Thanks to our Summer Associate, Maya Thomas, for her work on this timely blog.
2021 saw creative plaintiff attorneys initiating a string of class action lawsuits alleging that sessions replay software violated state wiretap acts— notably in California and Florida.
While decisions out of Florida led many to believe these types of cases were dying out, a recent ruling by the Ninth Circuit Court of Appeals has ignited fresh concerns that more sessions replay litigation may be on the horizon, potentially impacting other “all-party consent” jurisdictions. However, there are tangible steps that companies operating websites or mobile applications that capture consumer data can take to reduce the threat of litigation.
To recap briefly, session replay software captures various facets of a user’s interaction with a website or application. The software tracts content viewed by users, including keystrokes, mouse clicks, and search terms, to help website operators enhance users’ experiences. California and Florida, along with 11 other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Relying on these statuses, creative plaintiff’s attorneys have filed class action lawsuits generally alleging that sessions replay software intercepts communication without the consent of website users, violating these statutes.
Recent Sessions Replay Developments
Florida courts have generally dismissed lawsuits alleging that session replay software violated the Florida Security of Communications Act (“FSCA”). Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021). In Goldstein, the court ruled the content captured by the defendant’s website failed to “convey the substance of communication” as defined by the FSCA. This and other similar rulings out of Florida led many to believe that we would see an end to these types of claims.
However, in May 2022, the Ninth Circuit Court of Appeals reversed a district court’s dismissal of a session replay claim under the California Information Privacy Act (“CIPA”). Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2021). Notably, the court interpreted Section 631(a) of the Act, which imposes liability on anyone who “reads or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication,” as requiring the prior consent of all parties. In Javier, the website operator began recording the user’s interactions before a pop-up asked the user to consent to the website’s privacy policy which included notice of the recording software.
The ruling in Javier is notable because most states with all-party-consent laws have statutes that mirror the general language of the CIPA (except for Pennsylvania, which expressly requires prior consent)—opening the door for future litigation against website operators who employ after-the-fact user consent.
Addressing Sessions Replay Litigation
Website operators subjected to all-party-consent statutes are not without options. As the Javier opinion noted, operators should expressly and affirmatively gain user consent prior to recording any user interactions. One way to do this is through pop-up cookie banners before users begin to interact with their websites. Additionally, website operators should ensure their privacy policies are updated and conspicuously hyperlinked on each web page to provide users with sufficient notice of the organization’s privacy policies. These policies should clearly indicate that users may be monitored while on their website.
Defending Against Sessions Replay Litigation
The Javier decision only narrowly addressed the issue of prior consent in sessions replay litigation. At present, California courts have yet to issue any definitive rulings on several other areas that remain open under California law and states with similar laws:
- Implicit Consent: Even if prior consent is required in all-party-consent states, the issue of whether visitors to a website implicitly consent to the website’s privacy policies, often hyperlinked on each webpage, is not a settled area of law. In Javier, the court narrowly interpreted the issue of whether Section 631(a) required prior consent and expressly declined to address the defendant’s other argument that the plaintiff implicitly consented to the website privacy policy. Therefore it remains to be seen whether courts will find the language in these privacy policies sufficient to convey notice of session replay tracking as they generally mention monitoring user activity on websites.
- Third-party eavesdropping: The question of whether session replay website operators are parties to communications on their websites and, therefore, are not third-party eavesdroppers, as prohibited under Section 631(a) is also an area that we are likely to see continued litigation. Currently, California district courts have reached differing outcomes on this issue. Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021); but Cf. Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 U.S. Dist. LEXIS 186955, at *3 (N.D. Cal. Oct. 23, 2019).
We will continue to monitor the sessions replay litigation landscape post-Javier for further developments. Stay tuned; CPW will be there to keep you in the loop.