For the past two years session replay software litigation claims have been brought in federal courts and state courts across the country, with particular focus on Florida and more recently California.
By way of reference, session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences. Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website. California and Florida, along with eleven other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Relying on these statuses, creative plaintiff’s attorneys have filed class action lawsuits generally alleging that sessions replay software intercepts communication without the consent of website users, violating these statutes (which in most instances predated the technology at issue).
Since last year, the majority of Florida courts have generally dismissed lawsuits alleging that session replay software violated the Florida Security of Communications Act (“FSCA”). The court’s ruling in Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021) is one such example. In Goldstein, the court determined that content captured by the defendant’s website failed to “convey the substance of communication” as defined by the FSCA. This and other similar rulings out convinced many privacy attorneys that session replay software claims would be a short-lived sensation.
Unexpectedly, earlier this year the Ninth Circuit Court of Appeals reversed a district court’s dismissal of a session replay claim under the California Information Privacy Act (“CIPA”), in a decision previously covered on CPW. Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2021). Notably, the court interpreted Section 631(a) of CIPA, which imposes liability on anyone who “reads or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication,” as requiring the prior consent of all parties. As such, in that case the Ninth Circuit held that Plaintiff “has sufficiently alleged that he did not provide express prior consent to [Defendant’s] wiretapping of his communications . . . [Plaintiff] has therefore alleged sufficient facts to plausibly state a claim that, under Section 631(a), his communications . . . were recorded . . . without his valid express prior consent.” However, the Court declined to rule on other arguments raised on appeal, including “whether [Plaintiff] impliedly consented to the data collection.”
Like California, the majority of jurisdictions with similar lars are all-party-consent laws have statutes that mirror the general language of the CIPA. As such, this decision resulted in another wave of session replay software claims being filed with the question of consent being a particular push point. CPW’s Kristin Bryan spoke this week with the Seattle Times about this litigation trend after several cases were filed under Washington’s wiretap statute and what litigation mitigation measures companies can take to shield themselves against such claims. Her comments are available here.