By Krishna A. Jani, CIPP/US, Flaster Greenberg PC
Businesses with consumer-facing websites face a bit of a legal “Wild West” with regard to the collection of data at the moment. Most businesses collect some degree of consumer or site visitor data using cookies, web beacons, and/or session replay software. That data may be used for a variety of reasons, including to enhance consumer experience and for advertising purposes.
Such businesses should be aware, however, that there has been a recent surge of class action lawsuits alleging violations of state wiretap statutes against businesses with consumer-facing websites. These suits are causing many companies to pay closer attention to the data collected by their websites.
Recent class action lawsuits focus on session replay software, which is essentially the ability to replay a visitor’s journey on a website, within a mobile application or a web application, including what that visitor viewed, clicked on or hovered over. In essence, the software allows website operators to improve customer experience, compliance, and other operational features. To this end, businesses often retain session replay service providers to help monitor basic user interaction, including mouse movements, keystrokes, browser information, search terms and content viewed during the website visit. The technology is relatively new but many of the laws that plaintiffs are using to bring claims against companies in these suits are quite antiquated.
Session replay software does not typically record users’ interactions with websites in the same way that a video surveillance or audio recording would. Instead, most session replay software receives and processes only the data that has already been accessible to the business through its own website and creates video-like recordings of users’ interactions.
Several class action litigations allege that the use of session replay software violates certain state anti-wiretapping statutes. Almost all 50 US states have some sort of anti-wiretapping statutes—originally intended to prevent the recording of, or eavesdropping on, telephone calls. Approximately 13 states require “two-party” (or “all-party”) consent for recording purposes. Much of this litigation has focused on Pennsylvania, which is a “two-party” consent state.
Accordingly, plaintiffs in these states typically allege that because they did not express affirmative consent to the use of session replay software, or were not made aware of its use, website operators violated the applicable state’s wiretapping statute by eavesdropping and aided and abetted eavesdropping, and the session replay service provider eavesdropped on consumers’ communications.
Courts in most states have not yet determined whether or not anti-wiretapping laws apply to the use of session replay software. The Third Circuit, however, in Popa v. Harriet Carter Gifts, Inc. ruled that the transfer of consumer data from a retailer’s website to service providers was considered “interception” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act. See Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687, 690 (3d Cir. 2022). States like California have taken a different approach to allegations of intentional wiretapping under California state law. See Martin v. Sephora USA, Inc., No. 1:22-cv-01355-JLT-SAB, 2023 U.S. Dist. LEXIS 55930, at *18 (E.D. Cal. Mar. 30, 2023). The Martin court recommended dismissal of a putative diversity class action premised on California Invasion of Privacy Act (“CIPA”) claims. The Court determined that the first and second clauses of CIPA, which include intentional wiretapping and willfully attempting to learn the contents or meaning of a communication in transit over a wire, respectively, do not apply to direct parties to the communication. As for derivative or third-party liability for session replay software vendors, the Court agreed with Sephora that “the common business practice of using software from a third-party vendor to facilitate customer website chats does not violate CIPA, as the software service providers are not third-party eavesdroppers but considered to be an extension of the company itself, and therefore protected by the party exception.”
These cases suggest that litigation surrounding the use of session replay software, and related tracking technologies, is just beginning. In fact, in the past several months, similar class action lawsuits have been filed against various businesses over allegations that their websites used session replay technology to illegally tap electronic communications from users visiting their websites while failing to obtain prior consent or disclose the use of session replay software.
In addition to statutory claims, privacy actions are often brought as common law claims, particularly where the relevant state has yet to adopt a comprehensive privacy law, and where existing privacy statutes do not provide a private right of action. Such actions can include breach of contract, invasion of privacy, intrusion upon seclusion, and more.
The Potential Answer
In short, there is no guaranteed protection against wiretap lawsuits for businesses with consumer-facing websites that utilize session replay technology, but there is a myriad of practices that companies can employ to effectively mitigate the risk that such a lawsuit will be filed against them.
While neither Pennsylvania nor New Jersey currently employ comprehensive data privacy laws, each have wiretapping and surveillance statutes, which could lead to liability for businesses in violation of them.
Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups.