This article was first published on Legaltech News.
Countless companies leverage third-party analytics tools to help improve website design, update user interfaces, and otherwise enhance users’ online experience. One such tool—“session replay” software—captures certain user interactions (e.g., mouse movements, page scrolling, keystrokes, and error messages) on a website or application running the tool.
Over the last year, the widespread use of session replay software has attracted the attention of the plaintiffs’ bar, and dozens of nearly identical putative class action lawsuits have been filed, marking a new trend in privacy-related litigation. Plaintiffs in these actions allege that companies’ use of third-party session replay tools to capture users’ interactions with websites or applications violate their privacy rights, focusing on claims under state wiretap laws.
A series of recent federal and state court decisions, however, appears to have shifted the tide in defendants’ favor. While these decisions may have blunted the wave of session replay litigation, companies still can take steps to help mitigate the risk and cost of becoming a target of a copycat lawsuit.
One federal judge in Goldstein v. Costco Wholesale Corp recently described the spate of litigation as a “flurry of virtually identical cases wherein creative class action litigants have seized on a novel reading of [ ] decades-old wiretapping statute[s] . . . to attack the use of so-called session replay software on commercial websites.” Indeed, lawsuits targeting the use of session replay software almost uniformly assert causes of action under state wiretap laws—and in particular, the Florida Security of Communications Act (FSCA) and the California Invasion of Privacy Act (CIPA).
State wiretap statutes
Plaintiffs’ focus on these statutory claims is not surprising. Both the FSCA and CIPA require consent from all parties to a communication—not just some of the parties—when that communication is recorded or intercepted. And both the FSCA and CIPA provide for statutory damages, subjecting defendants to significant potential exposure. For example, the FSCA allows for damages not less than $100 a day for each day of a violation or $1,000 (whichever is higher), and the CIPA permits $5,000 in statutory damages per violation or three times the amount of actual damages (again, whichever is higher).
These and other state wiretaps laws predate the Internet, however, and the challenge for plaintiffs has been to fit emerging session replay technology within the ambit of decades-old laws.
A developing body of case law appears to favor defendants
While a number of federal and state court cases have been resolved early via settlement or voluntarily dismissal, others have proceeded to the motion to dismiss phase. Of these cases, a recent group of federal and state court decisions (Goldstein, Jacome v. Spirit Airlines and Graham v. Noom, Inc.) shows that plaintiffs’ claims are facing considerable skepticism.
Defendant website operators and software vendors have advanced several key arguments in seeking dismissal, including:
- The FSCA (like the Federal Wiretap Act on which it was based) was not intended to—and does not—cover session replay software designed to capture users’ interactions on a specific website or application and improve the online interface and user experience. Rather, the legislative history clarifies the statute’s limited purpose to prohibit third-party eavesdropping and illegal recordings regarding the substance of communications or personal and business records.
- Session replay software does not intercept the “contents” of a user’s communication, which under federal and state law means the intended message conveyed by the communication—not information regarding the characteristics of the message generated in the course of the communication.
- Consistent with prior court decisions addressing other software and e-mail servers, session replay software is not a “device” as defined by federal and state wiretap statutes.
- Users affirmatively consented to tracking by session replay software, either because they were on inquiry notice of a website operator’s privacy policy or because they affirmatively consented to that policy and/or terms of use.
Numerous courts have found these arguments persuasive in dismissing plaintiffs’ state law claims, agreeing with defendants that state wiretap laws were not intended to cover session replay software and the capture of users’ interactions on a specific website or application.
Defendants have not won early dismissal uniformly, however. In Alhadeff v. Experian Info. Sols., Inc., for example, the court held that a plaintiff had adequately alleged interception of contents of his communications because the at-issue information—e.g., clicks, movements, keystrokes, search terms, etc.—is “very communicative.” But the weight of authority understands “contents” differently and has rejected that line of reasoning. The oft-cited decision in Jacome, for example, explained that whether information allegedly intercepted is communicative is not the appropriate inquiry, which instead should examine whether the information constitutes the intended message conveyed by the communication
Implications and next steps
The recent string of decisions rejecting plaintiffs’ wiretap claims—along with a number voluntary dismissals—suggests that this novel trend in privacy litigation is losing steam. But court decisions to date have sometimes cut against defendants, and there are steps companies with consumer-facing websites can take to mitigate litigation risk and better position themselves to defend against potential wiretap claims under state law.
Companies, for example, should consider reviewing their online policies and consent procedures. A readily accessible privacy policy that clearly discloses the use of session replay tools to collect and/or share user information with third parties may bolster motion to dismiss arguments. Similarly, requiring online users to provide unambiguous consent to the use of session replay technology or otherwise acknowledge that they have reviewed a privacy policy that discloses such use also may support an early challenge to claims under state wiretap laws.
The months ahead will reveal whether plaintiffs continue to press state wiretap suits or whether defendants have succeeded in further blunting this front of privacy litigation. Companies and their counsel surely will be closely monitoring developments in this evolving area of the law.
Authored by Michelle Kisloff, Adam Cooke, and Andrew Bank.
