20 October 2023

Internet Privacy Litigation Continues To Create Uncertainty For Websites Using Third-Party Technology While Expanding To More States

Goodwin Procter LLP


At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
The Authors previously published the below client alert on June 8, 2023, analyzing privacy litigation under the California Invasion of Privacy Act (CIPA) and other wiretap statutes in Pennsylvania and Maryland.
United States Media, Telecoms, IT, Entertainment
To print this article, all you need is to be registered or login on

The Authors previously published the below client alert on June 8, 2023, analyzing privacy litigation under the California Invasion of Privacy Act (CIPA) and other wiretap statutes in Pennsylvania and Maryland. We provide this update to include analysis from recent decisions from Massachusetts, subsequent to our publication, which have broad implications for the nationwide scope of this litigation. Companies should know that more and more of these lawsuits are arising throughout the country, under both federal and state law. In addition to the states above, lawsuits have been filed in Washington, Illinois, Florida and other states.

The pace of internet consumer privacy class action litigation is skyrocketing. Remarkably, no specific legislative change in the law triggered the increase in litigation. Instead, the driver of this litigation explosion — in particular litigation under the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630, et seq. — follows two recent appellate court decisions involving whether a website's use of third-party technology can constitute an unlawful wiretap or eavesdropping under state law. The key issue lower courts at the federal and state level are grappling with following those decisions is how to treat third-party technology used by a website operator to enhance the consumer experience— such as session replay, keystroking, or chatbot technology. Courts consider whether the third-party technology provider is (a) a direct party to any communications or interactions by the consumer, (b) simply a tool used by the website operator, or (c) a third party that unlawfully intercepts such communications when not disclosed to the consumer. Courts addressing these issues are reaching opposing and divergent decisions, often on the same claims and technology, leading to uncertainty for companies.

The plaintiffs' bar — fueled by the potential recovery of high statutory damages that can reach $5,000 per violation — has seized on the opening provided by the appellate courts, filing dozens of consumer class actions, predominantly in California. Given recent developments making its statute potentially more plaintiff-friendly, Massachusetts may be developing into a prominent secondary forum. The targets of these lawsuits are companies in almost any consumer-facing industry. For instance, clothing retailers, tire companies, financial institutions, and online jewelry retailers have all been targets. No industry or company is safe from being targeted until such time as there is clarity in the law. Until then, companies should learn the risks presented by these lawsuits and take affirmative steps to reduce their profile as potential targets.

Two Appellate Decisions Sparked the Wave of Litigation

The current spate of consumer class action privacy litigation follows two 2022 decisions from federal appellate courts. First, the Ninth Circuit held in Javier v. Assurance IQ, LLC, 2022 WL 1744107(May 31, 2022), that consent to a website session recording technology cannot apply retroactively. In that lawsuit, the plaintiff alleged an unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA). The district court granted summary judgment because the consumer agreed to the website's terms of use (and consented to the use of the recording technology) when completing an online submission form. The Ninth Circuit overturned that decision, holding that the recording began as soon as the consumer visited the website, so her consent to that recording could not be captured later, after the fact.

Second, the Third Circuit's decision in Popa v. Harriet Carrier Gifts, Inc., 52 F.4th 121 (3d Cir. 2022) held that a party to a conversation can be liable for its own "interception" of (i.e., eavesdropping on) that conversation in violation of Pennsylvania's Wiretapping and Electronic Surveillance Control Act. The company in Popa used a third-party technology to track consumer interaction with the company's website. Plaintiff alleged this was an unlawful wiretap and interception. In overturning summary judgment in favor of defendants, the Third Circuit relied on a change in the law from a decade earlier by the Pennsylvania Legislature to hold that there was no longer a "party exception" to the statute's consent requirement for an interception, meaning that a website provider could be held liable for intercepting a communication where it is a party.

Following these decisions, enterprising plaintiffs' attorneys have sought to repurpose decades-old state wiretapping and eavesdropping statutes passed during the Cold War era (like CIPA) to generate claims arising from the use of 21st-century internet and website technologies intended to aid companies in enhancing the consumer experience. For example, a plaintiff in Maryland sued a prominent restaurant chain alleging violations of the Maryland Wiretapping and Electronic Surveillance Act, Md. Code Ann., Cts. & Jud. Proc. § 10-401, a 1970s-era statute, based on the alleged collection of her communications with the chain's website using session replay technology. See Curd v. TCF Co. LLC, No. 1:23-cv-472-JMC (D. Md. Feb. 21, 2023). Session replay technologies are widely used to understand consumer interaction with websites, test new products or services, and protect against fraud and abusive TCPA and other litigation.

Class action litigation has surged the most in California. The plaintiffs' bar has been emboldened by recent successes from claims asserted under CIPA, frequently the wiretapping provisions of Section 631, and by courts' continued inconsistent application of this decades-old law to modern-day technology. These claims are in vogue in large part due to some federal courts' unwillingness to dismiss claims at the Fed. R. Civ. P. 12(b)(6) stage. The result has been a growing class of repeat professional plaintiff "testers" who deliberately seek out allegedly noncompliant websites for purposes of sending settlement demand letters under the threat of filing class action lawsuits. For instance, on February 3, 2023, the US District Court for the Central District of California denied a CIPA defendant's motion to dismiss in Byars v. Goodyear Tire & Rubber Co., No. 5:22-cv-01358-SSS-KKx (C.D. Cal.).

But Goodyear represents a split in authority — not a unanimous trend. Indeed, the same plaintiff (with the same counsel) recently lost a motion to dismiss in another CIPA case against Hot Topic. Byars v. Hot Topic, Inc., No. 22-1652-JGB-KKx (C.D. Cal.). While California courts continue to struggle with applying CIPA, and with no relief from the appellate courts on the horizon, the best strategy for companies is to obtain consent and robust disclosures, if for no other reason than to warn would-be plaintiffs that the company is not an easy target.

The California Invasion of Privacy Act

CIPA Section 631(a) prohibits "wiretapping," specifically: "Any person who . . .intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument . . .; or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit or passing over any wire, line, or cable or is being sent from, or received at any place within this state." Section 631(a) also imposes liability on any person "who aids, agrees with, employs, or conspires with any person" who violates the wiretapping prohibition.

Courts addressing Section 631 claims have identified potential liability for a party in any of four ways: (1) intentional wiretapping; (2) willfully reading or attempting to read the contents of any messaging over wire; (3) attempting to use or communicate information obtained as a result of either of those two things; or (4) aiding or abetting someone in violation of the prior three bases for liability. Because CIPA contains an exemption for direct party liability — meaning a party cannot wiretap or eavesdrop on its own conversation — it has been the fourth, aiding and abetting, prong driving the recent wave of CIPA consumer class action litigation. Under that prong, companies are being sued for employing third-party technology on their websites that may track or record consumer communications or interactions with the website. Litigants assert that by using such technology, the website is aiding and abetting in the third-party technology provider's unlawful wiretapping.

Litigants are also pursuing claims under CIPA Section 632.7, which prohibits the interception of "a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone." The theory of Section 632.7 claims is that the use of a smartphone that can access the internet falls within the statute's coverage. Here again, courts are split in the application of such claims to this modern technology and whether this was intended by the California Legislature.

Above all else, the main driver of CIPA class actions is the $5,000 "per violation" or "[t]hree times the amount of actual damages" recovery provided for under Section 637.2.

California Courts Remain Split on How to Apply CIPA

The key issues that California courts — and, more particularly, California judges — are struggling to determine is whether third-party technology imbedded on websites to facilitate online chats, keystroking recording, or website analytics is (a) a third-party interception by the technology provider requiring prior consent of the consumer; (b) a technology simply being used as an extension of the host, so there is no third party and no consent required; or (c) a direct party to the communication such that there is no interception. Courts are also struggling with whether the nature of the communications — information submitted through a chat feature or on a website, or the user's actions taken on the website — is the type of confidential communication the legislature necessarily sought to protect or is outside the scope of the CIPA.

Contents of Communications
In Byars v. Goodyear Tire & Rubber Co. (C.D. Cal. Feb. 3, 2023)), the plaintiff (a repeat filer of CIPA class actions) alleged (1) that she visited Goodyear's website using her smartphone; (2) that, while there, she utilized Goodyear's chat feature; and (3) that Goodyear utilized a third-party chat service that "allows Goodyear to record and transcribe private conversations." Based on these allegations, she argued that Goodyear "aids, agrees with, employs, or conspire[d]" to violate the wiretapping provision of CIPA Section 631(a), and that her communications through the chat feature violated CIPA Section 632.7. Goodyear unsuccessfully moved for dismissal.

On the Section 631(a) claims, Goodyear argued that the plaintiff failed to adequately plead the "contents" of the subject communications. Without "contents" of a communication, there would be nothing for Goodyear's third-party chat provider to eavesdrop on — and thus, no liability for Goodyear as an aider or abettor. "Under the [federal] Wiretap Act, 'contents' is defined as 'any information concerning the substance, purport, or meaning of a communication.'" Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 517 (C.D. Cal. 2021). Specifically excluded from this definition of contents are "record information" that is "generated in the course of the communication," which includes "name, address and subscriber number or identity of a subscriber or customer." Goodyear argued that the plaintiff's bare allegations that she communicated with the chat feature — of a tire website, no less — did not plausibly allege the provision of any "content" beyond such "record information," and therefore, her allegations were insufficient to state a claim under Section 631(a).

The court rejected that argument principally because it held that "there is no requirement that [plaintiff] specifically allege the exact contents of her communications." Instead, the court held that the bare allegation that "website visitors share sensitive personal information" was enough at the pleading stage to survive a motion to dismiss (no matter that the "sensitive personal information" was shared at a website promoting the sale of automobile tires). This is despite the fact that the court agreed that "contents" as used in CIPA and the Wiretap Act "is not intended to include record information such as the name, address or subscriber information of a website user" and so a plaintiff "needs to show that the contents were not record information, such as her name and address."

This holding evinces a split in authority among California federal district courts on the allegations sufficient to plead "contents." Some courts follow the lax pleading requirements exemplified by Goodyear. These cases, exemplified by Saleh v. Nike, Inc., and others, consider "contents" to include "the date and time of the [plaintiff's] visit [to the website], the duration of the visit, Plaintiff's IP address, his location at the time of the visit, his browser type, and the operating system of his device." See Katz-Lacabe v. Oracle America, Inc., 2023 WL 2838118 (N.D. Cal. April 6, 2023) (finding plaintiff adequately pled contents by alleging defendant captured "referrer URLs" and "data entered into forms").

Others, like the court in Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021), have been willing to dismiss allegations that are solely "predicated on non-content information." See Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1082-83 (C.D. Cal. 2021) (dismissing claims for failure to allege "content" was intercepted). These courts have explicitly held that allegations about "the date and time of the visit, the duration of the visit, Plaintiff's IP address, her location at the time of the visit, her browser type, and the operating system of her device" are not "contents" for the purposes of CIPA. This split among the district courts, and courts within the same district, is keeping the door open to more CIPA consumer class action litigation.

The Interception of Communications
Unsurprisingly, based on its holding with respect to the "contents" of the communications, the Goodyear court likewise did not require that the plaintiff plead any specific allegations to plausibly allege that the communications were "intercepted while in transit" as required to state a claim under Section 631(a). Instead, the Court held that allegations of the website's use of a third party's chat technology that "intercepts in real time" a website visitors' conversation "must be taken as true at this stage."

Other courts have not been so generous to plaintiffs who fail to allege the means and location of the originating and terminating communications. For instance, mere weeks before the decision in Goodyear, another California federal district court held that CIPA Section 631(a) "concerns telephonic wiretapping specifically, which does not apply to the context of the internet." Williams v. What If Holdings, 2022 WL 17869275, at *2 (N.D. Cal. Dec. 22, 2022). In dismissing the plaintiff's claims, the Williams court cited the decision in In re Google Assistant Privacy Litigation where the court recognized that "California courts have often distinguished the essential concepts of eavesdropping under [CIPA § 632] and wiretapping under [CIPA § 631] on the ground that eavesdropping" does not require a physical connection whereas wiretapping does. See also Licea v. Cinmar, LLC, 2023 WL 2415592 (C.D. Cal. March 7, 2023) ("Courts have consistently interpreted [section 631(a)] as applying only to communications over telephones and not through the internet.").

In another divergent decision just two weeks after Goodyear in a case also brought by Byars — Byars v. Hot Topic, Inc. (C.D. Cal. Feb. 14, 2023) — the same California court (different judge) came to the opposite conclusion regarding a clothing store's use of a third-party chat service. In Hot Topic, the court concluded from virtually the same generic allegations as in Goodyear that the third-party chat feature was a "tool" and no more than an "extension" of the website provider. As such, the court held there was no plausible allegation of an unlawful third-party interception and rejected plaintiff's aiding and abetting theory of liability against Hot Topic.

Significant to the court's decision was its conclusion that the complaint's allegations "and inferences that can be drawn from them demonstrate that Defendant uses a third-party vendor to 'record and analyze its own data in aid of [Defendant]'s business,' not the 'aggregation of data for resale.'" That is, the court was comfortable that the third-party chat technology was an extension of Hot Topic (a party to the communication) and fell within the party exception to a CIPA wiretapping claim because there was no plausible allegations that the third-party chat provider was using recorded messages for its own alternative marketing or financial gain outside of providing the chat feature to Hot Topic. In so holding, the court relied upon a similar conclusion in Graham.

CIPA Section 632.7 May Apply to Smartphone Internet Use
Goodyear also challenged the plaintiff's claims under CIPA Section 632.7 because, as alleged in the complaint, plaintiff's alleged chat with Goodyear occurred via her smartphone connected to the internet (i.e., not between telephones). The court rejected this argument, too. It held that the alleged chat fell within the communications covered by Section 632.7 because "smartphones are cellular phones with web capabilities" and users of the Goodyear website "had a reasonable expectation of privacy."

In contrast, the Hot Topic court rejected the same argument and dismissed the same claim. Following the plain language of § 632.7, the court held that "[t]he unambiguous meaning of the statute is thus that it only applies to communications involving two telephones." Similarly, the court in Valenzuela v. Keurig Green Mountain, Inc., 2023 WL 3707181, (N.D. Cal. May 24, 2023), recently dismissed a Section 632.7 claim concerning the use of a chat feature from a smartphone, holding that this subsection of CIPA "unambiguously limits its reach to communications between various types of telephones. Plaintiff makes no persuasive argument the statute contemplates internet communications between a smart phone and an unspecified device on Defendant's end."

The Goodyear court's expansive interpretation of the reach of Section 632.7 creates yet another split in authority and has been repeated in later cases. See Licea v. Old Navy, LLC, 2023 WL 3012527 (C.D. Cal. Apr. 19, 2023). In reaching its conclusion, the Goodyear court appears to have expansively interpreted Brown v. Google, 525 F. Supp. 3d 1049 (N.D. Cal. 2021), as having held that CIPA Section 632.7 could apply to internet communications, where Brown dealt only with CIPA Section 632(a), a wholly different provision that prohibits eavesdropping on "confidential communications." This is a remarkable conclusion given that California state courts have yet to address whether Voice Over Internet Protocol (VoIP) phones (let alone the internet generally) qualify as "landline, cellular, or cordless phones" for purposes of liability under Section 632.7. See Gruber v. Yelp¸ 55 Cal. App. 5th 591, 611-613 (2020).

Massachusetts – Potentially Broader than CIPA

The plaintiffs' firms seeking to reimagine California Wiretapping and Eavesdropping statutes have taken the same playbook to Massachusetts, specifically targeting the Massachusetts Wiretap Act, M.G.L. c. 272 § 99. The Massachusetts Wiretap Act prohibits (1) willful interception; (2) attempt to commit an interception; and (3) "procur[ing] any other person to commit an interception or to attempt to commit an interception" "of any wire or oral communication." M.G.L. c. 272 § 99(C)(1). Under the Act, "interception" means "to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device." Id. § 99(B)(4). "Contents" in turn "means any information concerning the identity of the parties to [wire or oral] communication or the existence, contents, substance, purport, or meaning of that communication." Id. § 99(B)(5). An "intercepting device" is defined as "any device or apparatus which is capable of transmitting, receiving, amplifying, or recording a wire or oral communication . . . other than any telephone or telegraph instrument, equipment, or component thereof, (a) furnished to a subscriber or user by a communications common carrier in the ordinary course of business under its tariff and being used by the subscriber or user in the ordinary course of business; or (b) being used by a communications common carrier in the ordinary course of its business." Id. § 99(B)(3).

In, Alves v. BJ's Wholesale Club, Inc., 2023 WL 4456956 (Mass. Super. June 21, 2023), the plaintiff alleged that a grocery store chain violated the Massachusetts Wiretap Act by utilizing session replay to record his "mouse movements, clicks, keystrokes (such as text being entered into an information field or text box), URLs of web pages visited, and/or other electronic communications." The Superior Court of Suffolk County denied the defendant's motion to dismiss pursuant to Massachusetts' equivalent of Rule 12(b)(6). The court rejected the defendant's arguments (1) that the statute does not apply to internet-based communications, (2) that any recording did not capture the "contents" of a communication with plaintiff; and (3) that session replay is not an "intercepting device" under the statute. First, the court rejected defendant's argument that the Act did not cover the internet-based communications at issue. Because there was not a Massachusetts decision on point, the court analogized to the California cases of Hammerling v. Google Inc., 615 F. Supp. 3d 1069 (N.D. Cal. 2022) and Revitch v. NewMoosejaw, LLC, 2019 WL 5485330 (N.D. Cal. Oct. 23, 2019), and concluded that "Internet-based interactions" fall under the Massachusetts Wiretap Act.

Second, the court rejected the defendant's argument that "keystrokes, clicks, mouse movements, URLs, and other data allegedly recorded by" session replay technology are not "contents" under the Massachusetts Act. In so doing, it held that the Massachusetts Wiretap Act's definition of "contents" was broader than CIPA and the federal Wiretap Act. The court reached this conclusion because the Massachusetts definition of "contents" includes "information concerning the identity of the parties" and "the existence . . . of that communication." M.G.L. c. 272 § 99(B)(5). Based on the recency of this decision, the implications of such a potentially broad interpretation of "contents" under the Massachusetts Wiretap Act have not been fully realized. As of this writing, the Authors have identified no other decisions relying on or rejecting the expansive interpretation in BJ's Wholesale., which for now is limited to this single interpretation by a Superior Court judge and thus has no binding and minimal persuasive value.

Finally, the court also held that session replay technology constituted an "intercepting device" under the statute. The court rejected the defendant's analogy of session replay technology to an internet "cookie" and instead held that session replay was closer to a "key logger" which another court from 2011 had held was an "intercepting device." The court refused to read the exceptions for "telephone or telegraph instrument, equipment, or component thereof" to apply to "software."

Federal court defendants have so far been successful at fending off Plaintiffs use of the Massachusetts Wiretap Act through a lack of personal jurisdiction defense. See Rosenthal v. Bloomingdale's, Inc., 2023 WL 5179506 (D.Mass. Aug. 11, 2023); Alves v. Goodyear Tire & Rubber Co., 2023 WL 4706585 (D. Mass. July 24, 2023). The District of Massachusetts has been unwilling to assert jurisdiction over these defendants because all of the activities giving rise to the dispute—i.e., the "operation of [the subject websites], the licensing and procurement of Session Replay Code technology, and the gathering and usage of user data—undisputedly all took place outside Massachusetts" (2023 WL 4706585, at *1) and, thus, the alleged activity lacked a "'demonstrable nexus' between the plaintiff's claims and [the defendants' website[s]" (2023 WL 5179506, at *3). Consequently, the potential breadth of the Massachusetts Wiretap Act, for now, appears limited to in-state technology providers.

How Companies Can Protect Against the Evolving Maze of Internet Privacy Litigation

For now, this split among California courts and continued uncertainty in interpreting CIPA means peril for companies operating consumer-facing websites. The Goodyear decision and others since give plaintiffs' lawyers precedent to avoid well-founded motions to dismiss through artful pleading and vague allegations. On the other hand, decisions like Williams and Hot Topic show that some judges and courts are willing to apply proper statutory interpretation to CIPA claims and keep businesses that are operating lawfully from falling victim to frivolous CIPA class actions. Companies operating websites in California should be aware of the wide-ranging implications that these decisions have for them and their potential liability under CIPA. A proper compliance and defense strategy is key to mitigating the risk of protracted litigation.

For instance, when deploying third-party chat features, companies should consider beginning each unique chat with a disclosure informing the consumer that the chat is being recorded through the use of the particular third-party service. Likewise, until there is further clarity in the law, when using keystroking, session replay, and similar technologies, companies should consider pop-up disclosures informing website users their interactions are being monitored and recorded. While such disclosures may eventually prove unnecessary, for the time being they can help avoid the immense cost being foisted upon companies through the current wave of CIPA class action litigation.

Meanwhile, companies operating websites in Massachusetts, and particularly those based in the state, should be aware of the potentially expansive definition of "contents" under the Massachusetts Wiretap Act and the BJ's Wholesale court's holding that session replay technology is an "intercepting device." Watch this space as more courts weigh-in on the Massachusetts Wiretap Act's interpretation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More