While session replay software litigation was the hottest development in data privacy litigation earlier this year, yet another court has rejected such a theory of liability—making it even more likely that this trend has already peaked.  In this instance, the U.S. District Court for the Northern District of California ruled (for the second time) that a user who accepted the website’s Privacy Policy had consented to have his information collected.  Javier v. Assurance IQ, No. 20-cv-02860, 2021 U.S. Dist. LEXIS 158236 (N.D. Cal. Aug. 6, 2021).

Recall that session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences.  Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application.  Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.  Creative plaintiffs lawyers have filed dozens of putative class action litigations this year alleging that a website operator’s use of session replay software violates certain state wiretap acts—including those of California and Florida.  This is because a minority of states have all-party consent wiretap laws (requiring all parties to a conversation or interaction to consent to a recording).  Plaintiffs in these cases have alleged that because they did not affirmatively consent to the defendant’s use of the session replay software, the website operator has violated the applicable state’s wiretap law.

Here, in Javier, the plaintiff alleged violations of the California Invasion of Privacy Act and the California Constitution based on the defendants’ alleged recording of user actions and collection of information from one of its websites.  The defendant, a platform that uses data analytics to connect individual consumers with personalized insurance plans based on their particular needs and budgets, allowed potential consumers to seek a quote through the website. Once a person had entered the preliminary basic information, he or she was prompted to click a button saying “View My Quote.” On the bottom of that web page was a notice, including a hyperlink, stating, “By clicking ‘View My Quote’ I indicate my intent to agree to th[e] website’s Privacy Policy.” The Privacy Policy, in turn, stated that Assurance IQ would collect the content and personal information of individuals who sought quotes, which could include personal and family health information, and information about how the user viewed content or engaged with the website.

In March, the Court granted Defendants’ motion to dismiss the first amended complaint, with leave to amend, concluding Plaintiff consented to the conduct about which he complained.  Unfortunately for Plaintiff, his complaint fared no better upon repleading.  The Northern District, in granting Assurance IQ’s motion to dismiss, reiterated what has become an oft-cited mantra: where the plaintiff has “sufficient notice” of the privacy policy, and sufficient notice that clicking “View My Quote” would indicate his acceptance of the Privacy Policy, he had given his consent to the collection of the information.  It is, however, not an all-or-nothing situation.  The Court held that the consent only applies to the actions disclosed in the Policy (in this instance, the Court found that the alleged collection of information fell within the activities described in the Policy, although one might imagine circumstances in which this was not the case).

Based on the principle that “consent is generally limited to the specific conduct authorized,” this ruling may encourage website hosts and online entities to write their policies as broadly as possible to give themselves legroom to argue that their visitors had consented.  For more on this, stay tuned—CPW will be there to keep you in the loop.