A flurry of recent cases shows that if your company operates websites that track consumers' visits using session-replay software or integrates third-party software to facilitate customer-service chats, you're a potential target. Over the past year, creative plaintiff attorneys have initiated a string of class-action lawsuits alleging that session-replay software violated state wiretap acts—notably in California, Florida, Illinois, and now Pennsylvania. At the same time, a district court decision blessing a theory of aiding and abetting against a website owner, allowing a third party to facilitate its chat function, has emboldened class action attorneys in California. If your company is facing a “session-replay” or “chat-wiretapping” legal threat, Buchanan is here to help.

Session-Replay Cases

Session-replay software allows website operators to record mouse movements, keystrokes, and search information inputted into websites, as well as pages and content viewed. In this way, session-replay software allows a website operator to “replay” a visitor's journey on a website or within a mobile or web application. Rather than focusing on user activity after leaving a particular website, session-replay software focuses on how a user interacts with a specific website. Marketing departments are increasingly using it to better understand the users' experiences and gain visibility into the bugs, errors, or confusing moments they may encounter.

The current jump in lawsuits has been spurred by a recent Third Circuit decision, Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022). There, the court reinstated a Pennsylvania plaintiff's claims of unlawful surveillance after shopping on Harriet Carter's website while co-defendant NaviStone's session-replay software was installed on that website. Popa's lawsuit attempted to apply Pennsylvania's Wiretapping and Electronic Surveillance Control Act (WESCA), a decades-old wiretapping law, against Harriet Carter and NaviStone, arguing that defendants violated WESCA by simultaneously sending her interactions with Harriet Carter's website to NaviStone. While the District Court originally dismissed the case, finding that WESCA did not apply, the Third Circuit disagreed and remanded the case for further proceedings.

Class action lawyers have now filed a spate of similar lawsuits in Pennsylvania and elsewhere against a wide range of companies claiming that session-replay software violates WESCA and other states' wiretapping statutes. If successful, these lawsuits could result in significant damages. Moreover, the plaintiffs' bar has started transferring the same tactics to companies whose websites track users' online video viewing habits, alleging similar violations of the federal Video Privacy Protection Act (VPPA).

Chat-Wiretapping Cases

Meanwhile, California courts have seen a significant uptick in putative class actions under Section 631 of California's “wiretapping” statute (California Invasion of Privacy Act (CIPA), California Penal Code Sections 630 et seq). There, plaintiffs claim that where a third-party provider of chat functionality has simultaneous, real-time access to website chat communications, without the website user's knowledge or consent, the website operator is “aiding and abetting” the third-party vendor's Section 631 violation.

There is at least some good news for website operators on this front: one court held that session-replay technology cannot form the basis of a CIPA claim because a service provider does not use the data for its own purposes; it is an extension of the website provider, and a party cannot “tap its own wire.” See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021).

But, on the other hand, in Saleh v. Nike, Inc., 562 F. Supp. 3d 503 (C.D. Cal. 2021), the court found that where a third-party software provider has simultaneous, real-time access to a customer's website communications, without the customer's consent, that third-party vendor cannot avail itself of the rule that parties to a communication cannot also be wiretappers under CIPA. Although that logic would seem to implicate the vendor as the “wiretapper” and not the website operator, the Saleh court went on to find that the website operator “aided and abetted” the violation, creating a real risk for website operators embedding chat software to communicate with California customers. Id. at 520-21.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.