Emerging Class Action Risk: Does Use of Online Session Replay and Chat Features = Wiretapping?
A wave of U.S. privacy litigation is targeting corporate usage of online session replay and chat features. The plaintiffs filing session replay and online chat class actions are alleging that use of such technologies violates wiretapping laws because users’ interactions and chat communications are being intercepted, used, and/or disclosed without their prior consent.
Session replay technologies can record website/mobile application users’ interactions with a website or mobile application. Data is often captured about a user’s clicks, mouse/screen scrolling, keystrokes, searches, and more. After the data is collected, a company and/or its third-party vendor can “replay” the user’s website/application “session” utilizing such data to better understand the user’s browsing behavior and habits on the company’s site.
Online/mobile chat features enable companies to communicate directly with their website/application users via chat boxes. It is common practice for companies to utilize chatbots to gather initial information from users and then to either connect users to a live customer service representative or have the chatbot answer users’ questions directly.
Plaintiffs’ lawyers have started to employ website “testers” to: (1) browse through targeted corporate websites/applications; and/or (2) communicate with a chat host via targeted corporate chat features. If a “tester” concludes that a company is allowing a third-party vendor to intercept, use, and/or disclose the tester’s website/application interactions or chat communications without the tester’s consent, plaintiffs’ lawyers file a lawsuit against the company and/or its third-party vendor alleging that users’ interactions with the website/application and/or the tester’s online chat communications are being intercepted, used, and/or disclosed in direct contravention of a wiretapping statute. Such violations can expose a company to both civil and criminal liability.
Overview of Wiretapping Law
There are wiretapping statutes at both the federal and state level. In 1967, the United States Supreme Court, in two separate decisions, found that a person’s Fourth Amendment right (i.e., the right against unreasonable searches and seizures) protects against the interception of a person’s communications when the person has a “reasonable expectation of privacy.” See Katz v. United States, 389 U.S. 347 (1967); Berger v. New York, 388 U.S. 41 (1967). In 1968, in direct response to these Supreme Court decisions and increased Congressional interest in the amount of wiretapping being performed by government agencies and private individuals, Title III of the Omnibus Crime Control and Safe Streets Act (the “Wiretap Act”) was passed into law. The Wiretap Act originally protected against only “oral” and “written” communications. In 1986, Congress enacted the Electronic Communications Privacy Act (the “ECPA”) in order to supplement the Wiretap Act with additional protection against “electronic” wiretapping. The ECPA requires only one party to the communication to provide consent before the communication can be intercepted, used, and/or disclosed.
Many states began enacting wiretapping statutes around the same time or after the original Wiretap Act was enacted. Almost all states currently have wiretapping statutes in place. Most state statutes require the consent of only one party before a communication can be intercepted, used, and/or disclosed. However, there are states that require “all-party consent.”
Not surprisingly, the majority of session replay and chat technology cases filed to date are being filed in states with “all-party consent” wiretapping laws, including, but not limited to, laws in California (the California Invasion of Privacy Act (“CIPA”)), Pennsylvania (the Wiretapping and Electronic Surveillance Control Act (“WESCA”)), and Florida (the Florida Security and Communications Act). It is worth noting, however, that there have been some cases filed under one-party consent wiretapping laws (see, e.g., Balanzar v. HP Inc., No. 3:22-cv-02030 (S.D. Cal. Dec. 22, 2022); Tucker v. Cabela’s, LLC, No. 6:22-cv-3288 (W.D. Mo. Nov. 9, 2022)).
Wiretapping statutes generally provide for a civil cause of action as a remedy against those who illegally intercept, use, and/or disclose a communication while in transit. Plaintiffs’ lawyers have been creative in using wiretapping laws as a vehicle for bringing claims falling well outside of the original purpose of such laws (i.e., protecting against unconstitutionally obtained criminal admissions). Because many of the wiretapping statutes have an “aiding and abetting” provision (or similar type of provision), plaintiffs’ lawyers have been suing not only the company’s third-party technology vendor (i.e., the interceptor), but also the company that owns the website/application (i.e., the abettor).
These cases are particularly attractive to plaintiffs’ lawyers because plaintiffs do not have to prove actual damages in order to recover damages. If a defendant intercepts, uses, and/or discloses a plaintiff’s communications without the plaintiff’s consent, wiretapping statutes generally provide plaintiffs with a right to statutory damages (e.g., $5,000 per violation under CIPA).
A Brief History of Session Replay and Online Chat Feature Litigation
Beginning in 2018 and continuing into 2020, the first wave of session replay lawsuits was filed in California, Pennsylvania, and Florida courts. In this first wave, plaintiffs alleged that the use of session replay technology to track website users’ interaction behavior was a violation of applicable state wiretapping law. Many of the first wave cases were dismissed based on one or more of the following reasons: (1) website browsing is not a “communication” that can be intercepted, used, and/or disclosed; (2) third-party vendors cannot “intercept” a user’s “communication” from website browsing because the third-party vendor is an actual “party” to that “communication;” or (3) users do not have a reasonable expectation of privacy when browsing on a website. The total number of session replay lawsuits began to die down by the fall of 2021.
However, beginning in the spring of 2022, two United States Court of Appeals decisions opened the door for a new wave of session replay lawsuits. First, in May of 2022, Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022) was decided. In this case, the United States Court of Appeals for the Ninth Circuit found that: (a) California’s wiretapping law, CIPA, is applicable to usage of session replay technologies; and (b) companies using session replay technologies must obtain a website user’s consent prior to recording the contents of any website user’s communications. Id. at *2.
Then, in August of 2022, the United States Court of Appeals for the Third Circuit followed Javier with a similar decision in the context of Pennsylvania’s WESCA. In this case, the Third Circuit vacated the district court’s granting of summary judgment in favor of the defendant. Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687, 690-91 (3rd Cir. 2022). In overturning the district court, the Third Circuit found that: (a) WESCA applies to the usage of session replay technologies; and (b) third-party session replay vendors are deemed to be “intercepting” a plaintiff’s communications with a website under WESCA even if such communications are directly routed to a company’s third-party vendor’s own servers. Id. at 692-95. The Third Circuit rejected the defendant’s argument that a third-party vendor intercepting a user’s interactions in real time is a “party” to the communication, and thus, there can be no liability for wiretapping. Id. at 695. The Third Circuit also reinforced the decision in Javier that prior consent by a website user is required before any communications may be intercepted by a company’s third-party vendor. Id. at 698-99.
Status of Session Replay and Chat Communication Litigation
The Javier and Popa decisions resurrected the session replay cases. Opportunistic class action lawyers have also been filing lawsuits alleging that the interception, use, and/or disclosure of online chat communications without users’ prior consent violates wiretapping laws. A slew of additional session replay and new online chat communications lawsuits were filed in late 2022 and early 2023. Many of these newly filed cases are still pending, but they are in the early stages of litigation. It is noteworthy, however, that at least one court has denied a defendant’s motion to dismiss a CIPA claim in an online chat context (i.e., finding that plaintiff sufficiently pled a claim under CIPA alleging that defendant intercepted plaintiff’s online chat conversations in real time). See Byars v. Goodyear Tire and Rubber Co., 2023 WL 1788553 at *4 (C.D. Cal. Feb. 3, 2023). Because testers are continuing to check out corporate websites for potential new targets, it is important for corporate leaders to consider actions they could take now that would reduce the risk that their company will become the next target of session replay or online chat communication class action litigation.
Actions Corporations Can Take to Reduce their Risk of Becoming the Next Target
We are highlighting below actions you may want to take to minimize the risk of your company becoming the next target of a session replay and/or online chat communication class action lawsuit:
1. Develop a Thorough Understanding of Website/Application Technologies. Identify and analyze the technologies utilized on your corporate website[s] and application[s], including but not limited to session replay and online chat features. Consider potential class action risks posed by usage of such technologies, including risks of violating wiretapping laws or other laws that are currently being used as a vehicle for class action litigation targeting website and application technology practices, such as the Video Privacy Protection Act (VPPA).
2. Update Your Company’s Privacy Policy, as Necessary. Review your company’s privacy policy to confirm you are providing an accurate and complete privacy notice, in accordance with applicable laws, that covers, along with all other required information, all personal information collection, usage, disclosure, and storage practices, including with respect to all website/application technologies. Update your company’s privacy policy as necessary.
3. Update Your Company’s Terms of Use, as Necessary. Review your company’s website and/or application terms of use. Identify opportunities to strengthen the terms of use, including but not limited to incorporating an arbitration clause and a class action waiver clause.
4. Obtain Users’ Express Consent Prior to Their First Website/Application Interaction or Chat Communication. Obtain express consent from users before any personal information is collected for session replay purposes. If your company has an online/mobile chat feature, obtain separate express consent from users prior to permitting users to communicate with a chatbot or chat representative.
5. Properly Manage Consent. Manage consent processes. This includes not only obtaining and tracking the original collection of consent, but also permitting and tracking withdrawals of consent. Consider utilizing reliable consent management platforms to help manage consent. Retain consent records for the timeframe in which your company may be required to prove that a user’s consent was, in fact, received.
6. Enter into Appropriate Agreements with Third-Party Vendors. Enter into appropriate agreements with third-party vendors providing session replay and/or chat-related services. Confirm legal obligations are appropriately placed on the correct party. For example, consider whether it makes sense to place the obligation to obtain users’ consent on the third-party vendor. Also, confirm that liability and indemnity clauses are written in an appropriately protective manner.
7. Monitor Class Action Litigation Developments. Finally, as this latest wave of class action litigation moves forward, we recommend that you continue to monitor wiretapping case developments.
Laura Clark Fey, current chair of DRI’s Electronic Privacy Working Group and one of the first twenty-seven U.S. attorneys recognized as Privacy Law Specialists through the International Association of Privacy Professionals (IAPP), leads Fey LLC, a global data privacy and information governance law firm. She and her team help multinational and U.S. organizations develop and implement practical solutions to their unique data privacy and information governance challenges. Laura is the former Chair of DRI’s Cybersecurity and Data Privacy Committee. Laura also is a member of the inaugural class of IAPP Fellows of Information Privacy (FIP), a Certified U.S. and European Privacy Professional (CIPP US/E), and a Certified Information Privacy Manager (CIPM). The U.S. Department of Commerce and the European Commission selected her as an arbitrator in connection with the former E.U.-U.S. Privacy Shield Framework Binding Arbitration Program. Laura, who is also an IADC member, teaches Global Data Protection Law at the University of Kansas School of Law. She has also taught International Issues at Baylor Law School. Email: [email protected].
Will Davis is an associate attorney at Fey LLC. Will assists Fey LLC clients in addressing a wide variety of global privacy, information security, and information governance challenges. He is an IAPP certified U.S. and European Information Privacy Professional (CIPP/US/E) and an IAPP Certified Information Privacy Manager (CIPM). Will has also received the ACEDS eDiscovery Executive Certificate (eDEx). Email: [email protected].
The authors would like to extend a special thank you to Blake Lines, Privacy Analyst at Fey LLC, for his contributions to this article.