If your company has a website and does not disclose the use of session replay software or that the chats on its website are being transcribed, please read this important alert.
There have been a slew of class action lawsuits that have been filed alleging that companies violated California’s Invasion of Privacy Act (CIPA), and other state wiretapping statutes, by allegedly intercepting (i.e., wiretapping) visitors to their websites’ electronic communications. There are a few easy changes your company can make to try and stay out of the crosshairs.
Background
CIPA was originally enacted as a prohibition against wiretapping (i.e., listening and recording telephone conversations) and eavesdropping and recording private confidential conversations (which may occur without telephone equipment). In the past few years, plaintiff firms have filed dozens of cases trying to stretch CIPA to use it as a vehicle to sue software developers and businesses for using “session replay” software to monitor consumer interactions with websites (a very common practice).
In May, the Ninth Circuit issued an unpublished decision called Javier v Assurance IQ, which unleashed a new wave of class action lawsuits in California based on new wiretapping theories. Specifically, the Ninth Circuit found that CIPA applied to “internet communication” and found that Javier’s use of the website did not provide the requisite prior express consent to overcome CIPA.
The underlying theory for most of the CIPA cases threatened or filed since Javier has been that by creating transcripts of online chats with customers (which is a very common practice) and hosting those transcripts with third parties, the website host is violating California’s anti-wiretapping statute by recording or transcribing customers’ communications without their consent. A similar theory is that website hosts violate CIPA by using session replay software, which allows a vendor to recreate an anonymized session showing a website visit.
Since the Javier decision was decided there have been hundreds of demand letters sent and cases filed alleging CIPA violations based on the chat feature. Although we believe that it will be extremely difficult to get any CIPA violation class action certified, and courts will ultimately find these cases meritless, in the first chat box CIPA motion to dismiss to be decided, Byars v. Goodyear Tire and Rubber Co., Judge Sunshine Sykes of the Central District of California denied the defendant’s motion to dismiss, found that the plaintiff pled sufficient facts to support a wiretapping claim and rejected many arguments defendants have been making to try and get these cases dismissed at the pleading stage. Because of this decision, and other recent decisions in the “session replay” CIPA cases that arguably leave the door open for plaintiffs to survive a pleading challenge, we believe there will be a significant increase in cases filed alleging CIPA violations.
Wiretapping Claims in Other Jurisdictions
We are seeing an uptick in session replay cases outside of California as well, including recent ones filed against clients in Florida, Missouri, Massachusetts and Pennsylvania, alleging violations of both federal and state wiretap statutes. We have briefed motions to dismiss in each of these jurisdictions. Plaintiffs in Florida have voluntarily dismissed their cases, just as they did in the earlier wave of cases in which Shook obtained the first Florida federal court dismissal in the session replay litigation. Litigation is ongoing in Massachusetts, Missouri and Pennsylvania.
Takeaways
Companies should engage experienced counsel knowledgeable in website tracking technology and state privacy laws to help proactively minimize risks of a wiretap lawsuit. At a minimum, in-house counsel should ask questions to understand how their company’s website use session replay, and other tracking technology, and whether the company is transcribing chats on its website. Effective notice and consent mechanisms should then be implemented to accurately disclose and obtain consent for the use of session replay and the transcriptions of chats. Lastly, companies should evaluate risk transfer opportunities like third-party indemnification or acquiring insurance that would provide coverage for third-party losses associated with this new wave of lawsuits.
