When was the last time you browsed a website on the internet? Earlier this morning? Maybe even an hour ago? Ten minutes ago? One of the data privacy litigation trends in 2021 that you may not have heard of is session replay software litigation, which has targeted dozens of website operators for purportedly violating the privacy rights of website visitors. However, a string of recent rulings in favor of defendants may signal that the hottest new legal theory in consumer privacy litigation is already on the decline. Read on to learn more.
Some background. Session replay software captures certain aspects of a user’s interactions on web applications (think mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences. To put it otherwise, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.
Well, creative plaintiffs lawyers have filed dozens of putative class action litigations this year alleging that a website operator’s use of session replay software violates certain state wiretap acts—including those of California and Florida. This is because a minority of states have all-party consent wiretap laws (requiring all parties to a conversation or interaction to consent to a recording). Plaintiffs in these cases have alleged that because they did not affirmatively consent to the defendant’s use of the session replay software, the website operator has violated the applicable state’s wiretap law.
There were a few early instances in which courts allowed such claims to survive a motion to dismiss—suggesting that this theory of liability may be here to stay. See, e.g., Alhadeff v. Experian Information Solutions, Inc., No. 8:21-00395-CJC (C.D. Cal. May 25, 2021) (denying motion to dismiss Florida wiretap litigation). However, a string of rulings have sided squarely with defendants—suggesting that the peak of session replay software litigation may already have passed. These decisions rely on similar reasoning to reject imposing liability on commercial website operators, summarized below.
First, courts have held that state wiretap laws do not regulate the use by a website operator of analytics software to monitor visitors’ interactions with that website operator’s own website. Rather, legislative history makes clear that the purpose of these statutes was to prohibit eavesdropping and illegal recordings regarding the substance of communications or personal/ business records. See Fla. Stat. § 934.01 (discussing Florida wiretap act legislative history).
Second, and in any event, courts have held that the use of session replay software does not intercept the “contents” of communications. This is because the word “contents” as used in state wiretap laws (and the federal wiretap act which includes similar language) “refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.”
Third, courts have also found as a matter of law there can be no reasonable expectation of privacy from a third-party website owner when a plaintiff voluntarily browses through that third-party’s website (particularly when certain activities are disclosed in a defendant’s privacy policy).