For the past two years session replay software litigation claims have been brought in federal courts and state courts across the country, with particular focus on Florida and more recently California.

By way of reference, session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences. Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a website or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website. California and Florida, along with eleven other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Relying on these statutes, creative plaintiffs’ attorneys have filed class action lawsuits generally alleging that session replay software intercepts communications without the consent of website users, violating these statutes (which in most instances predated the technology at issue).

Since last year, the majority of Florida courts have generally dismissed lawsuits alleging that session replay software violated the Florida Security of Communications Act (“FSCA”). The court’s ruling in Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021) is one such example. In Goldstein, the court determined that content captured by the defendant’s website failed to “convey the substance of communication” as defined by the FSCA. This and other similar rulings convinced many privacy attorneys that session replay software claims would be a short-lived sensation.

Unexpectedly, earlier this year the Ninth Circuit Court of Appeals reversed a district court’s dismissal of a session replay claim under the California Information Privacy Act (“CIPA”), in a decision previously covered on CPW.  Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2021). Notably, the court interpreted Section 631(a) of CIPA, which imposes liability on anyone who “reads or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication,” as requiring the prior consent of all parties. As such, in that case the Ninth Circuit held that Plaintiff “has sufficiently alleged that he did not provide express prior consent to [Defendant’s] wiretapping of his communications . . . [Plaintiff] has therefore alleged sufficient facts to plausibly state a claim that, under Section 631(a), his communications . . . were recorded . . .  without his valid express prior consent.”  However, the Court declined to rule on other arguments raised on appeal, including “whether [Plaintiff]  impliedly consented to the data collection.”

Like California, the majority of jurisdictions with similar all-party-consent laws have statutes that mirror the general language of the CIPA. As such, this decision resulted in another wave of session replay software claims being filed, with the question of consent being a particular push point. CPW’s Kristin Bryan spoke this week with the Seattle Times about this litigation trend, after several cases were filed under Washington’s wiretap statute, and about what litigation mitigation measures companies can take to shield themselves against such claims. Her comments are available here.

Thanks to our Summer Associate, Maya Thomas, for her work on this timely blog.

2021 saw creative plaintiffs’ attorneys initiating a string of class action lawsuits alleging that session replay software violated state wiretap acts, notably in California and Florida.

While decisions out of Florida led many to believe these types of cases were dying out, a recent ruling by the Ninth Circuit Court of Appeals has ignited fresh concerns that more sessions replay litigation may be on the horizon, potentially impacting other “all-party consent” jurisdictions. However, there are tangible steps that companies operating websites or mobile applications that capture consumer data can take to reduce the threat of litigation.

To recap briefly, session replay software captures various facets of a user’s interaction with a website or application. The software tracks content viewed by users, including keystrokes, mouse clicks, and search terms, to help website operators enhance users’ experiences. California and Florida, along with 11 other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Relying on these statutes, creative plaintiffs’ attorneys have filed class action lawsuits generally alleging that session replay software intercepts communications without the consent of website users, violating these statutes.

Recent Sessions Replay Developments

Florida courts have generally dismissed lawsuits alleging that session replay software violated the Florida Security of Communications Act (“FSCA”). Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021). In Goldstein, the court ruled the content captured by the defendant’s website failed to “convey the substance of communication” as defined by the FSCA. This and other similar rulings out of Florida led many to believe that we would see an end to these types of claims.

However, in May 2022, the Ninth Circuit Court of Appeals reversed a district court’s dismissal of a session replay claim under the California Information Privacy Act (“CIPA”). Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2021). Notably, the court interpreted Section 631(a) of the Act, which imposes liability on anyone who “reads or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication,” as requiring the prior consent of all parties. In Javier, the website operator began recording the user’s interactions before a pop-up asked the user to consent to the website’s privacy policy which included notice of the recording software.

The ruling in Javier is notable because most states with all-party-consent laws have statutes that mirror the general language of the CIPA (except for Pennsylvania, which expressly requires prior consent)—opening the door for future litigation against website operators who employ after-the-fact user consent.

Addressing Sessions Replay Litigation

Website operators subjected to all-party-consent statutes are not without options. As the Javier opinion noted, operators should expressly and affirmatively gain user consent prior to recording any user interactions. One way to do this is through pop-up cookie banners before users begin to interact with their websites. Additionally, website operators should ensure their privacy policies are updated and conspicuously hyperlinked on each web page to provide users with sufficient notice of the organization’s privacy policies. These policies should clearly indicate that users may be monitored while on their website.

Defending Against Sessions Replay Litigation

The Javier decision only narrowly addressed the issue of prior consent in sessions replay litigation. At present, California courts have yet to issue any definitive rulings on several other areas that remain open under California law and states with similar laws:

  •  Implicit Consent: Even if prior consent is required in all-party-consent states, the issue of whether visitors to a website implicitly consent to the website’s privacy policies, often hyperlinked on each webpage, is not a settled area of law. In Javier, the court narrowly interpreted the issue of whether Section 631(a) required prior consent and expressly declined to address the defendant’s other argument that the plaintiff implicitly consented to the website privacy policy. Therefore it remains to be seen whether courts will find the language in these privacy policies sufficient to convey notice of session replay tracking as they generally mention monitoring user activity on websites.
  •  Third-party eavesdropping: The question of whether website operators that use session replay software are parties to communications on their websites and, therefore, are not third-party eavesdroppers, as prohibited under Section 631(a), is also an area in which we are likely to see continued litigation. Currently, California district courts have reached differing outcomes on this issue. Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021); but cf. Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 U.S. Dist. LEXIS 186955, at *3 (N.D. Cal. Oct. 23, 2019).

We will continue to monitor the sessions replay litigation landscape post-Javier for further developments. Stay tuned; CPW will be there to keep you in the loop.

Since this summer CPW has declared session replay software litigation predicated on violation of state wiretap statutes as dead in the water.  Judges apparently agree.  Earlier this month yet another court kicked to the curb a session replay software dispute that asserted violations of Florida’s wiretap law, the Florida Security of Communications Act (“FSCA”).  Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021).  Read on to learn more.

In Goldstein, as succinctly summarized by the Court:

This action joins a flurry of virtually identical cases wherein creative class action litigants have seized on a novel reading of Florida’s decades-old wiretapping statute, the [FSCA], to attack the use of so-called session replay software on commercial websites.  The FSCA provides a cause of action against parties that intercept or use private communications without the speaker’s consent. Fla. Stat. §§ 934.10(1)(a), (d).  Plaintiff alleges that Defendant violated the FSCA by using session replay software to record Plaintiff’s mouse clicks and other commands on Defendant’s website.

Defendant moved to dismiss the case for failure to plead a cognizable claim.  The Court agreed, dismissing the Complaint in its totality.

As an initial matter, the Court noted that “Courts may not rewrite statutes to change with the times . . . Rather, the Court must take the law as it is and apply it faithfully to new facts as they arise.  Here, Plaintiff asks the Court to rewrite Florida’s wiretapping law in the face of changing technology.”  The Court rejected Plaintiff’s invitation.  This was because “[t]he relevant terms of the FSCA must be construed in a manner consistent with their plain meaning and context.”

The Court’s analysis started with the FSCA’s plain language.  The FSCA includes the following provisions as relevant to Plaintiff’s claims:

  • Section 934.03(1)(a) of the FSCA prohibits “[i]ntentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication”.
  • Similarly, Section 934.03(1)(d) of the FSCA prohibits “[i]ntentionally us[ing], or endeavor[ing] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of [the FSCA].”
  • Insofar as definitions of terms used in the FSCA are concerned, “intercept” means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Fla. Stat. § 934.02(3).
  • And finally, “contents” as used in the FSCA encompasses “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7).

In the Complaint, Plaintiff asserted that Defendant intercepted the substance of his communications with Defendant’s website which included: (1) his movements on the website (mouse clicks, scroll movements, and page/content viewed) and (2) information voluntarily input (keystrokes, search terms, cut and paste actions, etc.).

The Court flatly rejected these allegations as falling within the purview of the FSCA.  This was because, the Court found, “these actions did not convey the substance of any communication.”  Instead, at best, this “mere tracking of Plaintiff’s movements on Defendant’s website is the cyber analog to record information Defendant could have obtained through a security camera at a brick-and-mortar store.”

Indeed, the text of the FSCA supported the Court’s ruling.  The FSCA explicitly excludes “[a]ny communication from an electronic or mechanical device which permits the tracking of the movement of a person or an object.” Fla. Stat. § 934.02(12)(c).  While the Court recognized that “the tracking in this case is virtual rather than physical, . . . . the plain language of the statute exempts the sort of tracking that triggered this action.”

To put it simply: “Defendant’s recordings of Plaintiff’s purported communications contained no substance.  No substance means no contents, no contents means no interception, and no interception means no FSCA violation.”

A defining attribute of much data privacy and cybersecurity litigation is that plaintiffs’ statutory and common law theories of liability (CCPA and BIPA, among other notable exceptions, aside) predated the development of the technologies and business practices that are now routinely challenged in court. In this case, the Court got it right. The legislative history of the FSCA made clear it was geared towards addressing concerns not implicated by the use of session replay software. A business monitoring mouse clicks on its own website is hardly the same, for instance, as a third party intercepting a private telephone conversation. However, that’s not to say data privacy plaintiffs won’t come up with another novel legal theory next week challenging the same practices at issue in this case. Not to worry: CPW will be there to keep you in the loop. Stay tuned.