Last month in the Northern District of Illinois a class action complaint was filed that alleges two defendants, TikTok and ByteDance, violate Federal and State wiretapping laws. The complaint alleges the conduct violates the Federal Wiretap Act and Massachusetts, Maryland, and Missouri state equivalent laws. The complaint does not allege violation of California, Florida, or Pennsylvania wiretapping laws despite similar claims being filed most often in these jurisdictions. The complaint also does not allege violation of any Illinois statute despite being filed in the Norther District of Illinois.

In this post, we explain what session replay technology is and how courts across jurisdictions have handled claims that the technology violates wiretapping statutes in two-party (also known as “all party”) consent states to date.

This article is part of our ongoing series of articles examining different types of privacy lawsuits filed across the country. Please click here to read our prior article on Video Privacy Protection Act lawsuits.

Approximately a dozen states currently require two-party consent to record conversations. Most notably are California, Florida, Illinois, and Pennsylvania, each of which saw an increase in class action lawsuits alleging “session replay” technology—originally designed to help websites better understand how to improve the way in which visitors interact with the site or, ironically, to capture users’ consent—violates website visitors’ privacy. Federal law only requires one-party consent to record a conversation, so these claims will likely remain at the state law. Last month’s complaint against TikTok, however, alleges the defendants’ use of session replay technology violates Federal law because it was used to track not just the plaintiffs’ communications with Tik Tok, but also with third-party websites the plaintiffs browse from within the TikTok app. If the plaintiffs’ claims against TikTok are successful, we may see an uptick in Federal claims against similar defendants who allow access to third-party websites from within their own program.

What is session replay technology?

Session replay technology allows a website to monitor and capture how a visitor interacts with the website, including the visitor’s behavior (e.g., mouse clicks, page scrolls, etc.) and keyboard clicks, including what information the visitor provides in forms or online chats between the user and the website operator.

Website operators that use the technology to capture only a user’s behavior are at reduced risk of a wiretapping violation claim as several courts across jurisdictions have held session replay technology does not violate wiretapping statutes when it is only used to record a visitor’s behavior because this is more akin to a CCTV recording of a shopper’s movements in a store.

How have courts handled these claims so far?

Courts in California, Florida, and Pennsylvania have handled most of these session replay claims since their rise in popularity in the past few years. Florida-courts have been most critical of these claims, repeatedly finding that plaintiffs’ complaints failed to state a claim under the Florida state law because the complaints alleged un-sanctioned recording of behavior and not the content of communications covered by the law. See, e.g., Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318, 1321 (S.D. Fl. 2021) (holding “the mere tracking of Plaintiff’s movements on Defendant’s website” did not violate the Florida Security of Communications Act (FSCA) because it is akin to information obtained through a security camera at a brick-and-mortar store); Cardoso v. Whirlpool Corp., 2021 WL 2820822 (S.D. Fl. July 6, 2021) (adopting state-court reasoning and dismissing complaint after finding that FSCA does not apply to claims regarding session replay technology on a commercial website). Where session replay technology is used to capture chat-based communications, however, Florida courts have allowed the claims to proceed beyond the pleading stage. See Makkinje v. Extra Space Storage, Inc., 2022 WL 80437 (M.D. Fl. Jan. 7, 2022) (“Plaintiff has sufficiently demonstrated how her claim’s involvement of live chat communications distinguishes it from the other session replay software cases recently dismissed by courts in Florida.”).

California-courts have been less favorable to defendants than Florida-courts. In 2021, a California-court examined a claim that session replay technology violated Florida law by recording “mouse clicks and movements, keystrokes, search terms, information inputted by Plaintiff, pages and content viewed by Plaintiff, and scroll movements, and copy and paste actions.” Alhadeff v. Experian Info. Sols., Inc., 541 F. Supp. 3d 1041 (C.D. Cal. 2021). The California-court denied the motion to dismiss, finding “at this early stage” the plaintiff had sufficiently alleged what the defendant intercepted were “contents” under the FSCA. Id. at 1045.

In May 2022 the Ninth Circuit overturned a Northern District of California’s dismissal of a plaintiff’s California Invasion of Privacy Act (CIPA) claim after finding that although the plaintiff consented to the recording, the plaintiff did so only after using the website for some time. Javier v. Assurance IQ, 2022 WL 1744107 (9th Cir. May 31, 2022). The Ninth Circuit concluded the California Supreme Court would interpret Section 631(a) of CIPA, California’s wiretapping statute, to require the prior consent of all parties to a communication. Id. at *2. On remand, however, the case was again dismissed, this time under the statute of limitations. 2023 WL 114225 at *7.

Notably, in the Ninth Circuit decision, Justice Bumatay issued a concurring opinion that, although it agreed with the ultimate decision that reversed the lower court’s dismissal of the claim, stated the case should be viewed “through a torts lens” because the CIPA codified the common law of invasion of privacy. Id. at *2 (J. Bumatay, concurring) (citing In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020). It remains to be seen whether plaintiffs will take up session replay technology under a tort lens.

California-courts have also split over whether the software provider should be considered a third-party or an extension of the website operator. Compare Johnson v. Blue Nile, Inc., 2021 WL 3602214 at *1 (N.D. Cal. Aug 13, 2021) (dismissing claims because vendor “is not an outsider and instead is a software vendor that provides a service that allows [the website operator] to analyze its own data”) and Graham v. Noom, Inc., 2021 WL 3602215 at *1 (N.D. CAl. Aug.13, 2021) (same) with Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 521 (C.D. Cal. 2021) (finding the same vendor as in Blue Nile and Noom was a third-party and allowing Section 631 claim to proceed) and Revitch v. New Moosejaw, LLC, 2019 WL 5485330, at *2 (N.D. Cal. Oct. 23, 2019) (denying motion to dismiss claim that website operator violated Section 631 (b) by helping third-party software provider to eavesdrop).

Website operators that rely on session replay technology cannot rely on how courts in their home jurisdiction have handled these claims and should ensure they are compliant with the most-strict requirements from any jurisdiction. The Third Circuit held under the Pennsylvania wiretapping law that “the place of interception is the point at which the signals were routed to [the third-party’s] servers.” Popa v. Harriet Carter Gifts Inc., 52 F.4th 121, 132 (3d Cir. 2022). If other circuits adopt this reasoning, defendants may face these claims in any of the all-party consent states so long as the plaintiff(s) accesses the websites in that state.

What should companies do?

The first step for any company is to determine whether it is using session replay technology on its website. If so, the next step is deciding whether the benefits of using the technology outweigh the risks discussed above as simply not using session replay technology is the most conservative approach. If a company wants to continue using session replay technology, however, companies can take steps to reduce their risk of litigation, including by adding proper disclosures to their applicable policies and obtaining user consent consistent with the requirements of applicable laws.

[View source.]