Seyfarth Synopsis: In 2022, the Third Circuit Court of Appeals reinstated a class action lawsuit alleging violations of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”). The lawsuit alleged that an online retailer and its marketing agency violated WESCA by tracking visitor activity on the site through the use of session replay codes. Following the Third Circuit’s decision that WESCA did not include an exemption for direct parties to a communication, plaintiffs across the country have begun filing similar lawsuits against companies whose websites use this type of tracking software. As companies examine the privacy landscape in 2023, it is important to recognize and monitor this emerging legal theory.
What is the session replay code?
At the heart of this recent privacy trend is software commonly known as Session Replay. At a high level, session replay is a type of technology that allows organizations to track every action a user takes on a website or mobile application. More importantly, however, what sets session replay code apart in the internet marketing space is its capability Create new a user’s path through the website. As the name suggests, the Enterprise Session Response Code creates a visual record of all a user’s activity, including their clicks, mouse movements, scrolls, and time spent on the website or application. While session replay doesn’t literally record the user’s screen, it does reconstruct each user’s movement in a visual way that many companies find useful for internet marketing and user behavior research.
3rd Circuit decision leads to spate of wiretapping lawsuits
One of the early complaints related to the session replay code is valid Popa vs. Harriet Carter Gifts & Navistone, Inc., No. 2:19-cv-00450 (WD Pa.). In that case, the plaintiff alleged that while she was purchasing a pet staircase on Harriet Carter Gifts’ website, the company’s marketing agency, Navistone, “intercepted” her online activity without her consent. The lawsuit, filed on behalf of all Pennsylvania residents who used Harriet Carter’s website and whose data was intercepted by Navistone, alleges violations of Pennsylvania’s WESCA (as well as a common law cause of action for invasion of privacy, which was later dismissed). became).
The Pennsylvania District Court initially granted the defendants’ motion for summary judgment and held the defendants not liable under WESCA because the plaintiff and the defendants were direct parties to the communications and therefore could not “eavesdrop” on the communications. On appeal, a Third Circuit Panel overturned that decision on the grounds that WESCA does not provide a direct party liability waiver.
In their motion for summary judgment, the defendants relied on two cases in which Pennsylvania courts found that law enforcement officials did not “intercept” any communications because they were direct recipients of the communications in question. However, according to the Third Circuit, those decisions lost their precedent in 2012 when the Pennsylvania legislature amended WESCA to clarify that the “direct recipient” exception only applies to law enforcement officials with prior approval from a supervisor. The defendants also sought summary judgment on two different grounds — court claims that Navistone did not intercept the data in Pennsylvania (but out of state) and that the plaintiff consented to an interception by complying with the privacy policy of the website has accepted – but the The Third Circuit deemed these matters more appropriate for the District Court on remand.
After the decision of the Third Circuit in father, a spate of wiretapping class action lawsuits was filed in Pennsylvania. In addition, because the Third Circuit has chosen not to comment on the judicial component of fatherthese subsequent complaints also allege wiretapping violations against companies across the country (ie., against corporations in each state).
This decision also fueled the expansion of wiretapping lawsuits under similar state and federal laws, which have spread to numerous states across the country. Plaintiffs have also asserted these claims under broader state tort laws and statutes, including the California Invasion of Privacy Act, which allows consumers to seek damages of up to $5,000 per violation.
Impact on business
Lawsuits over re-sessions are flooding courts across the country, and these claims are evolving. Despite the marketing and customer research benefits associated with session playback, companies using this software should keep a close eye on the privacy area as this trend continues to evolve. Businesses around the world should also pay close attention to their user tracking methods used on websites and mobile applications, as well as their consent policies and procedures.