Third Party’s Collection of Website Visitor Data Not Considered “Intercepted” Under New Pennsylvania WESCA Ruling
By Anokhy Desai
A few weeks ago, U.S. District Judge William Stickman IV of the Western District of Pennsylvania held that there was no interception of communication per the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) when a third-party company collected data from a user’s browser as she visited another website, writing that the issues in the case “undoubtedly have the potential to broadly impact the manners and methods by which individuals and entities collect and transmit information across web platforms in Pennsylvania.”
In 2018, Ashley Popa searched through the gift website Harriet Carter, added some items in her cart, and provided the site with her email address. Popa alleged that Harriet Carter retained Navistone, an advertising and analytics group that allows companies to reach their site visitors through “direct mail,” in order to unlawfully, automatically, and secretly “spy on, and intercept, Harriet Carter’s website visitors[‘] electronic communications,” putting both companies in violation of WESCA.
While Popa claims Navistone’s code intercepts communications between her computer and Harriet Carter’s, Carter and Navistone argued that there wasn’t an interception because communications occurred separately between two parties at a time, with no third party necessarily eavesdropping. Any communication between Harriet Carter’s servers and Popa’s computer were separate from the line of communication between Navistone and Carter, and Navistone and Popa.
Several other Pennsylvania cases have historically interpreted “interception” narrowly. In Commonwealth v. DiSilvio, the Superior Court held that there was no WESCA interception when officers forced entry into a bookkeeper’s home, picked up ringing telephones, and “receiv[ed] communication directly over [the phone]” because they “were in fact themselves parties to the call.” In Commonwealth v. Proetto, the Superior Court held that when a detective posed as a minor online and collected the chat log between the fictional minor and a predator, there was no interception of information because the detective was a direct party to the communication. In Commonwealth v. Cruttenden, the state Supreme Court held that an interception does not take place when an individual is a direct party to a communication, even if the person, in this case an officer, reveals their true identity. For a more direct comparison of electronic communication interception, the Court reviewed In re Google, in which the Third Circuit held that there was no interception because users’ web browsers and third-party advertising companies’ servers were communicating directly through both GET requests and the third-parties’ cookies placed on the user’s browser. In all of these cases, there was no interception because party A communicated directly with party B, even if party A did not intend to provide those communications.
The Court held that there was no interception per 18 Pa. C.S. §5703 in this scenario because, like in DiSilvio, Proetto, Cruttenden, and In re Google, all the parties involved were direct parties to the communications. It further held that even if there was an interception, the communications were outside the scope of WESCA because they were received by Navistone’s servers outside of Pennsylvania.
What this Means for Businesses
For now, this outcome means businesses who either provide analytics or purchase such a service in Pennsylvania can continue business as usual. The issue that was not considered in this case was the misunderstanding about consent; it is implied that Popa did not know that third-party analytics companies hired by a primary company must collect user data and site activity on the primary company’s website in order to provide usable data for the primary company to act on and better sell their goods or services, and that primary companies disclose this data collection through cookie banners. Thanks to privacy bills like the California Consumer Privacy Act (CCPA), sites are making cookie consent banners more visible and user-friendly, and are occasionally allowing users to deselect cookies they prefer not to opt into. While this decreases the amount of information sent from the user’s browser to the primary company’s third-party analytics service, it does not eliminate it. Businesses using third-party advertising and analytics services can take steps to avoid similar litigation by writing their data collection and cookie policies in plain language, clarifying what users are consenting to, by making those policies clear and conspicuous, and by allowing users to opt out of any cookies that are not necessary for their sites to function.
Anokhy Desai is a law student at the University of Pittsburgh School of Law with an expected graduation in May 2022.