The Privacy Class Action Review - 2023 - Report - Page 13
The plaintiffs’ bar grounded these claims in the electronic interception provisions of
various state laws. Wiretap statutes like the California Invasion of Privacy Act, the
Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of
Communications Act generally prohibit the unauthorized interception or disclosure of
communications transmitted electronically.
The plaintiffs’ bar targeted
technologies that track a
user’s interactions with the
website (e.g., clicking,
scrolling, swiping, hovering
and typing) and create a
recording of those
interactions and inputs –
known as session replay
software.
They also attacked coding tools that create and store transcripts of conversations with
users in a website’s chat feature. The plaintiffs in this new string of class actions allege
that recording users’ interactions with a website and sending that recording to a third
party for analysis without their consent is an illegal invasion of their privacy.
Recent decisions from the Ninth and Third Circuits fueled the swell of lawsuits alleging
violations of these wiretap statutes.
In May 2022, in Javier, et al. v. Assurance IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th
Cir. May 31, 2022), the Ninth Circuit held that the California Invasion of Privacy Act
requires prior consent and explicitly rejected the argument that this wiretap statute
allows a business to obtain consent to the use of session replay software after the
recording has already begun.
The Ninth Circuit, however, did not comment on what would amount to effective consent
to the use of session reply software under the wiretap statute.
A few months later, the Third Circuit in Popa, et al. v. Harriet Carter Gifts, 45 F.4th 687
(3d Cir. 2022) ruled that an electronic interception violating the Pennsylvania
Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website
to purchase a product and her interactions on that site were recorded and transmitted to
a third-party marketing firm. The Third Circuit concluded that the location of the
interception was plaintiff’s browser, and it rejected the defendants’ argument that the
wiretap statute did not apply because the third-party marketing firm’s servers – where
the information was sent – were located in Virginia.
If other circuits follow the Third Circuit’s approach, it could subject companies to liability
under a state wiretap statute each time a user accesses its website from that state.
In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of
12
© Duane Morris LLP 2023
Duane Morris Privacy Class Action Review – 2023
