The class action plaintiffs’ bar has repeatedly shown that old dogs can learn new tricks by weaponizing decades-old privacy laws for the e-commerce era.
We previously commented on their recent success leveraging a 1980s video rental privacy law to assert class actions against businesses whose websites use Facebook’s Pixel ad targeting technology. Now the plaintiffs’ bar has found success arguing that session replay technology that records a user’s activity on a company’s website violates state wiretapping statutes.
Session Replay Technology
The technology – commonly referred to as session replay – is frequently used by companies’ marketing departments to collect data on how users interact with their websites. Companies then use that data to obtain insights into how they could improve their user experience or identify customers who may be interested in certain products or promotions.
While this technology may be valuable to marketing departments, the plaintiffs’ bar alleges that the technology is often embedded in the HTML code underlying the company’s website without the user’s knowledge or consent. Further still, the technology is often deployed by third-party vendors. While the user may believe they are simply browsing the website of one of their favorite brands, their activity is actually getting routed to an unknown third-party vendor that is recording and analyzing their actions. The plaintiffs’ bar alleges that this undisclosed recording of consumers’ online activity violates wiretapping statutes.
Recent Ruling in Favor of Plaintiffs
In 2022, the plaintiffs obtained a significant victory from a federal appeals court, which agreed that the plaintiffs have a viable cause of action. In Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022), the Third Circuit held that a company’s use of a third party’s session replay technology would violate Pennsylvania’s wiretapping statute if the company failed to obtain the plaintiff’s consent to use the technology. Moreover, the Third Circuit held that Pennsylvania’s wiretapping law applied regardless of whether the company or its vendor was actually located in Pennsylvania, so long as the plaintiff accessed the company’s website from a browser located in Pennsylvania.
Notably, the Third Circuit did not definitively state that the company’s use of session replay technology did in fact violate Pennsylvania’s wiretapping statute. The appellate court noted that the statute makes an exception if the user consents to the recording, and the appellate court directed the trial court to hold an evidentiary hearing on whether the company’s online privacy policy was sufficient to create consent.
Important Differences Between State and Federal Law
It is important to note that the plaintiffs are pursuing these session replay lawsuits under state wiretapping laws. In prior years, the plaintiffs’ bar attempted to use the federal wiretapping statute to assert unlawful data collection claims against website operators and online advertisers, but many of those claims failed because the federal wiretapping statute makes an exception for parties to the electronic communication. Defendants successfully argued in many of those cases that they cannot be held liable under the federal wiretapping statute for collecting data on their own interactions with their own customers. In contrast, Pennsylvania’s wiretapping statute does not make as broad an exception in the consumer context and instead makes an exception only when all parties consent.
Third-Party Vendors
While federal law makes an exception for the parties to electronic communications, the analysis gets more complicated when companies use third-party vendors to deploy session replay technology. As an example, a federal court in California found that Nike’s direct use of session replay technology would not violate California’s wiretapping statute, but Nike’s use of an undisclosed third-party vendor who operated the technology could create liability because, from the user’s perspective, the vendor was not an intended party to the communication. See Saleh v. Nike, Inc., 562 F.Supp.3d 503 (C.D. Cal. 2021). While the court explained that Nike would not be liable if it had implemented the technology itself, the court found that the plaintiff plausibly alleged that Nike was liable for aiding and abetting the third-party vendor’s violation of the law. Id.
Takeaways
In our increasingly online economy, there is no shortage of vendors selling technology platforms to help businesses improve their e-commerce. However, the litigation over session replay technology demonstrates that companies need to fully vet the legal implications of these technologies before implementing them.
Vendors are not always forthright about these legal risks, and they may seek to negotiate contractual provisions allocating the cost of any such legal risks to the company, so companies often need to advocate for themselves in these negotiations.
If companies decide to use session replay technology, they may need to update their privacy policy to adequately disclose the technology to their customers. As noted above, the recent Third Circuit decision may ultimately hinge on whether the defendant’s privacy policy adequately disclosed its use of third-party session replay technology.
The session replay litigation also demonstrates that it is not enough to look at your home state’s laws, because e-commerce can potentially trigger the laws of your customers’ home states, which may have more stringent protections. More and more states are enacting or considering data privacy laws, but beyond those, the session replay litigation demonstrates the need to evaluate less obvious laws, like wiretapping statutes.
Octillo’s experienced team of privacy professionals routinely works with companies to evaluate data privacy concerns that may emerge as part of their technology platforms, including session replay technology. If you have any questions or concerns regarding the privacy implications of session replay or similar technology, please contact a member of our team.