Pitfalls of Keystroke Recording in Light of Pennsylvania’s Wiretap Statute

By Lauren E. Kirchner, Firstrust Bank


Businesses across Pennsylvania, and indeed outside of it, would do well to stay apprised of recent litigation filed against two companies under the Pennsylvania Wiretapping and Electronic Surveillance Control Act of 1978 (“WESCA”) (18 Pa. C.S.A. §§ 5701 et seq.). In Popa v. Harriet Carter Gifts, Inc. et al. (1), the Plaintiff alleges that an online merchant and a data collection company intercepted her data while she shopped online, in violation of WESCA. As Popa clicked links, used the search function, and tabbed through form fields on the merchant’s website (arguably the techy equivalent of browsing the racks at a department store), her browser simultaneously communicated with two entities: the online merchant and a third-party marketing service. The merchant’s HTML code included JavaScript that told Popa’s browser to send a GET request (2) to the marketing service’s server in Virginia (3). That server responded with its own code, which Popa’s browser ran, allowing two things to happen. First, the code placed cookies in Popa’s browser so that her activity on the webpage had an associated visitor ID. Second, the code told Popa’s browser to begin sending information, including her name, residential address, email address, and every keystroke and mouse click, to the marketing service as Popa navigated the merchant’s website. The marketing service could later use this information to identify which of the merchant’s customers might be receptive to promotional mailings.
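The mechanism described above turns on a single embedded third-party script tag. As an added illustration, not part of the original article or of any party's code, the following Node.js script shows how a site operator can inventory the third-party script hosts a page embeds and compare them against the hosts its privacy policy actually names, so that the disclosure matches what the browser is really told to do. The sample markup, the first-party origin `shop.example`, the hosts `cdn.example-cdn.net` and `tracker.example-marketing.net`, and the disclosed-host list are constructed placeholders, not the merchant's or marketing service's real details.

```javascript
// Inventory of third-party script sources on a page, compared with the
// third parties a privacy policy discloses. Added example; every host and
// line of markup below is a constructed placeholder, not a party in Popa.

// Extract the src attribute of every <script ...> tag (double-quoted,
// single-quoted or unquoted). A regex is enough for auditing static markup;
// a full audit would also cover scripts injected at runtime.
function extractScriptSources(html) {
  const tagRe = /<script\b[^>]*(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const sources = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve each src against the page URL and keep only hosts that differ
// from the first party. Protocol-relative "//host/path" sources resolve to
// the page's scheme, so they are counted like any other cross-origin load.
function thirdPartyHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const hosts = new Set();
  for (const src of extractScriptSources(html)) {
    let u;
    try { u = new URL(src, page); } catch { continue; } // skip malformed src
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue; // data:, blob:, etc.
    if (u.hostname !== page.hostname) hosts.add(u.hostname);
  }
  return [...hosts].sort();
}

// Compare embedded third parties against the hosts the privacy policy names.
// Any host present in the markup but absent from the disclosure list is a
// gap the business must close, either by disclosing it or by removing it.
function undisclosedThirdParties(html, pageUrl, disclosedHosts) {
  const disclosed = new Set(disclosedHosts.map(h => h.toLowerCase()));
  return thirdPartyHosts(html, pageUrl).filter(h => !disclosed.has(h));
}

// Constructed sample page: one first-party script, one CDN script the policy
// discloses, and one marketing script the policy does not mention.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src='https://cdn.example-cdn.net/lib.js'></script>
<script async src=//tracker.example-marketing.net/collect.js></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

const SAMPLE_PAGE_URL = 'https://shop.example/checkout';
const SAMPLE_DISCLOSED = ['cdn.example-cdn.net'];

console.log('third-party script hosts:',
  thirdPartyHosts(SAMPLE_HTML, SAMPLE_PAGE_URL));
console.log('embedded but not named in the privacy policy:',
  undisclosedThirdParties(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_DISCLOSED));
```

Run it with `node` against exported markup from a staging build; the second list is the set of recipients the policy would have to name before the all-party consent argument discussed later in this article is even available.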


Popa alleged invasion of privacy—intrusion upon seclusion, which was dismissed by the trial court, and violation of WESCA against both the merchant and the marketing service. WESCA prohibits the intentional interception of any wire, electronic, or oral communication (4) and offers a private right of action to individuals whose communications have been intercepted (5). As used in the statute, “interception” means the “[a]ural or other acquisition of the contents of any wire, electronic or oral communication through the use of any” device or apparatus, including, but not limited to, an induction coil or a telecommunication identification interception device, that can be used to intercept a wire, electronic or oral communication, other than certain enumerated exceptions not applicable here (6). It is worth noting that on appeal to the United States Court of Appeals for the Third Circuit the Defendants did not argue that the JavaScript was not a device; thus, the Court assumed for purposes of its Opinion that the code was a routing “device” under WESCA. The Third Circuit, however, remanded to the trial court to determine the factual question of whether the interception by the marketing service occurred in Pennsylvania (Popa’s location) or in Virginia (the location of the marketing service’s servers). If the trial court determines that the interception occurred in Pennsylvania, notwithstanding that the marketing service’s servers are outside of Pennsylvania, then, pending any appeals, even businesses located outside of the state will be subject to WESCA if they “intercept” communications in Pennsylvania.


On appeal, Defendants argued that Popa impliedly consented to the interception of her communications, thereby satisfying the all-party consent exception, because the merchant included a privacy policy on its website. In this case, the privacy policy was a “browserwrap” agreement, which provides the website’s terms of use but does not require affirmative consent. This differs from a “clickwrap” agreement, which requires users to click on an “I agree” box after being presented with terms and conditions. The trial court indicated that browserwrap agreements consistently are enforced when users have actual knowledge, and the Third Circuit confirmed that Pennsylvania does not require actual knowledge in order to give prior consent. Popa’s issue with the privacy statement, however, was that it never explicitly stated that user personally identifiable information was being collected in real time by embedded code of a third-party marketing service. The Third Circuit remanded to the trial court to determine whether the merchant’s privacy policy sufficiently alerted Popa that her communications were being sent to a third party.


There are several facts in this case that likely will determine the trial court’s findings and thus inform businesses’ best practices going forward, including record retention practices, privacy policy language, and affirmative consent. First, the parties dispute the existence and language of the privacy policy at the time of the alleged interception. Although the merchant’s witness attested in a declaration that the privacy policy was on the merchant’s website at the relevant period, the witness later testified in a deposition that he could not provide the privacy policy as it existed at the time. This demonstrates the importance of record retention. Even assuming that the merchant’s privacy policy as posted on its website at the relevant time clearly and unequivocally disclosed that a third party would receive communications such as name, address, email address, mouse clicks, etc., the merchant will have difficulty asserting the “all party consent” defense if it cannot produce a copy of the policy. Second, the parties dispute whether the policy disclosed that a third party was receiving Popa’s communications. Businesses should be certain that their privacy policies are clear and unambiguous about what information the business collects and with whom the business will share it. If the trial court finds that the merchant’s privacy policy did not clearly indicate that a third party was receiving Popa’s data, it is likely that the court will hold that Popa could not have consented to the collection. Third, the privacy policy at issue in this case was a browserwrap agreement. Businesses should consider providing such disclosures in a clickwrap, rather than a browserwrap, agreement to avoid allegations such as the one at issue in this case. While we all know that very few people actually read terms and conditions in their entirety before clicking “I agree” (except for us lawyers, of course), adding that speed bump and preventing a user from continuing without indicating their affirmative consent can provide another layer of protection for businesses.


Lastly, the reason for the third-party marketing service’s interception of data was to use such data to identify which of the merchant’s customers might be receptive to promotional mailings. While WESCA does not address the interceptor’s reason for acquiring or disclosing a communication, except in the context of law enforcement and other situations not applicable here (7), it will be interesting to see whether courts distinguish between the purposes of the data collection and grant more deference to collection for quality control purposes as opposed to marketing.


Footnotes:

  1. In addition to the Popa case, two more complaints alleging violations of WESCA under similar circumstances have been filed in the United States District Court for the Eastern District of Pennsylvania as of the date of this publication.
  2. A GET request is an HTTP, or hypertext transfer protocol, method to retrieve and transmit data over the web. The requester of the data sends a request to a server asking for certain information. The server processes the request and sends the requested information over the web. Think of logging in to your online banking portal. Your browser sends a request to the bank’s server asking for account information, and the server provides the requested information (e.g. account balances, transaction data, etc.).
  3. The trial court stated that the servers were in Ohio. Subsequent briefs filed by the parties and the Opinion of the United States Court of Appeals for the Third Circuit clarify that while the marketing service provider is headquartered in Ohio, its servers are in Virginia.
  4. 18 Pa.C.S.A. § 5703(1).
  5. 18 Pa.C.S.A. § 5725(a).
  6. 18 Pa.C.S.A. §§ 5702, 5704(15).
  7. WESCA provides for penalties for unlawful access to stored communications, with higher fines where the offense is committed for commercial advantage, but it does not appear that Popa raised this section of WESCA in her pleadings, and neither court addressed this section in their respective opinions.


Lauren E. Kirchner is associate counsel at Firstrust Bank in Conshohocken.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

