Privacy litigation trend: Session replay software targeted under state anti-wiretapping statutes

Eversheds Sutherland (US) LLP

US companies are facing a surge of consumer class action lawsuits alleging that businesses and their software providers violate state anti-wiretapping statutes and invade consumers’ privacy rights by using “session replay” technologies on their websites without obtaining sufficient consent.

Session replay, or the ability to replay a visitor’s journey on a website or within a mobile application or web application, including what they viewed, clicked on, or hovered over, is relatively new, but the laws under which plaintiffs are suing are relatively old. As a result, businesses that operate consumer-facing websites that employ session replay technologies (which is very common) should consider proactive measures to obtain affirmative consent within states that require all-party consent to record a conversation and should be prepared to argue sufficient consent if complaints are filed.

Consent to cookies is also a way to mitigate risks under the growing number of state privacy laws, including the California Consumer Privacy Act.

Background:

Session replay software is essentially a tool that allows website operators to analyze users’ interactions with their consumer-facing website.[1] Businesses retain session replay service providers, such as Dynatrace and FullStory, to help the business monitor basic user interaction, including mouse movements, keystrokes, browser information, search terms, and content viewed during the website visit. The session replay software assists website operators with improving customer experience, compliance, and other operational features. More specifically, the software allows website operators to review individual user interactions and evaluate the issues users experienced, so that they can adjust their consumer-facing website to provide better experiences and increase overall user satisfaction.

Notably, session replay software does not record users’ interactions the way video surveillance or audio recording would; instead, the software receives and processes only the data that has already been accessible to the business through its own website, and creates anonymized, video-like recordings of users’ interactions.

State Anti-Wiretapping Statutes & Rise of Class Actions:

Recently, plaintiffs’ attorneys have begun filing putative class action lawsuits alleging that the use of session replay software violates certain state anti-wiretapping statutes. Almost all 50 US states have some sort of anti-wiretapping statute—originally intended to prevent surreptitious recording of or eavesdropping on phone calls—but approximately 13 states require “two-party” (or “all-party”) consent.[2] To date, litigation in this area has been focused in California, Florida, and Pennsylvania—all of which are “two-party” consent states.

Accordingly, plaintiffs in these states typically allege that because they did not affirmatively consent to the use of session replay software or were not made aware of its use, website operators violated the applicable state’s wiretapping statute by eavesdropping and by aiding and abetting eavesdropping, and the session replay service provider eavesdropped on consumers’ communications.[3]

These lawsuits began to emerge in rapidly growing numbers after the Ninth Circuit ruling in Javier v. Assurance IQ LLC, where the court held that website operators must obtain prior express consent from users in order to escape liability for their use of session replay software under the California Invasion of Privacy Act.[4] And although courts in most states have not yet determined whether or not anti-wiretapping laws apply to the use of session replay software, the Third Circuit in Popa v. Harriet Carter Gifts, Inc. previously ruled that the transfer of consumer data from a retailer’s website to service providers was considered “interception” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act.[5]

The combined impact of these two rulings suggests that session replay software litigation is just beginning. In fact, in the past two months, we’ve seen similar class action lawsuits filed against various businesses—American Airlines, Papa John's, Alaska Airlines, etc.—over allegations that their websites used session replay technology to illegally tap electronic communications from users visiting their websites while failing to obtain prior consent or disclose the use of session replay software.[6]

Best Defense & Looking Forward:

Consent is the best defense—and the earlier and clearer the better. When a user is aware of the website operators’ use of session replay software and has provided consent via accepting applicable cookies or privacy policies prior to using the consumer-facing website, courts generally hold there was no violation of state anti-wiretapping law.[7]

Although penalties vary state by state, generally there are statutory damages incorporated in every state anti-wiretapping statute, allowing for damages on a “per incident” basis for each consumer or user that was affected (e.g., the California Invasion of Privacy Act provides for $2,500 in statutory damages for each violation; the Florida Security of Communications Act provides for $1,000 in statutory damages for each violation).

Because these laws provide for statutory damages, efforts by plaintiffs’ attorneys and consumers to expand the scope of the law to include the use of website support tools such as session replay software are only likely to increase.

___________

[1] See Dynatrace, Session Replay (Webpage), accessible at Dynatrace.

[2] See Recording Law, All Party (Two Party) Consent States – List and Details (Webpage), accessible at Recording Law.

[3] Christina Tabacco, Nike and FullStory Ask Court to Stay Discovery Pending Dismissal in Online Shopping Eavesdropping Suit, Law Street Media (May 11, 2011), accessible at Law Street.

[6] Mateusz Maszczynski, American Airlines Facing Class Action Suit For Using 'Session Replay' Tech to "Illegally" Spy On Visitors to its Website, Paddleyourownkanoo.com (Oct. 9, 2022), accessible at Paddle your own Kanoo.

[7] Christopher Brown, Website-Browsing Surveillance Suits Erupt After Appellate Ruling, Bloomberg Law (Sept. 23, 2022), accessible at Bloomberg Law.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
