2022 has seen a new wave of class action lawsuits targeting companies that use technology to track consumers’ interfaces on their websites. These lawsuits generally allege that the use of technologies such as session replay tracking pixels, and chatbots, result in the interception of communications in violation of federal and state wiretapping laws. To minimize potential liability, companies need to be aware of what technologies are used on their platforms, how they are used and what consents need to be obtained from platform users.

Legal background of claims

Plaintiffs often ground their claims in the electronic interception provisions of federal and state wiretapping laws. Under the Federal Wiretap Act of 1968, a person is prohibited from “intentionally intercept[ing] … any … electronic communication.” 18 U.S.C. § 2511(1)(a) (2022). The FWA and many state statutes define “interception” as “acquiring the contents of that electronic communication.” Id. § 2510(4). “Content” is defined as “any information concerning the substance, purport[] or meaning of that communication.” Id. § 2510(8). Under the FWA, a court may require a defendant to pay $10,000 per violation. Id. § 2520(c)(2). Fines under similar state laws range from $1,000 to $50,000 per violation, depending on the state.

While most states generally follow the FWA and its definitions, some states materially differ in their consent requirements. The FWA and some states require consent from only one party to intercept a communication. By contrast, California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Oregon, Nevada, New Hampshire, Pennsylvania and Washington require all parties to the communication to give prior consent to an interception. While litigation most commonly occurs under state laws requiring all-party consent, wiretapping litigation for collection of website analytics has recently been brought under state statutes requiring one-party consent, such as those in Missouri. See Tucker v. BPS Direct, LLC, No. 6:22-cv-3285, at *14-15 (W.D. Mo. Nov. 7, 2022); Tucker v. Cabela’s LLC, No 6:22-cv-3288, at *1 (W.D. Mo. Nov. 9, 2022).

Practices triggering litigation

Session replay

Session replay technologies monitor interactions on websites and other platforms, often recording mouse clicks, keyboard strokes, zooming or cursor movements. Session replay software is designed to capture information at regular intervals to allow the consumer’s interface to be recreated by overlaying a consumer’s inputs over an image of the website.

These programs assist with consumer experience, compliance and website operation. For example, website owners can use this technology to validate acceptance of contractual terms, identify broken hyperlinks or identify areas of consumer confusion. Depending on the type of software utilized, sensitive information can sometimes be redacted or excluded from capture, depending on which settings are enabled.

Recent decisions in the U.S. Courts of Appeals for the Third and Ninth circuits may have opened the door to a potential surge in this type of litigation. See Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107, at *2 (9th Cir. May 31, 2022) (reversing dismissal of a session replay claim); Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 128 (3d Cir. 2022) (same). These decisions have spawned numerous session replay lawsuits against companies like Goodyear, Michaels and Cabela’s.¹

Chatbots

Chatbots enable website and other platform operators to engage with users to answer questions and provide information and technical support. Chatbots are often cost-efficient tools allowing companies to communicate with consumers without the need for live website customer service. Many companies record communications between consumers and chatbots. Recording these conversations can improve the user experience by identifying areas of consumer confusion or creating better automated options for the chatbot.

Plaintiffs have recently filed numerous chatbot lawsuits against companies like Columbia Sportswear, Old Navy, Goodyear and M.A.C. Cosmetics.² These are original claims and could result in damages of $5,000 per individual violation.

Meta Pixel

Meta Pixel is a tracking code developed by Meta that enables the collection of a website user’s activity and links that activity with the user’s Facebook ID such that their activity is shared with Meta. Meta Pixel can be implemented with only a few lines of JavaScript and works by collecting data about a user and, in combination with certain fingerprinting technologies, can be connected with other cookie data to compile or add to a “profile” of the given user. Meta Pixel is not visible to an untrained user and is capable of data collection irrespective of whether an individual actively utilizes Meta services such as Facebook, Instagram or WhatsApp.

Recent cases focus on website operators that allegedly use Meta Pixel to record and analyze the user’s website usage and as a result enable Meta to access such information. Since the website user did not consent to this tracking, plaintiff’s counsel claims that the website operator’s recording of it is in violation of various wiretapping and other laws. Claims have also been brought directly against Meta.³ In the context of state wiretapping laws, website hosts may face exposure if they enable Meta Pixel, thereby allowing Meta to “intercept” electronic communications without prior consent.

In addition to claims under State wiretapping laws, hospitals that have enabled Meta Pixel on patient facing portals are also facing claims under the Health Insurance Portability and Accountability Act (HIPAA). In one recent case, the hospital is alleged to have set Meta Pixel to track patient communications through its patient portal, thus enabling Meta to capture patients’ protected health information without obtaining prior consent from the data subjects.⁴ This sharing of PHI with Meta was recently disclosed under data breach notification laws and is now the subject of class action litigation related to the unauthorized disclosure of PHI.

What to watch for

Type of consent required

While some courts interpreting state laws have left open the possibility of implicit or contemporaneous consent as a defense to this type of litigation, other courts indicate that prior consent is required. Recently, both the Third and Ninth circuits have signaled that the California and Pennsylvania state statutes may require prior consent before an interception or recording of website analytics can be made. See Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107, at *2 (9th Cir. May 31, 2022) (determining that the wiretapping provision of the California Information Privacy Act “require[s] the prior consent of all parties to a communication,” which standard is not met by providing notice in a linked privacy notice); Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 128 (3d Cir. 2022) (determining the same for the wiretapping provision of the Pennsylvania Wiretapping and Electronic Surveillance Control Act). Other courts, by contrast, have left open the possibility of implicit or contemporaneous consent. See, e.g., Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318, 1322 (S.D. Fla. Sept. 9, 2021) (dismissing a session replay claim on statutory interpretation without considering consent); Swiggum v. EAN Services, LLC, No. 8:21-cv-493, 2021 WL 3022735, at *2 (M.D. Fla. July 16, 2021) (deciding the Florida Security of Communications Act does not apply to novel session replay).

Who is a party to the communication

Courts are split on whether third-party technology service providers are “parties” to a communication between a website operator and a consumer for the purpose of determining whether parties gave consent for the interception. In In Re Facebook Internet Tracking Litigation, the Ninth Circuit found that Facebook was not a party to the communication when its plug-ins duplicated users’ messages to third-party sites. 956 F.3d 589, 608 (9th Cir. 2020) (adopting similar reasoning as the First and Seventh circuits). By contrast, in In Re Google Inc. Cookie Placement Consumer Privacy Litigation, the Third Circuit found that Google was a party to the communication because the plaintiff’s web browser communicated directly with Google’s servers through services embedded in the web browser. 806 F.3d 125, 140-43 (3rd Cir. 2015); see also In Re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 274-76 (3rd. Cir. 2016) (citing to Google and concluding the same).

What constitutes the ‘content’ of a communication

State wiretap statutes only prohibit eavesdropping on the “content” of the communications, but courts are divided over what constitutes content. Some courts have determined that recordings of mouse movements, keystrokes and clicks is noncommunicative, comparable to what a security camera detects at a physical storefront. See Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318, 1321-22 (S.D. Fla. 2021) (finding the keystrokes and search terms are the “cyber analog” to in-person movements). Other courts have determined that these recordings could be content because they communicate precisely what the user intended. See Alhadeff v. Experian Info. Sols., Inc., 541 F. Supp. 3d 1041, 1045 (C.D. Cal. 2021) (finding the defendant obtained information from the plaintiff’s movements, such as “personal interests, browsing history, queries[] and habits”). This issue can be an important turning point in litigation because defendants may not violate wiretapping statutes if they are not intercepting “content.”

Mitigating risk

The common theme in all these cases, regardless of technology deployed, is that the website user was not aware of, and did not consent to, the monitoring/recording of their communications. The courts have generally held that when a website user is aware of the use of these technologies and provides consent prior to the use of the website, there is no violation of wiretapping laws. In practice, this means providing notice to users of the enablement of Meta Pixel (and other cookies) and session replay technologies on the website via the site’s cookie banner and notice. Where chat functions are used, consent language should be included in the chat feature before the user inputs their information. Finally, appropriate language should be included in the site’s privacy notice and terms of use, which notice and terms should be affirmatively accepted (or at least acknowledged) by the website user.

Health care providers should also carefully consider the technologies enabled on their websites to understand what information may be collected by, or transferred to, the technology provider. To the extent the technology enables the sharing of PHI, consideration should be given to whether a business associate agreement is in place with the technology provider (and other requirements under HIPAA are complied with) and/or disabling applicable functionality.

¹ Alves v. Goodyear Tire and Rubber Co., No. 1:22-cv-11820, at *1 (D. Mass. Oct. 24, 2022); Farst v. Michaels Stores, Inc., No. 1:22-cv-01433 (M.D. Penn. Sept. 14, 2022); Tucker v. Cabela’s LLC, No. 6:22-cv-3288, at *1 (W.D. Mo. Nov. 9, 2022).
² Cody v. Columbia Sportswear Co., No. 8:22-CV-01654 (C.D. Cal. Sept. 7, 2022); Licea v. Old Navy, LLC, No. 5:22-CV-01413 (C.D. Cal. Aug. 10, 2022); Byars v. The Goodyear Tire and Rubber Co., No. 5:22-cv-01358 (C.D. Cal. Aug. 1, 2022); Valenzuela v. M.A.C. Cosmetics Inc., No. 5:22-cv-01360 (C.D. Cal. Aug. 1, 2022).
³ See, e.g., Stewart v. Advocate Aurora Health, Inc. & Meta Platforms, Inc., No. 1:22-cv-5964 (N.D. Ill. Oct. 28, 2022).
⁴ See above.