Since the Commonwealth of Pennsylvania does not have a comprehensive consumer data privacy statute, it relies on a patchwork of other statutes and regulations to protect its citizens’ data from unwanted access, collection and use. Among them, Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, 18 Pa. C.S. § 5701 et seq. (WESCA) is at the center of a recent decision arising from a third-party marketing company’s surreptitious interception of a consumer’s communications while she was shopping online.
In Popa v. Harriet Carter Gifts, Inc. and NaviStone, Inc. the Third Circuit determined that an interception indeed occurred under WESCA, but could not determine where – a critical question since WESCA does not apply to conduct outside of Pennsylvania. Importantly, the Third Circuit did not deal a complete knockout blow to the use of cookies or third-party marketing data collection, acknowledging several WESCA exceptions, including all-party consent and again emphasizing the importance of the terms of service and privacy policies.
Background
Plaintiff Ashley Popa navigated her way to the Harriet Carter Gifts website on her iPhone to shop for pet stairs. Popa eventually added a set to her cart and started but did not complete the checkout process. As she clicked through the website, Popa’s browser unsurprisingly communicated with Harriet Carter, but it also surreptitiously interacted with NaviStone, a third-party marketing service engaged by Harriet Carter. Popa left the Harriet Carter website without buying anything, but not before NaviStone sent a “OneTag” code to her browser allowing it to collect, among other things, pages Popa visited when she entered her email address and items she added to her cart.
Popa filed a lawsuit in the Western District of Pennsylvania asserting that Harriet Carter and NaviStone violated WESCA and common law invasion of privacy. (On appeal, the Third Circuit recognized that WESCA provides a private right of action for individuals, meaning that consumers can file lawsuits for purported violations without the need for waiting for government or regulatory action.) The District Court quickly disposed of the invasion of privacy claim and later granted summary judgment in favor of the defendants on the WESCA claim. Popa appealed the dismissal of her WESCA claim to the Third Circuit.
Third Circuit Appeal
Popa’s appeal hinged on whether NaviStone “intercepted” her communications with Harriet Carter under the Act, which “prohibits the interception of wire, electronic, or oral communications, which means it is unlawful to acquire those communications using a device.” The Third Circuit first recognized that in the context of wiretaps, “intercept” under WESCA is defined as “acquiring certain communications using a device.” While the issue sounds straightforward, unlike the days of traditional telephone taps, the Third Circuit had to consider technical evidence that addressed not only whether JavaScript code used by NaviStone to direct communications to its server was indeed an intercept under WESCA but also where the intercept occurred. Interestingly, the defendants did not challenge whether such code was a “device” under the statute.
The Third Circuit rejected defendants’ primary argument that Pennsylvania courts have excluded direct recipients of communications from WESCA culpability. In doing so, it noted that the holdings of the criminal suppression cases that the defendants relied on were later codified in amendments to WESCA, which shielded law enforcement officers from liability for interceptions when they are or posing as an “intended recipient.” It was noted that the Pennsylvania Legislature had the opportunity, but passed on adopting more expansive language defining intended recipients.
The Third Circuit found that the Pennsylvania Supreme Court would determine that WESCA does not include a broad direct-party exception and that the defendants could not avoid liability because Popa’s browser “unknowingly communicated directly with NaviStone’s servers.” In a broader context, in footnote 6, the Third Circuit acknowledged that this contradicts its holdings in cases brought under the Federal Wiretap Act, which has an expressed direct-party exception. For instance, in In re Google Inc. Cookie Placement Consumer Privacy Litigation and In re Nickelodeon Consumer Privacy Litigation, the claimants’ browsers sent GET requests directly to the defendants converting them to parties to the communication under the Federal Wiretap Act.
The Third Circuit then turned its attention to determining where NaviStone intercepted Popa’s communications, a critical question here because WESCA does not apply to conduct completely outside Pennsylvania. In other words, if the intercept occurred in Virginia, where NaviStone’s servers are located, then a court would have to conduct a choice-of-law analysis to determine if WESCA applied. The Third Circuit found that NaviStone’s intercept occurred at Popa’s browser, not where NaviStone routed the communications. Although the parties assumed the intercept occurred in Pennsylvania, the Third Circuit found no support in the record to identify where Popa’s browser met Harrier Carter’s website and where NaviStone’s code started directing her browser to communicate with its servers.
The Third Circuit remanded the case back to the District Court to determine whether there is a genuine issue of material fact about where the interception occurred.
The Third Circuit also noted that WESCA does not reflexively prohibit the use of cookies or the use of third-party marketing companies to collect data because it includes a number of exceptions. For example, the “all-party consent exception,” which, as it sounds, allows parties to give prior consent to an interception. The defendants gave consent and contended that Popa impliedly consented because the Harriet Carter website included a privacy policy that purportedly disclosed that communications were being sent to a third-party company. This issue is still before the District Court and will focus on whether the privacy policy on the web browser accessed by the plaintiff adequately notified her of the interception.
Conclusion
The Popa opinion underscores the need for Pennsylvania businesses and digital marketing firms providing services in the Commonwealth to obtain consent from consumers prior to collecting their data or installing cookies on a browser. It also emphasizes that courts will give broad meaning to what “interception” of a communication is under WESCA. In doing so, this could create precedent for similar cases before the court until a comprehensive data privacy law is enacted in the Commonwealth of Pennsylvania.