsoft Clarity, and Meta Pixel, Dynatrace faces similar CIPA challenges but benefits from compliance features like the Privacy Rights app. Website operators must prioritize consent, transparency, and data minimization to navigate the evolving landscape of privacy litigation, and the best solution is to have good privacy hygiene.
