The latest wrinkle in the ever-changing world of data privacy litigation is the recent surge in state wiretap claims. What began as a trickle over the summer of 2020 has grown into a clear wave as plaintiffs have filed dozens of lawsuits against prominent tech, eCommerce, entertainment, and retail companies under state wiretap laws. These lawsuits seek statutory damages for the alleged interception of consumers’ electronic communications through the defendant’s use of various website analytic tools. Insofar as the use of website analytics tools is ubiquitous on the internet, privacy litigators are carefully watching the progress of these state wiretap claims. If successful, state wiretap claims could become the next TCPA, threatening virtually every company with a sizable web presence in the U.S.
Plaintiff’s attorneys have long tried to use the federal Wiretap Act as a vehicle for seeking damages relating to the sharing of personal information between websites and third-party applications. Many of these cases, such as the In re Google Cookie Placement Consumer Privacy Litigation, have foundered in the past, typically for two reasons: (1) because the information collected by websites, such as search requests or location information, did not constitute “contents” within the meaning of the Wiretap Act; or (2) because a website operator’s sharing of a website user’s activity on the website with a third party wasn’t an interception because the website operator is a party to the communication.
The landscape shifted significant in the summer of 2020 with the Ninth Circuit’s decision in the In re Facebook Internet Tracking Litigation. That case involved Facebook’s collection of users’ search requests on third-party websites that had the Facebook Like button embedded on the website. Facebook collected this information by having its plug-in direct users’ browsers to send duplicate “GET requests”—which contain the users’ personally-identifiable URL information—to both the third-party website and Facebook. Plaintiff alleged that consumers were not aware that Facebook could track their search history on third-party, and that doing so constitutes an “interception” under federal and California state wiretap laws.
The Ninth Circuit agreed, holding that “simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the [federal and state wiretap statutes’] party exception.” In so holding, the Ninth Circuit deepened a growing divide between federal circuit courts interpreting the proper application of the wiretap statutes’ party exemption.
In the wake of Ninth Circuit’s decision, plaintiffs have filed dozens of putative class actions, alleging the illicit tracking of users’ online activities. Many of these lawsuits focus on the use of “session replay” software that tracks users’ mouseclicks, keystrokes and site navigation and are capable of providing a video recreation of a user’s online experience on a website. Plaintiffs have brought suit under a variety of state wiretap laws, particularly California and Florida, that require two-party consent and provide for statutory damages. For example, Florida’s wiretap law provides for damages of $100 per day of violation or $1000, whichever is greater.
There are, however, a number of reasons to question the viability of these state wiretap claims. To begin, there is a significant difference between Facebook’s capture of GET requests at issue in the Facebook Tracking Litigation and website operators’ use of website analytic software. Facebook’s capture of search requests occurred on third-party websites whereas the typical defendant in the recently filed lawsuits is alleged to have tracked user activity on its own website. It is black letter law that a party to a communication cannot intercept the communication. It is also unclear whether the activity that is being tracked by website operators constitutes “contents of a communication” within the meaning of the Wiretap Act and state analogs. It is also unclear whether a website operator’s tracking of user activity on that website is surreptitious. Indeed, many website operators disclose the use of website analytics tools in their privacy policies or cookie banners.
There is also a larger policy issue at stake, as the use of website analytics is very common by website operators and serves to advance the legitimate goal of improving website performance and security controls. Facebook, joined by amici curiae, has petitioned the United States Supreme Court to review the Ninth Circuit’s decision. That petition is still pending and will be considered by the Supreme Court at its March 19, 2021 conference.
Many of the state wiretap claims filed nationally are still in the pleadings stage. Numerous defendants have filed motions to dismiss, which are still pending. Privacy litigators should pay careful attention as courts begin to rule on these motions, which are very likely to determine whether state wiretap claims focused on use of website analytic tools gains momentum or withers on the vine.