How it began: A woman used her smartphone to browse once for accessories on her favorite retailer’s website.

How it’s going: The retailer and an online consumer tracking software company find themselves in the long slog of defending a class action lawsuit for illegal wiretapping and criminal eavesdropping under a state wiretap act – probably passed in the midst of the Cold War and almost certainly passed before the Internet was even a known concept, much less a daily life necessity.

These businesses are not the first ones targeted … and they are far from being the last.

How did we get here?

Class action lawsuits alleging violations of federal and state anti-wiretapping laws are a higher-tech version of an old story in the class action space – where plaintiffs’ counsel try to outrun each other to put their proverbial stakes in the ground of a new source of liability. This time, counsel are claiming session replay software and other technologies, which track and record visitors’ movements on a site, are wiretapping. The session replay class is the newest in a line of cases using federal and state anti-wiretapping laws as an avenue to sue software developers and the businesses that contract with them for the routine and pervasive use of pixels, cookies and other software that track consumer browsing activity on the Internet – even though such activity is almost always fully disclosed in the website privacy policy. Most concerning for companies is that these suits are brought against the software company as well as against the customers that contract to utilize such services for their websites.

Despite the unknowns in novel litigation such as this, it is not hard to see why it is worth plaintiffs’ counsel’s efforts to try to turn something such as consumer tracking into a wiretapping liability. Because these are criminal statutes, the penalty per violation in a civil context could be materially significant. The majority of states (and the federal statute) permit a person to record a conversation if at least one participant consents. This ensures that only surreptitious recording by third parties is prohibited. However, at least 15 states – California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington – require consent from all parties when a communication is recorded or intercepted. Penalties in those states are steep, ranging from $1,000 to $50,000 per violation. The potential staggering statutory damages place a tremendous amount of pressure on defendants to settle instead of fighting these novel claims.

Fitting a square peg into a round hole

Attempting to squeeze the technology used in consumer tracking into a decades-old eavesdropping statute has presented challenges to the courts. When faced with these types of claims, courts often have more questions and few answers. When the actual text of these statutes is reviewed, it is not hard to see why. For example, the Pennsylvania Wiretap Act creates a civil cause of action to enforce Section 5703, which provides:

Except as otherwise provided in this chapter, a person is guilty of a felony of the third degree if he:

(1) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication;

(2) intentionally discloses or endeavors to disclose to any other person the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication; or

(3) intentionally uses or endeavors to use the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know, that the information was obtained through the interception of a wire, electronic or oral communication.

The Pennsylvania Wiretap Act defines the term “intercept” to mean the “[a]ural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” 18 Pa. C.S.A. § 5702 (brackets added). “Contents” means “any information concerning the substance, purport, or meaning of that communication.” Id. The penalty for violating the Pennsylvania Wiretap Act is up to $1,000 per violation.

As with many of these historical wiretap statutes, there is no language that updates the Pennsylvania Wiretap Act to clearly apply (or not apply) to online websites and consumer tracking software. Thus, when class actions are filed claiming a violation of the Pennsylvania Wiretap Act related to online consumer tracking, courts are left grappling with the application of the general terms of the act to the developing technology of electronic commerce and web browsing. For example:

• Where does the alleged intercept occur? In Pennsylvania, where the retailer is located and where the consumer viewed the website? Or out of state, where the consumer tracking software company is located?
• Does the interplay between a consumer tracking software company’s code on a retailer’s servers qualify as a “device” or an “apparatus”?
• Does the privacy statement on the retailer’s website disclosing the services conducted by the consumer tracking software company constitute “consent” to the “wiretapping”?
• Did the consumer tracking software company’s code intercept any “content” of any “communication”?

These types of questions reveal the challenge of squeezing new technologies into old statutes. How they will ultimately be answered by the courts remains to be seen.

Pennsylvania is just one example of a state with a wiretapping statute on the books and hardly the only state to see these types of class action suits. Florida is one new territory in this latest plaintiffs’ counsel gold rush, with new suits being filed under the Florida Security of Communications Act (FSCA). In fact, this year has seen the filing of multiple class actions against retailers, claiming liability under the FCSA for use of session replay software.

So, what can businesses do?

Because these claims are novel and the trend is new, there is little guidance in terms of how courts view these claims, though there is a growing body of lower court decisions dismissing them. However, there are a couple of steps that companies with an online presence can take to protect and defend themselves against wiretapping and eavesdropping claims. Make sure that the website privacy policy provides clear and substantive disclosure of how user information is collected and/or shared with third parties. Consider requiring visitors to the website to affirmatively consent to use of the technology or to acknowledge they have reviewed the privacy policy (i.e., a “clickwrap” agreement as opposed to a “browsewrap” agreement, where the privacy policy is in the footer of the website or available by clicking on a link). Online businesses should also include strong indemnification rights in contracts with any software provider that engages in any type of consumer tracking. Finally, it is important to monitor litigation trends in consumer tracking. Whether any material number of these types of claims will have success remains to be seen.