From California to Pennsylvania, There is a New Dawn on What Constitutes Wiretapping: Privacy Considerations for Pennsylvania-Based Companies
By: James K. Paulick, Esq.
Following up on Leech Tishman’s recent article regarding class action lawsuits under California’s Invasion of Privacy Act (CIPA) statute, Pennsylvania is heating up as fertile ground for such claims against businesses that run a website that utilizes analytics or a chat bot/live chat function. Courts are beginning to expand the definition of “interception” under their respective wiretapping laws to include the use of such software. If you run a business in Pennsylvania and you have a website that utilizes analytics or a chat-type function, you might be a target for these class action suits.
These lawsuits arise when a company runs a website that utilizes analytics software that permits the company to track and replay how a visitor navigated the company’s website. This tracking usually provides enough detail to follow an individual through every click, mouse movement, and word typed (even if deleted or not submitted), as well as the time spent in between pages. In other words, it would be similar to a retail store “tagging” a visitor and tracking all of their physical movements through the store, seeing what items they picked up, determining what items were placed into the shopping cart, recording how long the visitor spent in each aisle, and then ultimately saving a replay of that activity. Simultaneously, a third party whom the retail store hired would also receive a copy. Is this behavior objectionable to a reasonable person’s expectations of privacy? Turning to the digital equivalent of a retail shopping website, courts are saying yes, this is objectionable, at least to the extent that this tracking fits within the definitional boundaries of the wiretapping statute at issue and to the extent that consent was not obtained. A recent case in the Third Circuit outlines the potential liability exposure in this technology space.
Like California’s Ninth Circuit decision (Javier v. Assurance IQ), the Third Circuit in Popa v. Harriet Carter Gifts Inc. (Nov. 2022) (“Popa”) has similarly opened the door for the Plaintiffs’ Bar’s use of Pennsylvania’s “Wiretapping and Electronic Surveillance Control Act” (WESCA) as a class action catalyst. Numerous class action suits have been filed against companies that utilize a chat bot or web session replay analytics.
In the Popa case, the Defendant, Harriet Carter Gifts, used a third-party analytics company named NaviStone to track visitors’ usage of the Harriet retail website. The Plaintiff, according to the complaint, discovered that her usage of the website was being tracked by both Harriet and NaviStone, and she sued under the Pennsylvania WESCA and common law Invasion of Privacy. Notably, she has also acted as the Plaintiff in several other lawsuits in Pennsylvania against companies under similar circumstances.
The Third Circuit in Popa is illustrative because in this case, the court analyzes defenses that companies may think they can rely upon – although in this case several of the defenses go unanswered because the Third Circuit has remanded the case to the District Court to flesh out the facts applicable to such defenses in further proceedings. In Popa, the Defendants argued:
- No interception can occur when the communications are received by a direct party, i.e., the two Defendants.
- Even if they did intercept Popa’s communications, the WESCA doesn’t apply because any interception occurred outside of the Commonwealth [of Pennsylvania], and
- Harriet and NaviStone nevertheless had the Plaintiff’s implied consent to intercept.
For years, Pennsylvania routinely determined that there was no interception when the alleged “interceptor” was one of the intended recipients of the communication. However, in 2012, WESCA’s “intercept” definition was amended to include only one exception to the direct party interception, that being law enforcement officers acting in specific situations. This meant that any other direct party communication is now an “interception.” Therefore, neither Harriet nor NaviStone could avoid liability simply because they were direct parties with the Plaintiff and each other.
Turning next to the Defendants’ argument that the interception did not occur in the Commonwealth of Pennsylvania, the court analyzed the historical context of where “interceptions” occurred in a classic telephone tap situation. In reviewing the prior federal circuit precedent, the Popa Court opined that the interception occurs where the phone signal is “rerouted,” not necessarily where the listener is situated. Then, applying the analog to the digital world, the Court determined that the analytics software operated by Harriet’s website instructed the Plaintiff’s browser to send alternate signals to NaviStone as well as Harriet as she navigated through the site. Thus, the Popa Court found that the location of the rerouting of Popa’s browser is determinative of whether the interception occurred in the Commonwealth of Pennsylvania. However, the Court held that it was not apprised of enough technical facts to rule on that issue and sent it back for determination by the district court. Thus, this issue is still ongoing and undetermined.
The last defense raised and analyzed by the Popa Court was whether there was consent. Consent by all parties defeats any claim under Pennsylvania’s WESCA (as well as any other wiretap law). The Defendants argued that the Plaintiff impliedly consented because Harriet included a privacy policy on its website. The Plaintiff, however, claimed that she never saw the privacy policy. The court cited a prior Pennsylvania case stating that implied consent “can be demonstrated when the person recorded knew or should have known that the conversation was being recorded.” However, the trial court did not analyze this matter, and thus the Third Circuit remanded this issue to the District Court to flesh out this defense of implied consent via the website’s privacy policy.
After reviewing this case in point, what are some practical ways that companies can protect themselves from these class action lawsuits? First, your company must determine whether it utilizes the type of software implicated in this case as a threshold matter. Many companies of all sizes outsource marketing and website management to third party companies who are not always in direct communication with a company’s compliance personnel and legal stakeholders as functionality is added to their website. Thus, the key goal is to raise awareness across technology, marketing, compliance, and legal teams as to what software might fit within the zone of danger of these novel class action suits under the wiretapping statutes.
A company also needs to acknowledge the Popa court’s ruling on “direct party” participant exceptions or lack thereof. In light of Popa’s analysis, it seems unlikely that companies and their third-party service providers can rely on the historical “direct party” exception to WESCA because, as the Popa Court points out, WESCA was amended over 10 years ago and the “direct party” exception was narrowed to include only law enforcement officers acting under specific circumstances.
And lastly, but probably most importantly, companies must have a defensible method for showing actual consent or implied consent by website visitors. Although the issue was not fully developed in Popa, companies may not be able to rely on the simple presence of an inconspicuous “privacy policy” link at the very bottom of a company website to prove implied consent in these cases. It is likely that a court is going to require some conspicuous language or warning, possibly in the form of a pop-up (similar to a cookie consent) to show actual or implied consent. However, that is yet to be determined in follow-up rulings on this issue. Stay tuned.
These class action suits present significant financial and reputational risk. Pennsylvania’s WESCA provides a private cause of action to individuals with statutory damages of up to $1,000 for each day of the violation, along with punitive damages, and most importantly attorney’s fees and other litigation costs reasonably incurred. This gives plaintiffs every incentive to file these actions because, even if the actual damages are minor or nonexistent, in the aggregate, across a class of individuals, the damages could be devastatingly high, along with all of the potentially reimbursable costs that go into a class action suit from the plaintiff’s perspective.
Leech Tishman’s team would be happy to consult with your company to determine your level of exposure to such lawsuits and assist you in employing sound principles, policies, and procedures to reduce your company’s risk of being a target in this new realm.
For assistance in avoiding your exposure to these privacy/wiretap-related laws or if you need assistance because your company has been sued under these laws, contact James K. Paulick at jpaulick@leechtishman.com or 424.738.4400 for an initial consultation. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he leads the Data Privacy & Cybersecurity Group.