Seyfarth Synopsis: In 2022, the Third Circuit Court of Appeals revived a class action lawsuit asserting violations of the Pennsylvania Wiretapping and Electronic Surveillance Control Act ("WESCA"). The lawsuit alleged that an online retailer and its marketing agency violated WESCA by tracking visitors' activity on the website through the use of session replay code. Following the Third Circuit's ruling that WESCA does not contain an exception for direct parties to a communication, plaintiffs across the country have begun filing similar lawsuits against companies whose websites use this type of tracking software. As businesses examine the privacy landscape in 2023, it is important to recognize and monitor this novel legal theory.

What is Session Replay Code?

At the center of this recent privacy trend is a software commonly known as "session replay." From a high level, session replay is a type of technology that allows companies to track every action that a user undertakes on a website or mobile application. More importantly, though, what sets session replay code apart in the internet marketing space is its ability to recreate a user's path through the website. As its name suggests, session reply code creates for businesses a visual record of any activity by a user, including their clicks, mouse movements, scrolls, and time spent on the website or application. While session replay does not literally record user's screen, it reconstructs every user move in a visual manner that many companies find useful for internet marketing and user behavior research.

3rd Circuit Decision Leads to Flood of Wiretapping Lawsuits

One of the early lawsuits related to session replay code is entitled Popa v. Harriet Carter Gifts & Navistone, Inc., No. 2:19-cv-00450 (W.D. Pa.). In this case, the plaintiff alleged that, while she shopped for pet stairs on Harriet Carter Gifts' website, the company's marketing agency Navistone secretly "intercepted" her online activity without her consent. The lawsuit, filed on behalf of all Pennsylvania residents who used Harriet Carter's website and had their data intercepted by Navistone, alleged violations of Pennsylvania's WESCA (as well as a common law cause of action for invasion of privacy that was later dismissed).

The Pennsylvania District Court initially granted the defendants' motion for summary judgment, holding the defendants not liable under WESCA because the plaintiff and defendants were direct parties to the communications, and thus could not have "intercepted" the communication. On appeal, a Third Circuit panel reversed that decision, reasoning that WESCA contains no exception from liability for direct parties.

In its motion for summary judgment, the defendants relied on two cases where Pennsylvania courts held that law enforcement officers did not "intercept" communications because they were direct recipients of the communications at issue. According to the Third Circuit, however, these decisions lost their precedential value in 2012 when the Pennsylvania legislature amended WESCA to clarify that the "direct recipient" exception only applies to law enforcement officers with prior approval from a supervisor. The defendants also sought summary judgment on two separate grounds-on jurisdictional grounds because Navistone did not intercept the data in Pennsylvania (but outside of the state), and on the basis that plaintiff consented to any interception by accepting the website's privacy policy-but the Third Circuit found these issues more appropriate for the District Court on remand.

After the Third Circuit's decision in Popa, a flood of wiretapping class actions were filed in Pennsylvania. Moreover, because the Third Circuit opted not to opine on the jurisdictional component of Popa, these subsequent complaints have also alleged wiretapping violations against businesses throughout the country (i.e., against businesses in every state).

This decision also fueled the expansion of wiretapping lawsuits under similar state and federal statutes that have spread to numerous states across the country. Plaintiffs also have raised these claims under broader state tort laws and statutes, including the California Invasion of Privacy Act, which allows consumers to recover damages of up to $5,000 per violation.

Implications for Businesses

Session replay lawsuits are flooding courts across the country, and these claims are evolving. Despite the marketing and customer research benefits associated with session replay, businesses using this software should keep a close eye on the privacy space as this trend continues to develop. Businesses everywhere also should pay close attention to their user tracking methods utilized on websites and mobile applications as well as their policies and procedures for consent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.