Microsoft secretly recorded every mouse movement, every click, every keystroke, and every product a woman browsed while she shopped for pet food online, organized that surveillance data into more than 30 categories, and a federal court just ruled she has no legal standing to even complain about it.

How a Pet Food Shopping Trip Exposed the Death of Digital Privacy

Microsoft’s “Clarity” surveillance tool watches everything you do on thousands of websites. A court just told the public: that’s fine. Here’s what they’re actually capturing, and who fought to keep it legal.

EvilCorporations.com Investigative Desk · Source: U.S. Court of Appeals, Ninth Circuit · Opinion filed August 26, 2025

Your Screen is a Surveillance Feed. Microsoft Built the Camera.

Most people think of Microsoft as a software company that makes Windows and Office. They do not think of it as a company that has deployed invisible tracking code on thousands of retail websites, recording shoppers’ behavior in real time. But that is exactly what Microsoft Clarity does, and the court record makes the mechanics uncomfortably clear.

Session-replay technology works by embedding small pieces of JavaScript code directly into a website’s code. The moment you load that site, that code activates inside your browser and begins transmitting your behavior to a remote server. According to the court record, this includes “mouse movements, clicks, keystrokes, URLs of web pages visited, and other electronic communications in real-time.” The operator of the surveillance tool can then reconstruct your entire session as a video replay.

Microsoft’s version of this tool, Clarity, does not just capture a vague sense of what you did. The amended complaint in this case states that Clarity organizes captured data into over 30 distinct categories. Those categories include the date of your visit, the device you used, the browser you used, your operating system, your country of origin, your mouse movements, your screen swipes, text you typed, and how far you scrolled down any given page.

They Know What You Looked At, Even If You Didn’t Buy It

Ashley Popa visited petsuppliesplus.com to browse for pet supplies. She used her mouse to hover over and click on products. The complaint states explicitly: “if a website user views a certain product offered for sale, that information is captured by Microsoft Clarity.” She did not have to purchase anything. She did not have to create an account. Simply looking at a product was enough to generate a surveillance record.

The complaint also states that mailing address information, entered during checkout, was being intercepted by Clarity. Microsoft’s own settings show Clarity operates in three modes: strict (all text masked), balanced (passwords and credit card fields masked), and relaxed (nothing masked at all). The court record indicates Clarity’s default setting is “balanced,” meaning most of what you type on a website using Clarity is visible to Microsoft unless the website operator specifically coded an exception.

The result of all this data collection is a product Microsoft describes as offering “detailed heatmaps” showing which parts of a website get the most user engagement, how far users scrolled, and the total number of clicks in any given area. This is valuable commercial intelligence. Corporations pay for this kind of data because it helps them optimize their sales funnels. The person generating the data gets nothing. They are not informed. They are not asked.

She Took Microsoft to Court. The Court Sided With the Surveillance.

In September 2022, Ashley Popa filed a lawsuit in federal court, representing herself and a proposed class of everyone who had visited petsuppliesplus.com. She sued under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA), which makes it illegal to intercept electronic communications without consent. She also claimed invasion of privacy through “intrusion upon seclusion.” Both defendants were PSP Group LLC, which operates the pet supply website, and Microsoft, which built and operates Clarity.

The case bounced from Pennsylvania to Washington state. Then, in 2023, both defendants moved to have the case thrown out. The district court agreed with the defendants. It ruled Popa had failed to establish “Article III standing,” which is the legal requirement that you demonstrate a specific, concrete injury before a federal court will hear your case. The court said the data Clarity collected “reveals nothing more than the products that interested Popa” and was “not the type of private information that the law has historically protected.”

Popa appealed to the Ninth Circuit. While the appeal was pending, PSP Group LLC filed for bankruptcy and the case against them was eventually dropped. Microsoft was the last defendant standing. On August 26, 2025, the Ninth Circuit affirmed the dismissal, ruling that Popa’s injury was not “concrete” enough for federal court under the Supreme Court’s current standing doctrine.

The Corporations Who Showed Up to Defend Microsoft

This was not a quiet legal dispute. Industry heavyweights filed formal briefs as “amici curiae” (friends of the court) in support of Microsoft’s position. The list of organizations that showed up to argue against Popa’s right to sue includes the U.S. Chamber of Commerce, the Retail Litigation Center, the Washington Legal Foundation, NetChoice LLC, and the Interactive Advertising Bureau. These are the lobbying arms and legal defense funds of the retail and tech industries. Their presence in this case tells you everything about what is at stake commercially. Losing would have exposed hundreds of corporations using similar surveillance technology to mass liability.

The Non-Financial Ledger: What You Can’t Put a Price On

The court treated Ashley Popa’s experience as legally trivial. The opinion literally compared what Microsoft did to “a store clerk’s observing shoppers in order to identify aisles that are particularly popular.” But that comparison erases something fundamental about what actually happened. A store clerk sees you walk past a shelf. They do not record every millimeter your eyes traveled, log what you hesitated over, timestamp your uncertainty, and sell a behavioral analysis of your shopping psychology to a third party. Those are categorically different things, and collapsing them into the same metaphor is a rhetorical gift to surveillance capitalism.

Popa was not warned. The website did not tell her that a Microsoft product was embedded in its code, recording her session in real time. She had no opportunity to consent, opt out, or even know the surveillance was happening. That is the feature, not the bug. Session-replay technology works precisely because users do not know it is there. The entire business model depends on the absence of informed consent. When courts rule that this does not constitute a “concrete” harm, they are ruling that the systematic removal of your ability to make an informed choice about your own data is legally acceptable.

The complaint describes Popa browsing for pet supplies, hovering over products, clicking around, and eventually entering her delivery address. Every one of those actions was captured and transmitted to Microsoft’s servers, organized, categorized, and made available for commercial analysis. She was not a user. She was a data point. Her curiosity about a bag of dog food became a behavioral signal in a corporate dataset she will never see and cannot access. The court found this unremarkable. That determination says far more about whose interests the legal system prioritizes than it does about the actual nature of the harm.

The ruling also carries a message for every person who has ever typed something into a website and assumed it was private. The court acknowledged that Clarity’s “relaxed” setting captures everything a user types, with zero masking, and that the default “balanced” setting masks only passwords and credit card fields. Everything else, including search terms, personal notes typed into comment fields, address details, and product inquiries, flows to Microsoft unless someone has specifically coded an exception. The court held that Popa could not prove this caused her sufficient harm. But the harm is structural: an entire architecture of surveillance operates across the commercial internet, and the legal system has now signaled it will not intervene unless you can document damage in terms so specific that most people will never meet the threshold.

Legal Receipts: What the Court Actually Said

These are direct quotes from the Ninth Circuit’s opinion. Read them slowly. The court is explaining, in its own words, why your digital privacy does not qualify for legal protection under the current framework.

“The monitoring of Popa’s interactions with PSP’s website seems most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.” Ninth Circuit Opinion, Popa v. Microsoft Corp. (Aug. 26, 2025)

“The court observed that the information allegedly collected by defendants ‘reveals nothing more than the products that interested . . . Popa and thus is not the type of private information that the law has historically protected.'” District Court ruling, quoted and affirmed by the Ninth Circuit

“Popa does not explain how the tracking of her interactions with the PSP website caused her to experience any kind of harm that is remotely similar to the ‘highly offensive’ interferences or disclosures that were actionable at common law.” Ninth Circuit Opinion, Popa v. Microsoft Corp. (Aug. 26, 2025)

“At most, Popa alleges that Clarity gathered her pet-store preferences and her street name. To the extent Microsoft’s tracking software could be offensive in particular circumstances (e.g., involving sensitive medical or financial information), Popa does not plausibly allege the infringement of any such privacy interest.” Ninth Circuit Opinion, Popa v. Microsoft Corp. (Aug. 26, 2025)

“Clarity organizes the information it captures into over 30 different categories including: the date a user visited the website, the device the user accessed the website on, the type of browser the user accessed the website on, the operating system of the device used to access the website, the country where the user accessed the website from, a user’s mouse movements, a user’s screen swipes, text inputted by the user on the website, and how far down a webpage a user scrolls.” Amended Complaint, quoted in Ninth Circuit Opinion, Popa v. Microsoft Corp. (Aug. 26, 2025)

Societal Impact Mapping: Who Else Gets Hurt

Economic Inequality: The Surveillance Tax on Being Poor and Online

Corporate surveillance technology like Microsoft Clarity extracts economic value from users without compensating them. Popa’s shopping behavior, her hesitations, her browsing patterns, and her purchase intent all became commercially useful data. Microsoft and PSP Group benefited from that data. Popa received nothing. This is the core transaction of surveillance capitalism: you provide labor (your attention, your behavioral data), and the corporation collects the profit.

The ruling solidifies a two-tiered information economy. Corporations with legal teams, lobbying arms, and industry coalitions successfully argued in court that this arrangement is legally acceptable. Popa, an individual consumer represented by a plaintiffs’ law firm, could not overcome the standing barrier that the Supreme Court and Congress have built around corporate data practices. The people most likely to be harmed by invisible surveillance are the same people least likely to have the legal resources to fight it. That is not a coincidence. That is the architecture of the system.

The amici in this case underscore the economic stakes. The Chamber of Commerce, the Retail Litigation Center, and the Interactive Advertising Bureau represent trillions of dollars in combined commercial interests. They filed briefs because a ruling against Microsoft would have created liability exposure for every retailer and tech platform using session-replay technology. The court’s ruling protects that economic infrastructure. The cost of that protection falls on users who never got to vote on the deal.

Public Health: When “Balanced” Masking Isn’t Enough

The court acknowledged that Clarity’s potential for harm increases when the data collected involves “sensitive medical or financial information.” The opinion explicitly noted this as a hypothetical: “To the extent Microsoft’s tracking software could be offensive in particular circumstances (e.g., involving sensitive medical or financial information), Popa does not plausibly allege the infringement of any such privacy interest.” But Microsoft Clarity is not deployed only on pet supply stores. It is a tool available to any website operator.

Clarity’s “relaxed” setting captures every character a user types with zero masking. The “balanced” setting masks only passwords and credit card numbers. Health-related search queries, symptom descriptions, medication names, and personal communications typed into website forms on health-adjacent retail sites are not automatically masked. Under the balanced default, a user typing their symptoms into a pharmacy website’s contact form, or searching for a specific medical device on a retailer’s site, generates data that flows to Microsoft. The court’s ruling establishes that this, too, does not meet the threshold for a “concrete” legal harm.

The ruling does not create a carve-out for medical or financial data. It creates a framework in which the burden falls entirely on the individual to prove that the specific data captured in their specific session was sensitive enough to qualify. Most people do not know what data was captured. They cannot access it. They cannot audit it. The legal system has now confirmed that this informational asymmetry does not, by itself, constitute an actionable injury. For people who use the internet to research health conditions, financial hardship, domestic situations, or any other genuinely sensitive personal concern, that is a meaningful and ongoing risk.

The “Cost of a Life” Metric: What Microsoft Keeps

What Now? Here’s What You Can Actually Do.

The court did not rule that session-replay surveillance is good. It ruled that you personally cannot sue about it without proving a specific, documented, legally recognized harm. That is a much narrower ruling than “this is fine.” It means the fight moves to legislatures, regulatory agencies, and the streets.

Corporate Roles Still In Play

• Microsoft Corporation: Owner and operator of Clarity, the surveillance tool at the center of this case. Still actively deployed across thousands of commercial websites.
• PSP Group LLC (Petsuppliesplus.com): The website operator that embedded Clarity into its site. Filed for bankruptcy during the case. The surveillance tool was still running when it did.
• U.S. Chamber of Commerce: Filed a brief defending Microsoft’s surveillance practices. Represents corporate interests in nearly every major digital privacy legal battle.
• Retail Litigation Center Inc.: Filed a brief defending Microsoft. Exists specifically to fight consumer protection lawsuits on behalf of the retail industry.
• Interactive Advertising Bureau: Filed a brief defending Microsoft. Represents the digital advertising industry’s financial stake in unrestricted behavioral data collection.
• NetChoice LLC: Filed a brief defending Microsoft. A tech industry lobby group that consistently opposes digital privacy regulation.

Regulatory Watchlist

• Federal Trade Commission (FTC): Has authority over deceptive trade practices. Undisclosed session-replay surveillance is a potential target for enforcement action.
• State Attorneys General: Several states have stronger privacy laws than federal standards. Pennsylvania’s WESCA, which Popa sued under, is one example. Your state AG may have more tools than a federal court.
• U.S. Congress: A federal comprehensive privacy law, similar to Europe’s GDPR, would change the legal standing calculus entirely. The absence of such a law is a legislative choice, not an accident.
• State Legislatures: California, Virginia, Colorado, and others have passed consumer privacy laws. Pressure your state to pass or strengthen digital privacy protections that create explicit private rights of action.

Install a browser extension that blocks tracking scripts. Use uBlock Origin or similar tools to prevent session-replay JavaScript from loading in your browser in the first place. Support organizations like the Electronic Frontier Foundation (EFF) and EPIC (Electronic Privacy Information Center) that litigate and lobby for digital rights. Talk to your neighbors about this. The legal system just told the surveillance industry it can keep watching you. The only answer is collective, organized, ungovernable refusal to let that stand quietly.