In May 2022, the Ninth Circuit Court of Appeals held that prior express consent must be obtained in order to legally record a user's website visit; recording without it risks violating Section 631(a) of the California Invasion of Privacy Act (commonly known as the State's "wiretapping" law).
In Javier v. Assurance IQ, LLC, Plaintiff visited Assurance's website for the purpose of requesting an insurance quote. The Court noted that "Unbeknownst to Javier, Trusted Form [the company hired by Assurance to record users' interactions with the website] captured in real time every second of his interaction with Nationalfamily.com and created a" video recording of his website visit. In light of the absence of a decision by the California Supreme Court on what constitutes valid consent under Section 631, the Ninth Circuit reversed the decision of the lower court and held that Section 631(a) requires prior consent of all parties to a recorded communication, not retroactive consent.
JAVIER: The Match that Lit the Fuse
While the Ninth Circuit ruled on the narrow issue of retroactive consent, it left open other issues, such as whether Javier impliedly consented to the collection of his data. Having left this door open, it is no surprise that the plaintiffs' bar has proceeded to file copycat lawsuits with the hope of piggybacking on the success of the Javier ruling.
In addition to the potential expansion of Javier, it now appears that other circuits will be following the Ninth Circuit's decision, as evidenced by a recent Third Circuit case.
In Popa v. Harriet Carter Gifts, Inc., the Plaintiff used her iPhone to visit the Harriet Carter Gifts website. Upon entering the site, she willingly provided her email address in response to a pop-up request. While Plaintiff was on notice that her information was being collected by Harriet Carter Gifts, she was unaware that her browser was also communicating with NaviStone, a third-party marketing company working with Harriet Carter Gifts. It seems that upon accessing the website, Plaintiff's browser sent a "GET request" to both the Harriet Carter Gifts server and the NaviStone server. JavaScript code was then sent back to Plaintiff's browser, which allowed both parties to essentially record Plaintiff's website visit and capture her information. When Plaintiff later learned of this, she sued Harriet Carter and NaviStone for, among other things, violating Pennsylvania's Wiretapping and Electronic Surveillance Control Act ("WESCA").
The underlying district court found in favor of Defendants on the WESCA claims. On appeal, the Third Circuit reversed and remanded the case.
How to Avoid Getting Burned When it Comes to Website Visit Recordings
While the plaintiffs in Popa and Javier may have won their respective early battles, the war continues. In the interim, copycat lawsuits are likely to be filed. Both decisions make clear that businesses are free to continue using third-party service providers to assist in website visit recording, provided that consent from consumers is first obtained to do so.
What happens if a marketing company does not obtain consent prior to recording a website visit? Unlike a violation of the Telephone Consumer Protection Act, the breach of wiretapping laws is technically a criminal offense. For example, a violation of California Section 631 is punishable by a fine of up to $2,500 (or $10,000 for repeat offenders), jail time, or both a fine and imprisonment.
Currently, the various laws do not prescribe a single required way for businesses to ensure compliance. However, there are things that businesses can do to protect themselves from ending up on the receiving end of a Javier-type lawsuit.