Imagine you’re the CEO of a Midwest-based company operating an e-commerce website. You just attended the monthly sales and marketing presentation, and are pleased with the customer satisfaction and sales revenue numbers since launching the company’s new website. Then you read a five-word email subject line: Class Action Lawsuit for Wiretapping. You are likely to be caught off guard, and perhaps now defending a class action in California.
Recently, a spate of class action lawsuits has been filed in California state and federal courts asserting violations of section 631(a) of the California Invasion of Privacy Act (CIPA), claiming that website operators are intentionally wiretapping or eavesdropping on users by recording and sharing information gathered during use of the site’s chat feature without user consent. The complaints seek significant statutory damages and other relief. Businesses operating websites accessible in California that use chat features or other marketing and analytics tools to collect user information should be aware of the allegations underpinning these new class actions.
At least 50 class action lawsuits have recently been filed based on allegations of wiretapping in violation of the CIPA, alleging the companies share chat data without first obtaining the user’s consent. These lawsuits follow the Ninth Circuit’s unpublished decision in Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022), which held that user consent obtained after collecting their personal information did not defeat wiretapping claims. While Javier did not involve a website chat feature, nor a finding of liability for wiretapping, plaintiffs now argue the case requires that user consent be obtained before recording or sharing their chat content.
In many cases, the plaintiffs allege that the companies embed third-party code in their websites that allows those third-parties to intercept, eavesdrop upon, and store website users’ chat transcripts, all without obtaining prior express consent. They argue this conduct constitutes aiding and abetting wiretapping, and thus subjects the website operators to potential liability.
In addition to the chat feature allegations, some plaintiffs base their wiretapping claims on companies’ use of session replay software. Such software allegedly records the keystrokes, mouse clicks, and data entry of every visitor interaction with the companies’ websites, which the third-party software provider—claimed by the plaintiffs not to be a party to the communication—intercepts without consent.
While these claims are not novel—plaintiffs filed putative class action wiretapping cases involving session replay software even before Javier—the law over such software use is unsettled and so invites litigation. For example, some courts have dismissed claims that companies aided and abetted wiretapping when the third-party session replay providers did not use the collected information for their own benefit. Meanwhile, other courts have allowed such claims to survive regardless of whether the third-parties used the information for their own benefit.
Privacy law is constantly changing and new types of class actions keep arising as web analytics and tracking tools become more commonplace and complex. Companies that use chat features or tracking technologies on their websites should review their notice disclosures and consent mechanisms to evaluate their risks. Consulting experienced counsel in such areas may help avoid expensive and protracted litigation.