New Class Action Trend: Website Session Replay Tools Alleged to Violate All-Party Consent Recording Requirements

“This call may be recorded for quality assurance or training purposes.” We have all heard the outgoing announcement while on hold. One benefit of this announcement is that this common courtesy is part of good customer service, that is, to inform the user of the fact of the recording. In truth, however, it is most important because through the announcement, the caller provides implied consent to the recording, as the caller ostensibly has the option of hanging up or requesting that the agent turn off the recording feature. This consent to record the phone conversation is crucial for compliance with certain states’ laws that legally require all parties to a call to consent to its recording (sometimes called “two-party consent” although these state laws require all parties to the call to consent (“All-Party Consent”)). Companies that fail to obtain all party consent to recording phone calls violate the laws in these states. 

Creative class action lawyers are now alleging that website “session replay” tools violate these same All-Party Consent state laws. Session replay tools allow for the recording of a person’s entire interaction with a website and mobile application, including all details such as mouse movements, clicks, keystrokes, and even text entered into an entry field that is deleted before clicking submit. These tools are used to help website owners with website design, user interface updates, marketing, and in other ways to enhance their users’ website or mobile app experience.  

The class action lawsuits allege that companies utilizing session replay tools violate the state All-Party Consent laws because users do not provide their consent to the recording of their online usage session. Major retailers, including The Home Depot, Frontier Airlines, WebMD, and T-Mobile, have been the targets of such lawsuits under Florida’s All-Party Consent law, the Security of Communications Act. Similar lawsuits have also been filed under California’s law, the California Invasion of Privacy Act. Some claims have been brought against providers of session replay technology in addition to the providers’ retail customers.

Quantum of Consent

California and Florida are among the 12 or 13 states (the number varies depending on the specific situation) whose laws require All-Party Consent for the recording of a call by a device before any party may record the communication. The ultimate outcome of these new class action cases will depend on how the courts interpret website usage – if using a website qualifies under the state law as an electronic communication, as defined by the state law, then it may follow that use of session replay tools to record the website interaction would require consent from the user prior to deployment of the session replay recording technology (subject to the recording also meeting other statutory requirements for a violation). 

These lawsuits are in the early stages of litigation, and courts have yet to offer any substantive rulings on whether All-Party Consent laws apply to session replay tracking (i.e., whether recording mouse movements and other online interactions qualify as a “communication”). For example, defendants in a similar context have successfully argued under California law that certain online tracking is not subject to wiretap laws since software, rather than a “device” (as required by the applicable statute), is used perform the tracking. That defense might also prove effective against claims brought under the Florida statute because the Florida Security of Communications Act requires the use of a device for a recording to violate the statute.

Collecting Consent Using Session Replay Tools is not Mission Impossible

Organizations that use session replay tools should consider collecting express consents from visitors to their websites or mobile apps as one option to preempt potential claims that the organization recorded a “communication” without sufficient consent. Organizations may collect such consent through a pop-up banner requesting a user’s affirmative click consent prior to deploying the technologies, which may require requesting the consent prior to a web browser’s interaction with a website. To tie the consent to a description of the tracking, the consent should link to an updated cookie policy and/or updated privacy policy that accurately describes the session replay tools. By revising the website policies and obtaining consent, a company may materially limit its legal risks of getting targeted by these class action lawsuits.  

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their