In May 2022, the Ninth Circuit Court of Appeals held that prior express consent must be obtained in order to legally record a user's website visit or risk violating Section 631(a) of the California Invasion of Privacy Act (commonly known as the State's "wiretapping" law).

In Javier v. Assurance IQ, LLC, Plaintiff visited Assurance's website for the purpose of requesting an insurance quote. The Court noted that "Unbeknownst to Javier, Trusted Form [the company hired by Assurance to record user's interactions with the website] captured in real time every second of his interaction with Nationalfamily.com and created a" video recording of his website visit. In light of the absence of a decision by the California Supreme Court on what constitutes valid consent under Section 631, the Ninth Circuit reversed the decision of the lower court and held that Section 631(a) requires prior consent of all parties to a recorded communication, not retroactive consent.

JAVIER: The Match that Lit the Fuse

While the Ninth Circuit ruled on the narrow issue of retroactive consent, the Ninth Circuit left open other issues, such as whether Javier impliedly consented to the collection of his data. Having left this door open, it is no surprise that the plaintiffs bar has proceeded to file copycat lawsuits with the hope of piggybacking on the success of the Javier ruling.

In addition to the potential expansion of Javier, it now appears that other circuits will be following the Ninth Circuit decision as evidenced by a recent Third Circuit case.

In Popa v. Harriet Carter Gifts, Inc., the Plaintiff used her iPhone to visit the Harriet Carter Gifts website. Upon entering the site, she willingly provided her email address in response to a pop-up request. While Plaintiff was on notice that her information was being collected by Harriet Carter Gifts, she was unaware that her browser was also communicating with NaviStone, a third-party marketing company working with Harriet Carter Gifts. It seems that upon accessing the website, Plaintiff's browser sent a "GET request" to both the Harriet Carter Gifts server, as well as the NaviStone server. Java script code was then sent back to Plaintiff's browser, which allowed both parties to essentially record Plaintiff's website visit and capture her information. When Plaintiff later learned of this, she sued Harriet Carter and NaviStone for, among other things, violating Pennsylvania's Wiretapping and Electronic Surveillance Control Act ("WESCA").

The underlying district court found in favor of Defendants on the WESCA claims. On appeal, the Third Circuit reversed and remanded the case.

Perhaps most importantly insofar as the Internet marketing industry is concerned, on remand, the district court will be tasked with deciding whether Popa provided prior consent to the recording at issue. The main argument relied on by Defendants on this issue is that: (1) Popa impliedly consented to the recording because the website privacy policy specifically allowed Harriet Carter Gifts to share customer information with third parties; and (2) even if Popa saw the privacy policy, this is irrelevant, as prior consent under Pennsylvania law does not require actual knowledge. In light of the fact that Pennsylvania (like California) is a two-party consent state; however, it appears likely that the district court may well follow the decision arrived at by the Ninth Circuit in Javier.

How to Avoid Getting Burned When it Comes to Website Visit Recordings

While the plaintiffs in Popa and Javier may have won their respective early battles, the war continues. In the interim, copycat lawsuits are likely to be filed. Both decisions make clear that businesses are free to continue using third-party service providers to assist in website visit recording, provided that consent from consumers is first obtained to do so.

What happens if a marketing company does not obtain consent prior to recording a website visit? Unlike a violation of the Telephone Consumer Protection Act, the breach of wiretapping laws is technically a criminal offense. For example, a violation of California Section 631 is punishable by a fine of up to $2,500 (or $10,000 for repeat offenders), jail time, or both a fine and imprisonment.

Currently, there is no required singular way under the various laws for businesses to ensure compliance. However, there are things that businesses can do to protect themselves from ending up on the receiving end of a Javier type of lawsuit.

Regardless of what jurisdiction is concerned, the best way for a business to protect itself is to ensure up front consent before engaging in any sort of session replay recording. While it is not yet clear how every circuit will rule on the issue, best practices dictate including consent language above the "submit" button, as well as in the website privacy policy itself. This consent language should also make clear to consumers the names of the actual third-party vendors and service providers who assist with site recording.

Related Blog Posts:

Trusted Form Wiretap Case Sows TCPA Confusion

New FTC Data Privacy Laws?

Website Wiretapping Suit Dismissed in Florida

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.