Consumer privacy litigation based on websites is skyrocketing. This is due to two appellate court decisions involving whether a website’s use of third-party technology can be an unlawful wiretap or eavesdropping under state law. The critical issue is how to treat third-party technology a website operator uses to enhance the consumer experience— like session replay, keystroking, or chatbot technology.
Courts consider whether the third-party technology provider is (a) a direct party to any communications or interactions by the consumer, (b) simply a tool used by the website operator, or (c) a third party that unlawfully intercepts such communications when not disclosed to the consumer. Courts addressing are reaching opposing and divergent decisions, often on the same claims and technology, leading to uncertainty for companies.
Fueled by the potential for statutory damages that can reach $5,000 per violation, plaintiffs have seized on the opening provided by the appellate courts, filing dozens of consumer class actions, predominantly in California.
Given recent developments making its statute more plaintiff-friendly, Massachusetts may be developing into a prominent secondary forum.
The targets of these lawsuits are companies in consumer-facing industries. Clothing retailers, tire companies, financial institutions, and online jewelry retailers have all been targets. Until there is clarity on the law, companies should learn the risks presented by these lawsuits and take steps to reduce their profile as potential targets.
This new privacy litigation follows two decisions from federal appellate courts.
The Ninth Circuit held that consent to a website session recording technology cannot apply retroactively. The plaintiff alleged an unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA). The district court granted summary judgment because the consumer agreed to the website’s terms of use when completing an online submission form. The Ninth Circuit overturned, holding that the recording began as soon as the consumer visited the website, so consent to that recording could not be captured later, after the fact.
The Third Circuit held that a party to a conversation could be liable for its own “interception” of (eavesdropping on) that conversation, violating Pennsylvania’s Wiretapping and Electronic Surveillance Control Act. The company used a third-party technology to track consumer interaction with its website. The plaintiff said this was an unlawful wiretap and interception. In overturning summary judgment for defendants, the Third Circuit relied on a change in the law from a decade earlier by the Pennsylvania Legislature to hold that there was no longer a party exception to the statute’s consent requirement for an interception, meaning that a website provider could be held liable for intercepting a communication where it is a party.
Plaintiffs seek to repurpose decades-old state wiretapping and eavesdropping statutes passed during the Cold War era to generate claims arising from 21st-century internet and website technologies intended to aid companies in enhancing the consumer experience. A plaintiff in Maryland sued a restaurant chain, alleging violations of the Maryland Wiretapping and Electronic Surveillance Act based on collecting her communications with the chain’s website using session replay technology.
Class action litigation has surged the most in California. Plaintiffs have been emboldened by recent successes from claims asserted under CIPA and courts’ continued inconsistent application of this law to modern-day technology. The result is a class of repeat professional plaintiff testers who deliberately seek out allegedly noncompliant websites for purposes of sending settlement demand letters under the threat of filing class action lawsuits.
While courts struggle to apply CIPA and other state laws, and with no relief from appellate courts, the best strategy is obtaining consent and robust disclosures.
Massachusetts – Potentially Broader than CIPA
Plaintiffs seeking to reimagine CIPA have taken the same playbook to Massachusetts, targeting the Massachusetts Wiretap Act. The Massachusetts Wiretap Act prohibits (1) willful interception, (2) attempt to commit an interception, and (3) procuring any other person to commit an interception or to attempt to commit an interception of any wire or oral communication. Interception means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through any intercepting device. Contents means any information concerning the identity of the parties to wire or oral communication or the existence, contents, substance, purport, or meaning of that communication. An intercepting device is any device or apparatus that is capable of transmitting, receiving, amplifying, or recording a wire or oral communication other than any telephone or telegraph instrument, equipment, or component thereof (a) furnished to a subscriber or user by a communications common carrier in the ordinary course of business under its tariff and being used by the subscriber or user in the ordinary course of business; or (b) being used by a communications common carrier in the ordinary course of its business.
In a pending case, the plaintiff said a grocery store chain violated the Massachusetts Wiretap Act by using session replay to record mouse movements, clicks, keystrokes, URLs of web pages visited, and other electronic communications. The Superior Court denied a motion to dismiss. The court rejected the defendant’s arguments (1) that the statute does not apply to internet-based communications, (2) that any recording did not capture the “contents” of communication with the plaintiff, and (3) that session replay is not an intercepting device. First, the court rejected the argument that the Act did not cover internet-based communications. The court analogized to California cases because no Massachusetts decision was on point. It concluded that Internet-based interactions fall under the Massachusetts Wiretap Act.
Second, the court rejected the argument that keystrokes, clicks, mouse movements, URLs, and other data allegedly recorded by session replay technology are not content under the Massachusetts Act. It held that the Massachusetts Wiretap Act’s definition of content was broader than CIPA and the federal Wiretap Act. The court reached this conclusion because the Massachusetts definition of content includes information concerning the identity of the parties and the existence of that communication.
The implications of such a broad interpretation of content under the Massachusetts Wiretap Act have yet to be fully realized.
The court also held that session replay technology was an intercepting device under the statute. The court held that session replay was closer to a key logger, which another court from 2011 had held was an intercepting device. The court refused to read the exceptions for telephone or telegraph instrument, equipment, or component thereof to apply to software.
Federal court defendants have been successful at fending off the use of the Massachusetts Wiretap Act through a lack of personal jurisdiction defense. The District of Massachusetts has been unwilling to assert jurisdiction over these defendants because all of the activities giving rise to the dispute all took place outside Massachusetts. Consequently, the potential breadth of the Massachusetts Wiretap Act, for now, appears limited to in-state technology providers.
How Companies Can Protect Themselves
For now, this split among California courts and continued uncertainty in interpreting CIPA means peril for companies operating consumer-facing websites. Companies should be aware of the wide-ranging implications these decisions have. A proper compliance and defense strategy is critical to mitigating the risk of protracted litigation.
Companies should consider beginning each unique chat with a disclosure to consumers that the chat is being recorded using a third-party service. Until further clarity in the law, companies should consider pop-up disclosures informing users that their interactions are monitored and recorded when using keystroking, session replay, and similar technologies. While this may eventually prove unnecessary, it can help avoid the immense cost of litigation.
Companies operating websites in Massachusetts, particularly those based in the state, should be aware of the potentially expansive definition of contents under the Massachusetts Wiretap Act, holding that session replay technology is an intercepting device.