Man typing on keyboard showing wiretapping and session replay

Wave of Wiretapping Litigation Offers Lessons for Companies Using Session Replay Software

In recent years, plaintiff attorneys throughout the country have filed lawsuits alleging that modern website technologies that track user visits violate state privacy laws. Many of these lawsuits have focused on the use of session replay software on websites. Session replay software permits companies to track user interactions while browsing a website, including mouse clicks, keystrokes, and content viewed by the user. In 2020 and 2021, many companies using this type of software suddenly found themselves immersed in class action litigation analogizing this software to an illegal wiretap.

Much of this litigation has centered in California and Florida, where plaintiffs have filed dozens of putative class actions under California’s Invasion of Privacy Act (CIPA) and Florida’s Security of Communications Act (FSCA). Both statutes prohibit, in certain circumstances, the interception and disclosure of wire, oral, or electronic communications. Plaintiffs have argued that a company’s use of session replay software on its website constitutes an illegal wiretap of plaintiff’s communications with that website.

A number of companies have been able to fend off these lawsuits with one of three arguments.

First, defendants have argued that the session replay providers were parties to the communications and thus not eavesdroppers under wiretap statutes. In these cases, courts have found that the statutes prohibit only eavesdropping by a third party to a communication, not a participant. Thus, courts accordingly have dismissed claims[1] under the “party to the communication” exception because “[o]nly a third party can listen to a conversation secretly.”[2] Stated differently, in these cases session replay providers were considered an “extension” of the website operator and consequently could not be third-party eavesdroppers. Notably, not all courts have agreed with this interpretation of wiretapping laws. One California court found that a plaintiff plausibly could bring a CIPA claim against a retailer that embedded a third-party’s code on its website to collect visitor data and mine that data.[3] Another court held that the question of whether a session replay provider is an eavesdropper under CIPA is a question for the jury, denying the defendant’s motion to dismiss the lawsuit.[4]

Second, some courts have found that session replay software does not violate these statutes because it does not intercept content. These statutes often only protect the contents of communications are protected from eavesdropping (i.e. interception). Because the information collected by many session replay providers, such as mouse clicks, movements, and keystrokes, is not substantive, several courts have dismissed wiretapping class actions after finding that the information collected does not qualify as content under the relevant wiretap statutes.[5] These findings turn on what information is actually collected and how that information is described in the lawsuit. For instance, where one plaintiff alleged that the tracking technology monitored what he searched for, what he looked at, and the information he inputted (including his “personal interests, browsing history, queries, and habits as he interacted with and browsed”), the court found that the information allegedly collected by the session replay provider was “very communicative” and accordingly found the plaintiff had plausibly stated a claim for relief.[6]

Third, some courts have dismissed wiretapping class actions because they found that the plaintiff had consented to the use of session replay technology. One Florida court dismissed a wiretapping lawsuit after finding that the plaintiff had consented twice to the use of session replay software: first with a banner warning of the use of cookies and second through the privacy policy found via a hyperlink on the website informing any website user that his/her interactions may be monitored.[7]  Although consent has been considered one of the stronger grounds on which to seek dismissal in these cases, these decisions have not been uniform. An appellate court recently reversed a lower court’s finding that a plaintiff retroactively consented to the use of session replay software by agreeing to the website’s privacy policy.[8] The court found that CIPA requires “prior consent” of all parties to a communication and retroactive consent does not suffice.

In summary, the case law in this area continues to develop inconsistently, and plaintiffs continue to advance novel interpretations of wiretapping statutes to file new claims. Several rulings this year hay have reinvigorated the attorneys who filed these cases by the dozens in 2020.[9] For the reasons outlined in this article, at a minimum, companies should: (1) develop clear disclosures requiring website users to affirmatively agree to a privacy policy disclosing the use of session replay software prior to the use of that software; (2) consider the information that may be collected after a website user consents, understanding the difference between “non-record” information such as keystrokes instead of more “communicative” data such as queries and information input by the user; and, (3) consider placing limits on the use of any data by session replay software when negotiating agreements with session replay providers.

The law in this area will continue to develop over the next few years. Companies that are considering the use of session replay or tracking technologies should consult with counsel and understand the different laws in the forums where they intend to use those technologies.

Ian M. Ross is a partner at Sidley Austin LLP and a Chambers ranked commercial litigator specializing in securities litigation and class action defense.  Stephanie Peral is a managing associate at Sidley Austin LLP specializing in complex commercial litigation and consumer class actions.

[1] See e.g., Yale v. Clicktale, Inc., No. 20-CV-07575-LB, 2021 WL 1428400 (N.D. Cal. Apr. 15, 2021).
[2] Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021) (citations omitted).
[3] Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330 (N.D. Cal. Oct. 23, 2019).
[4] Id.; see also Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 (C.D. Cal. 2021)
[5] See e.g., Jacome v. Spirit Airlines Inc., 2021 WL 3087860, at *4 (Fla. Cir. Ct. June 17, 2021).
[6] Alhadeff v. Experian Info. Sols., Inc., 541 F. Supp. 3d 1041, 1045 (C.D. Cal. 2021).
[7] Jacome, 2021 WL 3087860, at *4 .
[8] Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *2 (9th Cir. May 31, 2022).
[9] See, e.g., Popa v. Harriet Carter Gifts, Inc. et al., Case No. 21-2203 (3d Cir. Aug. 16, 2022).