6 minute read
ACTION LAWSUITS UNDER STATE WIRETAP LAWS
Session Replay Technology Puts Websites in Crosshairs of New Wave of Class Action Lawsuits Under State Wiretap Laws
By Ashley L. Shively and William F. Farley
Plaintiffs' class action lawyers routinely seek out new liability theories to apply to existing statutes. One of the latest trends is the use of state anti-wiretap laws as a vehicle to sue retailers and software developers for the use of ubiquitous cookies, pixels and other website software that track and monitor user activity online.
WHAT THE LAWS SAY
Early wiretap cases dealt primarily with businesses' undisclosed recording or monitoring of customer service telephone calls. These new cases, by contrast, are brought under electronic interception provisions of state wiretap laws. The California Invasion of Privacy Act (CIPA), California Penal Code §§ 630 et seq., for example, imposes liability on "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within [California]…" Cal. Penal Code § 631(a). Likewise, the Florida Security of Communications Act (FSCA) prohibits any person from intentionally intercepting, or endeavoring to intercept, any wire, oral or electronic communication, or disclosing or using the contents of such communications without the consent of all parties. Fla. Stat. § 934.03(1); 934.03(2)(d).
HOW THE LAW IS BEING APPLIED TO NEW TECHNOLOGIES
Businesses that maintain a significant online presence or process a large number of retail transactions online are increasingly implementing third-party analytics tools to evaluate the efficiency and performance of their sites. The software enables retailers to better understand visitors' use of their websites and troubleshoot issues that prevent successful transactions. In other cases, the software serves a compliance function; for instance, to reduce risk and prove consent under the Telephone Consumer Protection Act (TCPA). Plaintiffs have reframed the use of this technology as a privacy violation by retailers and developers.
More than 50 putative class action suits have been filed since fall 2020 in California and Florida based on retailers' alleged use of software that captures customers' keystrokes, scrolling, mouse movements and clicks on websites in real time, thus allegedly creating a recording of users' browsing history as well as personal and financial information entered (but perhaps not submitted) on website forms. Plaintiffs claim that businesses' use of such software constitutes an interception and impermissible disclosure to a third party (i.e., the software developer) in violation of state laws. Other digital wiretap cases pending around the country involve (at least arguably) less intrusive and more commonplace website activity tools, such as the use of third-party cookies that track the pages visited or search terms entered on a business' site. These cases all represent a risk to a vast number of companies currently using such tools on their websites.
At least 15 states require consent from all parties when a communication is recorded or intercepted, including California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington. The laws protect residents of the state, regardless of where the business or, its servers, are located. Penalties can range from $1,000 to $50,000 per violation. 1 In the context of user website activity, potential risk therefore can quickly climb to hundreds of millions of dollars.
HOW ARE COURTS REACTING?
These cases turn on a variety of evolving legal issues that seem easy to apply in the context of traditional eavesdropping but awkward, if not bizarre, in the context of the internet. These issues include 1) whether clicks and the like are "communications," 2) whether the party exception to eavesdropping claims (the notion that parties to a communication cannot eavesdrop on it) applies here and to what extent and 3) whether the statute covers the technology at issue.
WHAT CAN A BUSINESS DO?
Most of the cases filed so far are still in the early stages. Nevertheless there are many lessons from call recording and other consumer class action trends that businesses can apply in this new context to protect against electronic wiretap claims and defend themselves in the event that a lawsuit is filed. For example, before implementing session replay and similar tools, businesses should substantively review and, if appropriate, negotiate vendor contracts, with particular attention to data usage restrictions on the vendor, limitations of liability, insurance coverage and contractual indemnification. Companies may also need to augment website privacy policies to provide more substantive disclosures about how user information is collected and shared with service providers. In addition, businesses may consider whether any update is needed to website terms of use, particularly arbitration, class waiver, limitation of liability, choice of law and venue provisions, which serve important roles in limiting exposure to class litigation and damages.
Legal disclosures are only useful if they are enforceable, and businesses should proactively assess whether their website terms of use and privacy policies are communicated in a sufficiently conspicuous way to create the best case for enforceability. Where practicable, it is generally beneficial to obtain express consent from website visitors; for instance, by requiring users to check a box agreeing to the terms and privacy policy as part of the email sign-up or checkout process. Business will also typically inform users about material changes to practices and policies; this is often done via email or a banner / pop-up on the website and in the app.
If facing a lawsuit under state wiretap statutes, businesses should first look to any available indemnity rights under the contract with the software vendor as well as potential insurance coverage under cyber liability or other policies. It is also important to quickly identify and enforce arbitration and/or choice of law and venue provisions against the consumer; delay risks potentially waiving those protections. Other available defenses may include: showing that the plaintiff implicitly consented to the collection and disclosure by providing the information as part of the transaction or expressly consented under the applicable website terms and privacy policy. At least one court has found that a user's consent to the privacy policy – which disclosed website monitoring – obtained during the checkout process applied retroactively to all of the user's preceding activity on the site. demonstrating that the website activity at issue was not a protected communication. Some state wiretap laws protect only "confidential" communications from interception. In these states, a business may argue that a user's shopping or other online activity does not qualify for protection. establishing that the business was a party to the communication and thus cannot be liable as the alleged "eavesdropper." proving that the technology at issue is not a "device" within scope of the relevant state statute.
WE CAN HELP
Holland & Knight's Data Strategy, Security & Privacy Team has decades of experience defending lawsuits involving the loss, theft or misuse of personal information. If you have any questions regarding best practices for handling customer information or defending data privacy litigation, contact the authors or Holland & Knight's Data Strategy, Security & Privacy Team.
