Wave of class-action lawsuits alleging wiretapping violations targets companies that track user activity on their websites
A new wave of class action lawsuits filed in California, Pennsylvania and Florida targets companies that use technology to track user activity on their websites, alleging that such practices, when carried out without obtaining the consent of user, violate the electronic interception provisions of various state laws. The two technologies involved are: 1) session replay software and 2) coding tools built into chat functionality. Session replay software tracks a user’s interactions with the website (clicking, scrolling, swiping, hovering, and typing) and creates a styled record of those interactions and inputs. Coding tools create and store transcripts of user conversations in a website’s chat function. The plaintiffs in this new class action lawsuit allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent constitutes an unlawful invasion of their privacy.
State Wiretapping Laws
The plaintiffs base their claims on the electronic interception provisions of state statutes, for example, the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act. Generally, these wiretap laws prohibit the unauthorized interception or disclosure of electronically transmitted communications. At least 15 states require mutual consent for any recording, which means the interception is “unauthorized” if the intercepting party has not obtained consent from everything parties to the communication. It is in these states of bipartisan consent that plaintiffs driving this new litigation trend allege that a company’s recording or storage of its interactions with a website (for exampletheir clicks, scrolls and chat entries) and sending these recordings to a third party for analysis without their prior consent is illegal.
Recent Ninth and Third Circuit Rulings
Recent rulings from the Ninth and Third Circuits are fueling the wave of lawsuits alleging violations of state wiretap laws. In May, the Ninth Circuit was held at Javier v Insurance IQ, LLC that California’s invasion of privacy law requires prior consent and has explicitly rejected the argument that this wiretap law allows a company to obtain consent for the use of session replay after recording starts. However, the Ninth Circuit has not commented on what would amount to effective consent for websites to use session response software under the wiretap law.
A few months later, the third circuit of Popa Gifts vs. Harriet Carter ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a pet product and her interactions on that site were recorded and forwarded to a company third-party marketing. The Third Circuit further found that the location of the interception was the plaintiff’s browser, rejecting the defendants’ argument that the wiretap law did not apply because the third-party marketing company’s servers – where the information was sent – were located in Virginia. Thus, if other circuits follow the approach of the third circuit, companies could be held liable under a state wiretap law whenever a user accesses their website from that state.
The risks posed by lawsuits
This new wave of lawsuits alleging wiretap violations threatens to subject the companies to a substantial amount of penalties. Fines range from $1,000 to $50,000 per offense, depending on the state. Since a violation arguably occurs every time a user accesses a website in one of these states, the amount of penalties a business can face can skyrocket quickly. For example, in each of the three lawsuits filed so far in Pennsylvania, the class allegedly consisted of more than 5,000 plaintiffs.
What guarantees can companies use?
Companies can use several proactive measures to protect them from exposure to a class action lawsuit or potential fines under state wiretapping laws.
- First, because user consent is a defense under state wiretap laws, companies should review the terms of service and privacy policies of their websites and determine whether they provide substantial information about how a user’s interactions with the website are recorded and shared with service providers.
- Companies should ensure that disclosure of these terms is sufficiently prominent to enforce user consent. Since there is not yet a clear standard as to what constitutes enforceable consent to the use of these technologies, obtaining affirmative consent from website users before commencing any chat recording or transcription may be the best protection against lawsuits alleging violations of state wiretap laws.
- Additionally, companies can negotiate indemnification rights when selecting a provider of software that tracks user interactions on the website.
- Second, companies should have a lawyer review what defenses exist under relevant laws. The case law in this area is still developing, and each state wiretapping law provides an array of defenses, ranging from demonstrating that a user has expressly or impliedly consented to the use of the technology, to establishing that the party charged with intercepting or disclosing an electronic communication was a direct party to the communication.