Website session replay technology continues to fuel class action litigation alleging violations of anti-wiretap laws in all-party consent states. In 2021, we issued an alert highlighting that session replay lawsuits were beginning to gain traction. Plaintiffs filed even more cases in 2022, and such class actions present legal risk for any company using session replay technology or other technology that captures a website user’s communications without their consent in states where all parties to a communication are required to give consent under applicable anti-wiretap laws. Collecting a consent for online tracking (including for a company’s use of session replay technology) is the best way to reduce a company’s risk of litigation alleging violation of anti-wiretap laws.
Session replay tools record a person’s entire interaction with a website or mobile application, including details such as mouse movements, clicks, keystrokes, and even text entered in an entry field that is deleted before submission. While this technology is relatively new, the laws used by plaintiffs’ lawyers to bring session replay cases are not.
The lawsuits allege that session replay technology used on websites/apps violates state anti-wiretapping laws in states like California, Florida, and Pennsylvania that require all parties to a communication (traditionally a telephone call) to consent to the communication being recorded. About a dozen states have all-party consent laws – the states potentially in play vary depending on the specific facts.
For now, let’s keep our focus on California due to the surge of anti-wiretap cases there in 2022.
California’s “Two-Party Consent” Anti-Wiretapping Statute
The session replay class action cases in California are generally brought under the California Invasion of Privacy Act (“CIPA”), among other causes of action. This 1967 law prohibits reading, attempting to read, or learning the contents of a communication without the consent of all parties to the communication. CIPA allows for a private right of action with no burden to prove actual damages, and allows for statutory damages, making CIPA an attractive mechanism for class action litigation.
In 2022, the Ninth Circuit Court of Appeals held that CIPA applies to internet communications, Javier v. Assurance IQ, LLC, 21-16351, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022), thus greenlighting the plaintiff’s bar to bring more lawsuits against website operators that intercept their users’ interactions with the website without adequate consent.
Get Proper Consent to Reduce Legal Risk
If your website uses session replay technology or other technology that captures a website user’s communications without their consent in states where all parties to a communication are required to give consent under applicable anti-wiretap laws, obtaining website users’ consent for such tracking reduces legal risk. Companies should obtain consent for session replay at the outset of a user’s interaction with the website.
It is also important to ensure that a record of user consent is saved should the need arise to prove that user consent was given. Many companies outsource this task by selecting a vendor that will store consent on the website publisher’s behalf.
Some Examples of Recent Litigation
The Ninth Circuit held that CIPA requires prior consent. By the time Mr. Javier had clicked the “View My Quote” button, the session replay software had already been recording his activities. His consent was given after-the-fact and, therefore, it was given too late. The case was remanded to the District Court for further proceedings. Earlier this month, the District Court dismissed the case, holding that the plaintiff’s claim was time-barred, but allowed the plaintiff to amend his complaint to satisfy the statute of limitations.
Companies that use session replay technology should collect consent at least from users in all-party consent states like California, Florida, and Pennsylvania to reduce potential exposure under state anti-wiretap statues. Such companies should also monitor legal developments. The Javier case, if decided on the merits, will likely provide additional guidance on what proper consent looks like.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.