The second half of 2022 saw a wave of class action litigation under state wiretapping laws against website operators that use widely deployed online technologies, such as chatboxes and session replay software.
For background, these lawsuits – particularly the California chatbox lawsuits filed by Scott Ferrell of Pacific Trial Attorneys – follow a nearly identical script. One of a handful of “litigation testers” will visit a website and (allegedly) use the ubiquitous chat feature on the target retailer’s website to voluntarily communicate with a customer service representative. And that’s really it. Early briefing has disclosed that in some cases, the repeat plaintiff simply clicks or types “returns,” and then immediately leaves the chat session. And voila, Ferrell sends out a form demand letter offering to settle a threatened California Invasion of Privacy Act (CIPA) lawsuit for six figures on an individual basis, or for tens of millions of dollars on a class basis. When that shakedown attempt doesn’t work, a cookie-cutter lawsuit is filed with hyperventilating allegations that the plaintiff was “shocked and appalled” to discover that the “Defendant secretly records those conversations and pays third parties to eavesdrop on them in real time.”
Got that? The plaintiff writes – records – something on a company’s public website, and because a third-party technology company is providing the underlying chat service, the lawsuit is based on unexplained “eavesdropping” by the service provider. That is, the website operators are not accused of being the primary violators of the state wiretapping law, but instead of “aiding and abetting” eavesdropping on their own websites because they use a technology vendor.
This theory of CIPA liability is conceptually no different than someone complaining, “how dare you keep that email I sent you” simply because you’re using Microsoft Outlook. (Ironically, if you ever get the pleasure of emailing Ferrell, you’ll find out after the fact that your “email has been scanned for spam and viruses by” his vendor before it arrives in his inbox. We are still waiting on an explanation of how that doesn’t violate his own view of CIPA, and are still literally shaking over this shocking and appalling discovery [end sarcasm]).
So how did we get to this point where plaintiffs are now attempting to criminalize longstanding and ubiquitous website technologies under state penal laws enacted to address Cold War-era wiretapping concerns? Simply put, by a few plaintiffs’ firms wishcasting holdings out of two recent Court of Appeals decisions from the Ninth and Third Circuits. As discussed below, however, these two decisions are in fact very limited, interim decisions that still leave the defendants multiple grounds to defeat the lawsuits on remand.
First, in the unpublished decision in Javier v. Assurance IQ, a Ninth Circuit panel considered whether retroactive consent obtained after a user had already begun interacting with a website could defeat a session-replay wiretapping claim under CIPA Section 631. Reversing the lower court, the panel concluded that CIPA requires prior consent – without ever analyzing the issue of consent with reference to the California Consumer Privacy Act (CCPA), California’s comprehensive privacy law that purposely addresses online data exchanges in the larger internet ecosystem.
Notably, the CCPA simply requires companies to “post a conspicuous link” to their privacy policies on their websites to satisfy California’s notice requirements, an important issue the panel never considered. In any event, because Javier is an unpublished opinion, it cannot be cited as precedent as a threshold matter. In addition, despite what Ferrell’s clients have claimed in a recent surge of California CIPA cases, the panel certainly never held that a violation of CIPA even occurred under the alleged facts. Again, the court was only addressing the defendants’ retroactive consent argument that carried the day before the district court. Thus, the defendants still have multiple defenses available to them on remand, including that the plaintiff impliedly consented to the recording, each of the defendants falls within the “party exception” to CIPA Section 631 claims and one cannot “intercept” a communication at the destination website.
In the second case, Popa v. Harriet Carter Gifts, the Third Circuit considered whether a session replay provider was exempt from liability under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) because it was a direct recipient of a simultaneous communication sent whenever the user interacted with the website. The Third Circuit held that WESCA does not contain a broad party exception that exempts a party to a communication from potential wiretapping liability when recording their own communications. Compared to Javier, the Third Circuit went further in that it held an “acquisition” of the communication did occur under Pennsylvania law, based on the unique statutory language of WESCA and the allegations of that case. But at the same time, the panel likewise left open whether the plaintiff impliedly consented to the session replay tracking, which the court found “can be demonstrated when the person being recorded knew or should have known that the conversation was being recorded.”
So just like it wasn’t over when the Germans bombed Pearl Harbor, there are still plenty of viable outs left for these defendants. In fact, multiple decisions from the Northern District of California have held that software vendors are merely extensions of the website operator, and fall within the party exception noted above as a result.
Similarly, a number of Florida courts have rejected wiretapping claims based on session replay technology. For example, in Jacome v. Spirit Airlines, a Florida state trial court held that the Florida Security of Communications Act, and the Federal Wiretap Act on which it is modeled, does not extend to the commonplace use of analytics software on websites. Just as importantly, the court also found conclusory allegations of “interception in real time” are insufficient to state a wiretapping claim, and privacy policies posted on a website are sufficient to inform visitors of the company’s data handling practices.
Ultimately, while we continue to recommend a few best practices to guard against this new litigation scheme as it spreads to other two-party consent states like Massachusetts and Washington, if you are on the receiving end of a wiretapping demand letter or complaint, know that you do have options to fight it.