What You Need To Know In A Minute Or Less

Session replay generally refers to a common analytics tool that captures certain website activity data—such as mouse movements, clicks, and page visits—and then reconstructs this data into “sessions” that may be analyzed to understand and enhance customers’ online experiences. In the past year, the California plaintiffs’ class action bar has launched a spate of lawsuits and demand letters challenging the use of this ubiquitous session replay technology in consumer-facing websites. As a result, companies are facing untested claims that a specific provision of the California Invasion of Privacy Act (CIPA), originally enacted in 1967, is intended to restrict the current use of such technology.

Below is an update on the recent wave of session replay lawsuits, defenses being asserted, courts’ reactions, and strategies that companies may consider to respond to this influx of litigation and demand letters.

Opening the Floodgates

Section 631(a) of the CIPA generally restricts a third party’s unauthorized wiretapping or eavesdropping on an ongoing communication between two parties.¹ Plaintiffs’ core theory in these cases is that the use of session replay technology constitutes illegal wiretapping or eavesdropping in violation of Section 631(a).

The theory is not entirely new, and in fact had previously been rejected by federal district courts. Last year, however, an unpublished Ninth Circuit decision² breathed new life into the theory, with the panel holding that Section 631(a) requires prior consent to the alleged use of session replay technology. Certain plaintiffs’ counsel interpreted this as opening the door to Section 631(a) claims against virtually every company utilizing session replay technology in their websites.

The Litigation Influx

Courts have since been inundated with scores of session replay lawsuits—and multiple companies have received one or more demand letters threatening such litigation. One plaintiffs’ law firm has filed over sixty such lawsuits in the past year.

The complaints are nearly identical to each other in most instances, with generic cut-and-paste allegations and serial plaintiffs, many of whom appear to be “testers” of companies’ websites. The named defendants include a broad range of retailers, manufacturers, and online service providers, but notably not the third-party session replay providers themselves.

Stemming the Tide

Defendants have sought dismissal of these lawsuits on several grounds, including:

Lack of Standing

Plaintiff lacks standing because plaintiff visited the website as a purported “tester,” and/or because plaintiff purposefully ignored the landing page banner notifying users of the involved technologies and/or linking to the online privacy policy.

Party Exemption

Since a company cannot eavesdrop on communications with its own website, a company is generally exempt from liability as a party to the communication. This party exemption also precludes claims that the company “aided and abetted” the session replay vendor in violating Section 631(a)—particularly those in which the session replay technology merely recorded and stored users’ interactions with the site.

No Interception “In Transit”

To be actionable under Section 631(a), a communication must be intercepted “in transit” between the user’s device and the website server. Given that online communications are nearly instantaneous, courts have concluded that the challenged access to the communication did not occur “in transit.”

No Interception of “Contents”

Section 631(a) only prohibits the interception of the “contents” of communications. Courts have construed “contents” as limited to information constituting the intended message, as opposed to “record” information, such as keystrokes, mouse movements, and similar interactions typically stored via session replay technology.

Judicial Reaction

Most of the recent lawsuits are still in the motion to dismiss stage. Early decisions have generally been favorable to defendants, but courts have granted most plaintiffs leave to amend. Although some plaintiffs are choosing to dismiss their cases outright, many are shifting gears to add specific factual allegations and/or new legal theories. These amended complaints are expected to be tested in Q2 to Q3 of 2023.

At least one recent court decision sheds light on this dynamic—in particular, the tactic of filing (or threatening to file) multiple copycat lawsuits based on cut-and-paste allegations and minimal, if any, factual investigation. In dismissing the lawsuit, the court admonished plaintiffs’ counsel for this tactic, chiding counsel’s “determination to file deficient cookie-cutter pleadings at massive scale, rather than fewer cases that adhere to the plausibility pleading standards.”³ Further decisions of this nature may indicate that the tide is turning.

What Companies Can Do

Given the uncertain litigation landscape, companies understandably may ask whether, and how, to update their online operations, even if these Section 631(a) claims are ultimately shown to be meritless.

One key consideration is whether any involved session replay vendor or service provider is limited by agreement (or otherwise) to using the website activity data only to analyze the website’s functionality for the company’s benefit, rather than for the provider’s own independent purposes.

Additionally, companies may benefit from establishing users’ consent, prior to the deployment of session replay technology, to analyze the users’ interactions with the site.

Finally, companies should critically review demand letters invoking CIPA claims or the federal Wiretap Act, considering whether the claimant or counsel are among those serial litigants who may be subject to increased judicial scrutiny in these cases.

¹ Cal. Pen. Code § 631(a).

² Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022).

³ Byars v. Hot Topic, Inc., 2023 WL 2026994 (C.D. Cal. Feb. 14, 2023).