At least 15 states require mutual consent to any recording, meaning the interception is “unauthorized” if the intercepting party has not obtained the consent of all parties to the communication.
A new wave of class action lawsuits filed in California, Pennsylvania and Florida target companies that use technologies to track user activity on their websites, alleging such practices, when done without obtaining a user’s consent, violate electronic interception provisions of various state laws. The two technologies at issue are: 1) session replay software and 2) coding tools embedded in chat features. Session replay software tracks a user’s interactions with the website—their clicking, scrolling, swiping, hovering and typing—and creates a stylized recording of those interactions and inputs. Coding tools create and store transcripts of the conversations users have in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.
State Wiretapping Statutes
Plaintiffs ground their claims in the electronic interception provisions of state laws—for example, the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act and the Florida Security of Communications Act. Generally, these wiretap statutes prohibit the unauthorized interception or disclosure of communications transmitted electronically. At least 15 states require mutual consent to any recording, meaning the interception is “unauthorized” if the intercepting party has not obtained the consent of all parties to the communication. It is in these two-party consent states that the plaintiffs behind this new litigation trend allege that a company’s recording or storing their interactions with a website (e.g., their clicks, scrolls and chat inputs) and sending those recordings to a third party for analysis without their prior consent is illegal.
Recent Decisions from the Ninth and Third Circuits
Recent decisions from the Ninth and Third Circuits are fueling the swell of lawsuits alleging violations of state wiretap statutes. In May, the Ninth Circuit held in Javier v. Assurance IQ, LLC that the California Invasion of Privacy Act requires prior consent, and explicitly rejected the argument that this wiretap statute allows a business to obtain consent to the use of session replay software after the recording has already begun. However, the Ninth Circuit did not comment on what would amount to effective consent to the websites’ use of session reply software under the wiretap statute.
A few months later, the Third Circuit in Popa v. Harriet Carter Gifts ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a pet product and her interactions on that site were recorded and transmitted to a third-party marketing firm. The Third Circuit further concluded that the location of the interception was the plaintiff’s browser, rejecting the defendants’ argument that the wiretap statute did not apply because the third-party marketing firm’s servers—where the information was sent—were located in Virginia. Thus, if other circuits follow the Third Circuit’s approach, companies could be subject to liability under a state wiretap statute each time a user accesses their website from that state.
The Risks Posed by the Lawsuits
This new wave of suits alleging wiretap violations threatens to subject businesses to a substantial amount in penalties. Fines range from $1,000 to $50,000 per violation, depending on the state. Since a violation arguably occurs every time a user accesses a website in one of these states, the amount of penalties to which a company may be subject can balloon quickly. For example, in each of the three lawsuits brought thus far in Pennsylvania, the class consisted of allegedly more than 5,000 plaintiffs.
What Safeguards Businesses Can Employ
Companies can employ several proactive measures to protect them from exposure to a class action lawsuit or potentially incurring fines under state wiretap statutes.
- Companies should ensure that the disclosure of those terms is conspicuous enough to make users’ consent to them enforceable. Given that there is not yet a clear standard as to what constitutes enforceable consent to the use of these technologies, obtaining affirmative consent from website users before starting any recordings or chat transcriptions may be the strongest safeguard against lawsuits alleging violations of state wiretap statutes.
- Additionally, companies can negotiate for indemnification rights when selecting a provider of the software that tracks users’ website interactions.
- Second, companies should seek counsel to consider what defenses exist under the relevant statutes. The case law in this area is still developing, and each state wiretapping statute provides a set of defenses, from showing that a user expressly or impliedly consented to the use of the technology, to establishing that the party accused of intercepting or disclosing an electronic communication was a direct party to the communication.
About Duane Morris
Duane Morris attorneys assist clients both in implementing safeguards that will prevent them from facing a lawsuit alleging a wiretapping violation and in defending any wiretapping lawsuit brought against them.
For More Information
If you have any questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Trial Practice Group or the attorney in the firm with whom you are regularly in contact.
 California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.