Privacy & Information Security Law Blog

As reported in the the Retail Industry Law Resource blog:

Plaintiff’s firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back user’s interactions on its websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which chat the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consent may be warranted.

Plaintiffs’ claims arise from the wiretapping or interception provisions of various state laws that prohibit the recording of confidential communications without the consent of all parties to the communication. California courts, for example, have experienced a surge of class action filings pursuant to the California Invasion of Privacy Act (“CIPA”). Specifically, section 631 of CIPA prohibits (1) intentional wiretapping of any telegraph or telephone wire, line, or cable; (2) willfully and without the consent of all parties attempting to learn the contents of a communication in transit; and (3) attempting to use or communicate information obtained as a result of engaging in either activity. CIPA entitles plaintiffs to $5,000 per violation. A violation arguably occurs each time a user visits a website. Thus, these penalties can grow quickly.

Further, recent case law has encouraged the Plaintiffs’ bar with favorable interpretations of these state statutes. For example, the Third Circuit recently took a narrow view of the direct-party exception defense under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, resulting in the initiation of several class actions. The direct-party exception works to exempt a party from liability pertaining to communications directly with another party. In Popa v. Harriet Carter Gifts, Inc., however, the Third Circuit held that the legislature “codified only a law-enforcement exception, thus limiting any direct-party exception to that context” and remanded the case for further consideration by the District Court, which had not reached the issue of consent. Thus, companies facing claims under the Pennsylvania statute cannot avoid liability merely by showing that plaintiff and the company were the direct parties to the communication. If successful, the Pennsylvania statute entitles plaintiffs to $100 a day for each day of violation, or $1,000, whichever is higher.

Accordingly, it is important for companies to be aware of how their website software is being utilized, what information they and their vendors are collecting from website users, and what disclosures or consents may be warranted in light of the above. User consent is consistently a defense under state wiretapping statutes. Therefore, companies should evaluate their website terms of service and privacy policies to confirm that they include sufficient and clear disclosures and/or obtain user consent depending on the type of activity taking place on company websites by the company and its service providers.