United States: UPDATE: Litigation Related To Website Technology & Data Sharing

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.

1. Chat Window Wiretapping Claims.

These lawsuits specifically claim that the use of chat windows, without the proper disclosures and notices, violates laws in states that have two-party consent or all-party consent requirements. This is because the website uses a third-party vendor to provide the chat window, which involves the recording of the chats between the user and the company allegedly without the user's knowledge or consent.

The most movement in these lawsuits has been in California. A few of the claims have been dismissed as the courts have found that the complaints failed to sufficiently plead that the chat communications were intercepted by a third party that used the communications for its own purposes. Instead, as part of their services to the website operator and often pursuant to a contract, these third parties are using the recordings solely for the website operator's benefit. We will likely see more movement on the remaining lawsuits in the next few months.

As of now, the courts have been inconsistent when determining if the posting of a publicly available privacy policy can prevent such claims from being sufficiently established. However, one thing is clear. The defendants could not affirmatively show that the user had notice of the privacy policy and accepted the terms of that privacy policy. This may have been because the privacy policy was made available after the claim was filed or the defendant did not have a mechanism in place to show when users consented to the privacy policy.

2. Session Replay Technology Claims.

Similar to the chat window wiretapping claims, there are broader claims that the use of specific technology and tools on a website that records the user's behavior on the website violates wiretapping laws in two-party consent or all-party consent states. This technology involves the website's ability to capture or track a user's behavior, including but not limited to, which screen is being viewed, the user's inputs (keyboard and mouse clicks) on a page, and other user movements around the website. While there has not been much movement regarding the session replay technology claims, the Southern District of California and the Ninth Circuit Court of Appeals held that a browse-wrap agreement was insufficient to compel arbitration.

A browse-wrap agreement is an agreement (e.g. privacy policy or terms of service (TOS)) that a user accepts simply by virtue of the fact that the user browsed the website on which the privacy policy or TOS were posted. A click-wrap agreement is different in that it requires a user to accept the terms of that agreement by selecting "I agree," "I accept," a check box, or some other verifiable, manual consent mechanism.

Here, the Court held that the e-commerce defendant did not provide adequate notice of a change to the terms of its TOS. So, in effect, the 2019 TOS never replaced the original 2016 TOS. The Court of Appeals determined that the burden was on the e-commerce defendant to show that the users consented to the new 2019 TOS. Finally, the Court of Appeals found no evidence that an email that was allegedly sent to the users adequately notified them of the updated TOS, which also contained an updated arbitration clause.

3. VPPA Claims.

Generally, the VPPA (1988) prohibits a video tape service provider (extended to apply to any online video provider) from knowingly disclosing the personal information of a consumer unless certain enumerated exceptions apply. 18 U.S.C. § 2710(b)(1). Thus, the theory is that when a website uses specific cookies to target ads to visitors (the most common example being the Meta Pixel or Facebook Pixel) where video content is provided, the website is effectively sharing third-party information about the user, including what the user is watching and for how long.

In a lawsuit involving Home and Garden TV's website (hgtv.com), the website provided options to its users to sign up for a newsletter by providing an email address and asking them to choose from various themes for the website. The plaintiffs reported that they had accounts on popular social media networks and alleged to which that the HGTV website transmitted to such social media companies their personal information and viewing habits on the HGTV website.

However, the Court disagreed and dismissed the complaint. Generally, the Court agreed with the defendant in that "there is no suggestion that plaintiffs purchased or rented a covered good or service from HGTV. Plaintiffs' claim turns on whether their subscriptions to HGTV newsletters make them "subscribers" of a good or service covered by the VPPA. HGTV argues that the newsletters were distinct from plaintiffs' video-streaming activities, and that, for the purposes of the VPPA, plaintiffs do not plausibly allege that they were subscribers." The Court concluded that the term "consumer" under the VPPA is narrow and must be paired or connected to a "video tape service provider," not to a broader category of consumers. Specifically, "a reasonable reader would understand the definition of 'consumer' to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large." Therefore, the Court dismissed the complaint for failure to state a claim.

Takeaways. As we previously covered in February, even with the updates to the pending litigation, a lot remains to be seen as to how to implement controls that will potentially safeguard companies against such claims. That said, at a minimum, businesses should do the following:

• Review website technologies. Review all publicly-facing websites and evaluate the data collected, processed, and shared by the website. Inventory all tracking technologies, including but not limited to cookies, pixels, replay technologies, biometrics, and embedded links.

• Review website privacy policies. Review existing website privacy policies to ensure each properly discloses the use of such technologies and that the privacy policy is properly linked on each webpage and chat window. To the extent applicable, the operator should secure the consent of the website visitor to the use of such technologies and any data sharing.

• Consider website banners. While not necessarily required in the U.S., we are seeing increasing value in implementing a banner that launches upon a visitor's first landing on a website. The banner discloses the tracking technologies in use, but also the website's cookie practices and the website owner's privacy policy (or links to each). Such a banner may serve to mitigate risks of such lawsuits, as well as meet the increasingly demanding requirements from certain state privacy laws, such as California's CCPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.