In recent months there has been a wave of class action litigation asserting novel claims under state wiretap laws against website operators that use session replay software and chatbots on consumer websites. Although these are commonplace technologies used by many commercial websites, the recent lawsuits allege that website operators are violating state wiretap laws by recording users’ interactions with websites without users’ consent. State wiretapping laws often include statutory damages per violation, and the potential exposure for a certified class action could therefore be significant.
While this is not the first wave of session replay litigation, this latest wave is driven by two recent federal circuit court decisions — Javier v. Assurance IQ from the Ninth Circuit and Popa v. Harriet Carter Gifts from the Third Circuit. In Javier, the Ninth Circuit considered whether consent obtained after a user had already begun interacting with a website could defeat a wiretap claim under the California Invasion of Privacy Act (CIPA). Reversing the lower court, the Ninth Circuit concluded that CIPA requires prior consent in order to record a website user’s communications.[1]
In Popa, the Third Circuit considered whether a marketing software provider was exempt from liability under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) because it was a direct recipient of a simultaneous communication sent whenever the user interacted with the website where the software was installed. The Third Circuit held that the WESCA does not contain a broad party exception that exempts a party to a communication from potential wiretapping liability when recording their own communications.[2]
In contrast to the Third Circuit decision, decisions from California and Florida courts have rejected wiretap claims based on session replay technology. For example, Covington guided its client FullStory to favorable decisions in the Northern District of California by arguing that FullStory was merely a service provider that acted as an extension of the website operator, which was a party to the communication and thus could record the communication consistent with CIPA’s party exception.[3]
Courts in Florida have also dismissed a series of session replay wiretapping cases brought under the Florida Security of Communications Act (FSCA). In Jacome v. Spirit Airlines, a Florida state trial court held that the FSCA, and the Federal Wiretap Act on which it is modeled, does not extend to the commonplace use of analytics software on websites.[4] Federal district courts in Florida have adopted this reasoning and dismissed numerous session replay cases.[5] Because of these decisions in California and Florida, plaintiffs’ attorneys have shifted focus to other all-party consent jurisdictions such as Pennsylvania, Washington, and Massachusetts.
There are additional legal arguments for defending these claims, which also are highly fact-specific, dependent on the technology at issue and disclosures made to website users.
If you have any questions concerning the material discussed in this client alert, please contact the members of our Data Privacy and Cybersecurity and Litigation practice groups.
[1] Javier v. Assurance IQ, LLC, 2022 WL 1744107 at *2 (9th Cir. May 31, 2022).
[2] Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 129 (3rd Cir. 2022).
[3] Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832–33 (N.D. Cal. 2021); Johnson v. Blue Nile, 2021 WL 1312771 at *3 (N.D. Cal. Apr. 8, 2021).
[4] Jacome v. Spirit Airlines, 2021 WL 3087860 at *3 (Fla. 11th Cir. Ct. June 17, 2021)
[5] Goldstein v. Luxottica of America, Inc., 2021 WL 4093295 at *2 (S.D. Fla. Aug. 23, 2021); Cardoso v. Whirlpool Corporation, 2021 WL 2820822 at *2 (S.D. Fla. July 6, 2021); Connor v. Whirlpool Corporation, 2021 WL 3076477 at *2 (S.D. Fla. July 6, 2021).
Back
