A hot button topic for any company conducting business in the digital marketing industry is the matter of consumer  consent. Whether businesses successfully obtain the requisite consumer consent can mark the difference between a legal website experience and one that could violate various data privacy regulations. Recently,  courts have confronted issues of user consent in the context of the utilization of website recording technology. One such technology is known as "session replay" spyware. It enables website owners to intercept and observe the way users interact with webpages, including observing and recording movements of a mouse, clicks, keystrokes, page and content views, as well as information inputted into websites by consumers. 

What is Acceptable Consent to Engage in Website Recording?

Several states, most notably California, are in the process of strengthening their data privacy laws and related user consent requirements. In addition, old consumer protection regulations are now being applied to the use of website recording technologies. In a recent  blog, we covered the pivotal decision in  Javier v. Assurance IQ, LLC, which held that prior express consent must be obtained in order to legally record a user's website visit. Failure to do so poses the risk of violating Section 631(a) of the California Invasion of Privacy Act (commonly known as the State's "wiretapping" law or "CIPA"). In Javier, the Ninth Circuit specifically held that retroactive consent does not satisfy the requirements of Section 631(a). Due to an increase in copycat lawsuits, website owners using session replay technology must adhere to the rapidly-evolving caselaw.

New Complaint Alleges that Use of Website Recording Technology Violates California Law

In a recent class action,  Kauffman vs. Papa John's International, Inc., Plaintiff and a proposed class of consumers are seeking damages and injunctive relief from the popular pizza chain for violations of the Federal Wiretap Act and the CIPA. Specifically, Plaintiffs argue that Defendant used, without authorization, and without Plaintiffs' knowledge or prior consent, session replay spyware. In so doing, Defendant was able to "contemporaneously intercept, capture, read, observe, re-route, forward, redirect, and receive Plaintiff's and Class Members' electronic communications." The allegations characterized use of this website recording technology as effectively being able to record and playback a user's interaction with a website, "as if someone is looking over [one's] shoulder when visiting Defendant's website." Additionally, Plaintiffs allege that this technology enables Papa John's to create a detailed profile of visitors to its site. Plaintiffs are suing for damages that include the greater of $10,000 or $100 per day for each violation of the Wiretap Act and $2,500 to each class member for CIPA violations, as well as costs and reasonable attorneys' fees. 

Companies using Website Recording Technology Must Take Heed

Internet marketing companies must be aware of the depth and breadth of evolving data privacy laws, or risk facing civil and, in some cases, criminal liability. Collecting consent and personal information through a website is almost universal. But the different types of consent that a business must obtain and in what order can be complicated, to say the least. Hiring experienced marketing and privacy attorneys can save your business the expense and headache of trying to resolve these issues on your own.

Related Blog Posts:

9th Circuit Sets Trend On Valid Consent For Website Visit Recordings

Trusted Form Wiretap Case Sows TCPA Confusion

Was NFL Enterprises Sued For Alleged Automatic Renewal Law Violations?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.