How it began: A woman used her smartphone to browse once for accessories on her favorite retailer’s website.
How it’s going: The retailer and an online consumer tracking software company find themselves in the long slog of defending a class action lawsuit for illegal wiretapping and criminal eavesdropping under a state wiretap act – probably passed in the midst of the Cold War and almost certainly passed before the Internet was even a known concept, much less a daily life necessity.
These businesses are not the first ones targeted … and they are far from being the last.
How did we get here?
Despite the unknowns in novel litigation such as this, it is not hard to see why it is worth plaintiffs’ counsel’s efforts to try to turn something such as consumer tracking into a wiretapping liability. Because these are criminal statutes, the penalty per violation in a civil context could be materially significant. The majority of states (and the federal statute) permit a person to record a conversation if at least one participant consents. This ensures that only surreptitious recording by third parties is prohibited. However, at least 15 states – California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington – require consent from all parties when a communication is recorded or intercepted. Penalties in those states are steep, ranging from $1,000 to $50,000 per violation. The potential staggering statutory damages place a tremendous amount of pressure on defendants to settle instead of fighting these novel claims.
Fitting a square peg into a round hole
Attempting to squeeze the technology used in consumer tracking into a decades-old eavesdropping statute has presented challenges to the courts. When faced with these types of claims, courts often have more questions and few answers. When the actual text of these statutes is reviewed, it is not hard to see why. For example, the Pennsylvania Wiretap Act creates a civil cause of action to enforce Section 5703, which provides:
Except as otherwise provided in this chapter, a person is guilty of a felony of the third degree if he:
(1) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication;
(2) intentionally discloses or endeavors to disclose to any other person the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication; or
(3) intentionally uses or endeavors to use the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know, that the information was obtained through the interception of a wire, electronic or oral communication.
The Pennsylvania Wiretap Act defines the term “intercept” to mean the “[a]ural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” 18 Pa. C.S.A. § 5702 (brackets added). “Contents” means “any information concerning the substance, purport, or meaning of that communication.” Id. The penalty for violating the Pennsylvania Wiretap Act is up to $1,000 per violation.
As with many of these historical wiretap statutes, there is no language that updates the Pennsylvania Wiretap Act to clearly apply (or not apply) to online websites and consumer tracking software. Thus, when class actions are filed claiming a violation of the Pennsylvania Wiretap Act related to online consumer tracking, courts are left grappling with the application of the general terms of the act to the developing technology of electronic commerce and web browsing. For example:
- Where does the alleged intercept occur? In Pennsylvania, where the retailer is located and where the consumer viewed the website? Or out of state, where the consumer tracking software company is located?
- Does the interplay between a consumer tracking software company’s code on a retailer’s servers qualify as a “device” or an “apparatus”?
- Does the privacy statement on the retailer’s website disclosing the services conducted by the consumer tracking software company constitute “consent” to the “wiretapping”?
- Did the consumer tracking software company’s code intercept any “content” of any “communication”?
These types of questions reveal the challenge of squeezing new technologies into old statutes. How they will ultimately be answered by the courts remains to be seen.
Pennsylvania is just one example of a state with a wiretapping statute on the books and hardly the only state to see these types of class action suits. Florida is one new territory in this latest plaintiffs’ counsel gold rush, with new suits being filed under the Florida Security of Communications Act (FSCA). In fact, this year has seen the filing of multiple class actions against retailers, claiming liability under the FCSA for use of session replay software.
So, what can businesses do?