In today's world, information is key to ensuring a good customer experience. Especially in the post-COVID digital age, shoppers have come to expect retailers to provide easy-to-navigate, bug-free, quick-moving digital platforms, and instantaneous responses to customer service inquiries. This is accomplished through data collection. Although numerous retailers have turned to session-replay and chatbot technology to optimize their websites and meet customer demand, these software systems have been hit by a tidal wave of recent lawsuits and lawsuit threats, alleging that the use of these technologies, without customer consent, amounts to wiretapping. 

Since December 2020, over 65 lawsuits have been filed, in addition to many dozens of litigation warning letters sent to retailers. Almost 40 of these suits have been filed in California since May 31, 2022, when the Ninth Circuit Court of Appeals reversed a district court's decision granting a motion to dismiss on a session-replay case. On August 16, 2022, the Third Circuit Court of Appeals reached a similar decision, spurring additional claims in Pennsylvania. Although most of these new suits have been filed by law firms established in the website accessibility space, the steep damages at issue in these cases have led plaintiffs to expect much larger payouts than in the accessibility context. Retailers who use session-replay or chatbot technology should therefore act quickly to determine and understand potential litigation risks.

What Is Session-Replay?

Session-replay is software, usually provided by third-party vendors, that allegedly records data concerning customers' interactions with a given website. Unlike a video camera though, which records a customer or a customer's screen, session-replay collects specific actions like bounce rates, clicks, and views. These data collection points are then added to a log of the user's actions, which is used to reproduce (replay) the customer's interaction (session) with the website. These reproductions allow retailers to fix website bugs, investigate issues reported by customers, and optimize market engagement.

The Relevant Statutes

The session-replay and new chatbot suits are filed under so-called "two party consent" (or, more accurately, all party consent) statutes, which require companies to inform all parties who are part of a conversation that they are being recorded and further obtain their consent to the recording. Most notably:

  • The California Invasion of Privacy Act (CIPA), Section 631, provides that anyone who "reads, or attempts to read, or to learn the contents" of a communication "without the consent of all parties to the communication" is in violation of Cal. Penal Code § 631(a). The statute provides damages in the amount of $2,500 per violation or $10,000 per violation for repeat offenders, in addition to potential jail time.
  • Since this fall, plaintiffs have also begun bringing claims under Section 632.7 of CIPA, which focuses on cellular devices. This section provides that anyone who "without the consent of all parties to a communication, intercepts or receives and intentionally records ... communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone" violates the law. One reason plaintiffs may be trying to shoehorn their claims under Section 632.7 is that it provides for double the damages: $5,000 per violation or three times the amount of actual damages, in addition to potential jail time.
  • Pennsylvania's Wiretapping and Electronic Surveillance Control Act (WESCA) provides that a person who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication" is in violation of the law. 18 Pa. Cons. Stat. Ann. § 5703. The statute provides for both criminal and civil remedies. The civil remedy allows for actual damages, but no less than liquidated damages computed at the rate of $100 each day of violation or $1,000, whichever is higher, punitive damages, and attorney's fees and other litigation expenses.
  • The Florida Security and Communications Act (FSCA) provides that any person who "[i]ntentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, oral, or electronic communication" is in violation of the law. Fla. Stat. § 934.03. The statute provides for a minimum of $1,000 in liquidated civil damages per violation, in addition to potential prison time.

Generally speaking, plaintiffs allege that session-replay and chatbot technology amount to wiretapping under the above statutes. Specifically, they claim that a customer's interaction with a retailer's website is a "communication" between the customer and the retailer, which is being "intercepted" by the third-party vendor.

The First Wave of Session-Replay Cases

Up until 2018 or so, the vast majority of wiretapping claims involved allegations that companies recorded customer service phone calls without consent. Most of these suits were brought under Sections 632 and 632.7 of CIPA and many have settled for large sums. Earlier this year, for example, Fifth Third Bank and its vendor settled a CIPA case for a whopping $50 million; Wells Fargo settled a similar suit for $28 million.

Around 2018, lawsuits started targeting session-replay technology as a form of wiretapping, gaining momentum by 2020. These suits were generally brought in California, Pennsylvania, and Florida, and alleged that retailers and session-replay service providers violate state wiretapping statutes by recording customers' communications with retailers' websites. To be clear, the claim is not that session-replay technology violates the law—it is that retailers violate consumer privacy by using it to track them without their consent. Several of the early session-replay cases were dismissed at the motion to dismiss stage based on findings that: (1) online shopping is not a "communication" that can be wiretapped; (2) vendors are not "intercepting" anything because they are a party to the website interaction; and (3) customers do not have a reasonable expectation of privacy when online shopping.

On December 15, 2020, the Ninth Circuit held that website tracking was an "interception" of an "electronic communication", in violation of CIPA.[1] The social media platform defendant in that case allegedly tracked logged-out users to third-party websites (through its tracking cookies placed in users' browsers via plugins), and then sold that data to advertisers. Although the Ninth Circuit's decision did not involve session-replay claims, plaintiffs saw the decision as bolstering their session-replay cases and shining the light on allegedly nefarious tracking practices. This was likely due to the fact that the Ninth Circuit found that CIPA and the Wiretap Act codified a "substantive right to privacy", satisfying the injury-in-fact element needed for Article III standing. As a result, the number of new filings increased exponentially in the months after the decision. However, almost all these new cases were voluntarily dismissed, presumably because of individual settlements, and the first wave of session-replay suits trickled to a halt by September 2021.

The Ninth Circuit's Javier Decision

On May 31, 2022, the floodgates reopened for session-replay claims brought under CIPA when the Ninth Circuit in Javier v. Assurance IQ, LLC et al.[2] reversed a trial court's dismissal. Specifically, the plaintiff in Javier alleges that the defendant violated Section 631 of CIPA by using a third party, deploying session-replay technology, to record his "communication" with Assurance's website, which included capturing information that the plaintiff had typed into the website concerning his demographic and medical history.

The Javier decision does not offer much reasoning, but it does hit a few notable points. First, the court held that a plaintiff could base a CIPA claim on session-replay technology, which is a contention several district courts had previously rejected. Second, the court addressed retroactive consent, finding that the plaintiff's consent to the defendant's privacy policy after he provided his personal information was not a valid form of consent. In reversing the trial court's ruling that retroactive consent was valid, the Ninth Circuit found that CIPA prohibits companies from recording communications "without first informing all parties" of the recording.

The Rise of Chat Cases

On the heels of the Javier decision, many dozens of new wiretapping cases were filed in California under CIPA, and many dozens of other retailers received warning letters threatening similar suits (Steptoe is defending many of these actions).

Although these new cases often include allegations relating to session-replay technology, their focus is primarily on retailers' use of chatbots. Chatbot technology is used to streamline customer service inquiries by using artificial intelligence to either answer customer questions directly, or to narrow down the customer's issues before connecting them with a human customer service agent (chatbots are also used for various other tasks, but the claims focus on these two areas).

Similar to the earlier session-replay cases, the plaintiffs in these cases allege that by using third-party vendors to provide chat services, and because those vendors allegedly record and store customers' chats, retailers are facilitating wiretapping by allowing chatbot vendors to "intercept" a customer's "electronic communications" with them. Additionally, plaintiffs are raising claims alleging that retailers unfairly trick customers into thinking they are communicating with humans, when in fact the chat is being conducted by a chatbot.

Although it is easy, in theory, to analogize customer service chats (using chatbots) as being the twenty-first century version of customer service calls, the statutory basis for these claims is different. Call-recording cases are brought under Section 632.7 of CIPA. Session-replay/chatbot cases, on the other hand, are predominately brought under Section 631, although we are starting to see some Section 632.7 allegations, based on the allegation that customers are accessing websites using their cellphones.

Both sections, 631 and 632.7, present hurdles for plaintiffs. As to Section 631, although these suits claim that companies engaged in wiretapping by "recording" conversations, Section 631 does not actually mention "recording"—instead, it prohibits "reading" and "learning," neither of which is alleged in session-replay cases. For Section 632.7, plaintiffs will need to grapple with the fact that the statute requires "communication transmitted between two cellular radio telephones"—and plaintiffs generally only allege the use of one cellular device in their complaints.

As discussed by the Third Circuit, below, jurisdiction presents another hurdle for plaintiffs.

New Pennsylvania Suits Follow Recent Third Circuit Decision

On August 16, 2022, in Popa v. Harriet Carter Gifts, Inc.,[3] the Third Circuit joined the Ninth Circuit in reversing a trial court's dismissal of a session-replay case, finding Pennsylvania's Wiretapping and Electronic Surveillance Control Act (WESCA) applies to the use of session-replay technology. Like CIPA, WESCA provides that all parties involved in a communication must consent to the interception of that communication in order for it to be lawful.

In Popa, the plaintiff claims that retailer Harriet Carter violated WESCA by using session-replay technology, run by co-defendant NaviStone, to monitor her website movements. Although the plaintiff admitted to knowing that Harriet Carter was tracking her activities, she was allegedly unaware that NaviStone was also tracking her. The plaintiff claims that NaviStone violated WESCA by intercepting her communications with Harriet Carter's website, and that Harriet Carter, in turn, also violated WESCA.

The three-judge panel found that the plaintiff properly pleaded a wiretap cause of action, alleging an "interception of communication" by both NaviStone and Harriet Carter, notwithstanding the fact that the plaintiff had been communicating directly with NaviStone's servers.

Notably, the Third Circuit raised the issue of jurisdiction, finding that "interception" in session-replay cases occurs where a third party routes a communication to its own servers, which is done at the location of the plaintiff's browser, rather than "where the signals were received at NaviStone's servers". In Popa, the plaintiff failed to specify crucial facts required for this analysis, including: (1) where her browser accessed Harriet Carter's website, and (2) where "NaviStone's JavaScript began telling the browser to communicate with its servers". The Court explained that if the answer to either question is outside of Pennsylvania, WESCA does not apply.

How Retailers Can Protect Themselves

Notice and consent provide strong defenses to wiretapping cases, whether the case involves cell phones, session-replay, chatbots, or a new up-and-coming technology. As a frame of reference, retailers should look for online analogues to "this call may be recorded" warnings on customer service phone numbers. Just as those warnings are provided at the beginning of a phone call—before it is recorded—websites should tell customers that their website browsing, chat, etc. may be recorded in advance of any recording. It should be easy to add this kind of warning at the beginning of any chat, and several retailers have already implemented this kind of change in light of the litigation threat. Session-replay is slightly more difficult, given that it can start tracking customers' movements from the moment they navigate to a given website. Providing early consent—such as through a web banner or a pop-up box—is recommended.
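
The ordering described above (notice and consent first, capture second) can be enforced in the page's own code. The sketch below is an added example, not part of the original article or any vendor's code; the class, method, and field names are hypothetical, and the sink stands in for whatever forwards events to a session-replay or chat vendor.

```javascript
// Added example: all names here are hypothetical, not a vendor API.
class ConsentGatedRecorder {
  constructor(sink, clock = () => Date.now()) {
    this.sink = sink;     // forwards an event to the replay/chat vendor
    this.clock = clock;
    this.consent = null;  // set only by an explicit visitor action
    this.dropped = 0;     // pre-consent interactions: counted, never stored
  }

  // Call from the banner's "Accept" handler, after the notice was shown.
  grantConsent(noticeVersion) {
    this.consent = { at: this.clock(), noticeVersion };
  }

  revokeConsent() {
    this.consent = null;
  }

  // Returns true if the event was forwarded, false if it was discarded.
  capture(event) {
    if (this.consent === null) {
      // Discard rather than buffer: flushing a buffer after a later
      // "Accept" would apply consent retroactively.
      this.dropped += 1;
      return false;
    }
    this.sink({ ...event, consentAt: this.consent.at,
                noticeVersion: this.consent.noticeVersion });
    return true;
  }
}

// Constructed session: interactions before the banner is answered, then after.
function runSampleSession() {
  const forwarded = [];
  let t = 1000;
  const rec = new ConsentGatedRecorder((e) => forwarded.push(e), () => t++);
  rec.capture({ type: "input", field: "zip" });        // before consent
  rec.capture({ type: "click", target: "#quote" });    // before consent
  rec.grantConsent("notice-v1");
  rec.capture({ type: "click", target: "#chat-open" });
  rec.capture({ type: "chat", text: "Where is my order?" });
  rec.revokeConsent();
  rec.capture({ type: "click", target: "#checkout" }); // after revocation
  return { forwarded, dropped: rec.dropped };
}
```

Each forwarded event carries the consent timestamp and notice version, so a stored record can be tied back to the notice the visitor actually saw.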

More generally, in-house counsel should make sure they have a clear understanding of the information their companies record from visitors to their website, the purpose for which such data is collected, who the data is shared with or sold to, and what disclosures are made to customers in their privacy policies.

Finally, retailers should review vendor agreements to ensure they accurately reflect any legal obligations. For example, effective next year, California, Colorado, and Virginia require companies to have contracts with third parties that reflect and uphold the companies' privacy policy as it pertains to consumers' data. The legal landscape is constantly changing on this issue, and retailers should stay abreast of the most recently enacted requirements.

Footnotes

1. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020).

2. Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022).

3. Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
