In recent years, plaintiff attorneys throughout the country have filed lawsuits alleging that modern website technologies that track user visits violate state privacy laws. Many of these lawsuits have focused on the use of session replay software on websites. Session replay software permits companies to track user interactions while browsing a website, including mouse clicks, keystrokes, and content viewed by the user. In 2020 and 2021, many companies using this type of software suddenly found themselves immersed in class action litigation analogizing this software to an illegal wiretap.
Much of this litigation has centered in California and Florida, where plaintiffs have filed dozens of putative class actions under California’s Invasion of Privacy Act (CIPA) and Florida’s Security of Communications Act (FSCA). Both statutes prohibit, in certain circumstances, the interception and disclosure of wire, oral, or electronic communications. Plaintiffs have argued that a company’s use of session replay software on its website constitutes an illegal wiretap of plaintiff’s communications with that website.
A number of companies have been able to fend off these lawsuits with one of three arguments.
First, defendants have argued that the session replay providers were parties to the communications and thus not eavesdroppers under wiretap statutes. In these cases, courts have found that the statutes prohibit only eavesdropping by a third party to a communication, not a participant. Thus, courts accordingly have dismissed claims under the “party to the communication” exception because “[o]nly a third party can listen to a conversation secretly.” Stated differently, in these cases session replay providers were considered an “extension” of the website operator and consequently could not be third-party eavesdroppers. Notably, not all courts have agreed with this interpretation of wiretapping laws. One California court found that a plaintiff plausibly could bring a CIPA claim against a retailer that embedded a third-party’s code on its website to collect visitor data and mine that data. Another court held that the question of whether a session replay provider is an eavesdropper under CIPA is a question for the jury, denying the defendant’s motion to dismiss the lawsuit.
Second, some courts have found that session replay software does not violate these statutes because it does not intercept content. These statutes often only protect the contents of communications are protected from eavesdropping (i.e. interception). Because the information collected by many session replay providers, such as mouse clicks, movements, and keystrokes, is not substantive, several courts have dismissed wiretapping class actions after finding that the information collected does not qualify as content under the relevant wiretap statutes. These findings turn on what information is actually collected and how that information is described in the lawsuit. For instance, where one plaintiff alleged that the tracking technology monitored what he searched for, what he looked at, and the information he inputted (including his “personal interests, browsing history, queries, and habits as he interacted with and browsed”), the court found that the information allegedly collected by the session replay provider was “very communicative” and accordingly found the plaintiff had plausibly stated a claim for relief.
The law in this area will continue to develop over the next few years. Companies that are considering the use of session replay or tracking technologies should consult with counsel and understand the different laws in the forums where they intend to use those technologies.
Ian M. Ross is a partner at Sidley Austin LLP and a Chambers ranked commercial litigator specializing in securities litigation and class action defense. Stephanie Peral is a managing associate at Sidley Austin LLP specializing in complex commercial litigation and consumer class actions.In recent years, plaintiff attorneys have filed lawsuits alleging that the use of session replay software on websites constitutes an illegal #wiretap of plaintiff's communications with that website and are in violation of state #privacy laws. #respectdataClick to Tweet
 See e.g., Yale v. Clicktale, Inc., No. 20-CV-07575-LB, 2021 WL 1428400 (N.D. Cal. Apr. 15, 2021).
 Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021) (citations omitted).
 Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330 (N.D. Cal. Oct. 23, 2019).
 Id.; see also Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 (C.D. Cal. 2021)
 See e.g., Jacome v. Spirit Airlines Inc., 2021 WL 3087860, at *4 (Fla. Cir. Ct. June 17, 2021).
 Alhadeff v. Experian Info. Sols., Inc., 541 F. Supp. 3d 1041, 1045 (C.D. Cal. 2021).
 Jacome, 2021 WL 3087860, at *4 .
 Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *2 (9th Cir. May 31, 2022).
 See, e.g., Popa v. Harriet Carter Gifts, Inc. et al., Case No. 21-2203 (3d Cir. Aug. 16, 2022).