Businesses with consumer-facing websites face a bit of a legal “Wild West” when it comes to data collection these days. Most businesses collect some level of consumer or site visitor data using cookies, web beacons and/or session replay software. That data may be used for a variety of purposes, including improving the consumer experience and for advertising purposes.
However, such businesses should be aware of the growing number of class action lawsuits filed against businesses with consumer-facing websites alleging violations of state wiretapping laws. These outfits are causing many companies to pay more attention to the data they collect on their websites.
Recent class action lawsuits focus on session replay software, which is essentially the ability to replay a visitor’s journey through a website, mobile app, or web application, including what the visitor viewed, clicked, or spent time on. Basically, the software allows website operators to improve customer experience, compliance and other operational features. To this end, businesses retain session replay service providers to help them track basic user interactions, including mouse movements, keystrokes, browser data, search terms, and content viewed during website visits. The technology is relatively new, but many of the laws that plaintiffs use to bring claims against the companies in these lawsuits are very old.
Session replay software does not record users’ interactions with websites in the same way that video surveillance or audio recording does. Instead, most session replay software only receives and processes data accessible to the business through its own website and creates video-like recordings of user interactions.
Several class action lawsuits allege that the use of session replay software violates certain state anti-wiretap laws. Almost all 50 US states have some form of anti-wiretapping laws—primarily intended to prevent the recording or eavesdropping of phone calls. Approximately 13 states require “two-party” (or “all-party”) consent for recording purposes. Much of this litigation has centered on Pennsylvania, which is a “two-party” consensus state.
Accordingly, because the plaintiffs in these states did not express affirmative consent to use the session replay software or were not informed of its use, the website operators violated the state’s wiretapping and aiding and abetting laws and the session replay service provider eavesdropped on consumer communications.
Courts in most states have not yet decided whether anti-wiretap laws apply to the use of session replay software. The third district, however, Poppa and Harriet Carter Gifts, Inc. It ruled that transferring consumer information from a retailer’s website to a service provider is considered “hacking” under Pennsylvania’s Cybersecurity and Electronic Surveillance Act. Popa v. See Harriet Carter Gifts, Inc., 45 F.4th 687, 690 (3rd Cir. 2022). States such as California have taken a different approach to allegations of intentional wiretapping under California state law. Martin v. Sephora USA, Inc. Look., No. 1: 22-cv-01355-JLT-SAB, 2023 US Dist. LEXIS 55930, at *18 (ED Cal. Mar. 30, 2023). of Martin The court recommended dismissal of the differential action based on the California Invasion of Privacy Act (“CIPA”) claims. The court held that CIPA’s first and second sections, which include the intentional making of telephone calls and the intentional attempt to learn the content or meaning of a communication in a wire transfer, do not apply to direct parties to the communication. With respect to first-party or third-party liability for session replay software providers, the court agreed with Sephora, holding that “the ordinary course of business of using third-party software to facilitate customer web chats does not violate CIPA because software providers are software service providers.” It is protected by party distinction as it is considered an extension of the company and not third party eavesdroppers.
These cases suggest that litigation regarding the use of session replay software and related tracking technologies is just beginning. In fact, over the past several months, similar lawsuits have been filed against businesses for failing to obtain prior authorization or failing to report session usage by illegally tapping electronic communications from users visiting their websites using session replay technology. Replay software.
In addition to statutory claims, privacy actions are often brought as common law claims, particularly where the applicable state has not yet enacted comprehensive privacy laws, and where existing privacy laws do not provide individual rights of action. Such actions may include breach of contract, invasion of privacy, defamation, and more.
A possible answer
In short, there is no guaranteed protection against telecommuting lawsuits for businesses with consumer-facing websites that use session replay technology, but there are a number of practices that companies can employ to effectively mitigate the risk of such lawsuits being brought against them.
While neither Pennsylvania nor New Jersey currently have comprehensive data privacy laws in place, each has wiretapping and surveillance laws, which can subject businesses to liability for violating them.