Session Replay Litigation and Privacy
A number of lawsuits have been initiated recently over the use of “session replay” software. Session replay software allows a website to capture a user’s interaction with and use of the website. This software can capture a user’s keystrokes, mouse clicks, page scrolls, conversion rates, and more. There are many legitimate and useful reasons for such software, including allowing product development teams, marketing teams, and website developers to review a user’s behavior to determine how and/or why a user purchased or did not purchase a product or to enhance web design and usability.
The use of session replay software has been the basis of lawsuits over the past several years in states that require all-party consent for recording or capturing communications under the state’s wiretapping law. All-party consent states include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Oregon, Nevada, New Hampshire, Pennsylvania, and Washington. All-party consent wiretapping laws usually require explicit approval from all parties before a recording begins for that recording to be legal.
Plaintiffs’ attorneys have argued that session replay software is the equivalent of a recording under the wiretapping statute and therefore illegal without explicit consent.
In their defense, website hosts and developers have argued that consent is provided when the user clicks on and agrees to the user agreement, in addition to the argument that a website user does not have an expectation of privacy in their “click” interactions with the website.
The court in Alhadeff v. Experian Info. Solutions, Inc., 541 F. Supp. 3d 1041 (C.D. Cal. 2021) ruled that the allegations of illegal wiretapping could survive a motion to dismiss. The defendant argued that the wiretapping statutes were not intended to cover the capture of keystrokes and users’ interactions on a website and that such actions were not “contents” of communications. The court rejected this argument and opined that keystrokes and webpage interactions are “contents” of communication as that term is defined under federal wiretapping statutes.
This case is an outlier, however; in a number of cases that followed it, the court found that there was no expectation of privacy while using another’s website.
Just recently, however, the session replay suits began to replay (pun intended) themselves in states which have a broader interpretation of the wiretapping statutes, most notably Pennsylvania. Under these new cases, the plaintiffs’ attorneys are succeeding in convincing courts that the state’s wiretapping laws are applicable to session replay software.
The new suits include:
- Farst v. Michaels Stores, Inc., 1:22-cv-01433 (using the Pennsylvania wiretapping statute, the Wiretapping and Electronic Surveillance Control Act, 18 Pa. Cons. Stat. 5701, et seq. (“WESCA”));
- Farst v. Chewy, Inc., 1:22-cv-01434 (using the Pennsylvania wiretapping statute, the Wiretapping and Electronic Surveillance Control Act, 18 Pa. Cons. Stat. 5701, et seq. (“WESCA”));
- Farst v. Autozone, Inc., 1:22-cv-01435 (using the Pennsylvania wiretapping statute, the Wiretapping and Electronic Surveillance Control Act, 18 Pa. Cons. Stat. 5701, et seq. (“WESCA”));
- Kaufmann v. American Airlines, 3:22-cv-01524 (using the federal wiretapping statute, the Wiretap Act, 18 U.S.C. § 2510 et seq., and the California wiretapping statute, the California Invasion of Privacy Act (“CIPA”), Cal. Pen. Code § 631).
There are now a number of other pending cases against companies like Zillow, Lowes, and Expedia for using session replay software.
The filing of these cases continues to increase in Pennsylvania, prompted by a ruling in the Third Circuit in Popa v. Harriet Carter Gifts, No. 21-2203 (3d Cir. 2022). In this case the Third Circuit reversed a state court’s dismissal of a claim alleging a violation of the Pennsylvania wiretapping statute. The court opined on two significant issues, offering hope to plaintiffs’ attorneys.
First, the court found that there is no exception for communications intercepted by an intended recipient under the Pennsylvania law. There was a series of cases in which the opinion turned on the sender of the information sending the communication to an intended recipient. In those cases there was an implied consent to the recording of the communication. In Popa, however, the court refused to expand the idea of implicit consent and intended recipient to website companies, noting that the exception was narrowly drawn. Thus the website, although the intended recipient of the user’s actions, could not record the user’s website interactions without explicit approval.
Second, the court ruled that the interception of communications occurred at the location where the website scripts began to redirect the browser interaction, not the location where the server which ultimately received the communication was located. Thus, if the redirection of the communications occurred within the browser, the interception occurred at the user’s location.
The court remanded the case for additional factual determinations, but the decision will allow cases in Pennsylvania to move forward until such facts are determined. Future cases may result in different opinions, but website developers should be cognizant that the location of the user or the location of the website script redirection, not the server, may prevail.
The court in Florentino Javier v. Assurance IQ, LLC, et al., 21-16351 (9th Cir. 2022) also added fuel to the fire by ruling that recording of a session must not begin until consent has been given. Many session replay software developers begin recording immediately when a user visits a website.
These cases and rulings cause issues for website hosts and developers. Before recording any user interactions or deploying session replay services or software, website hosts and developers should ensure the following:
- All approvals included in the user terms and agreement are written as broadly as possible and as explicitly as possible to ensure that the user is aware that the website is recording all interactions.
- The approval to record the session information is obtained prior to recording and is very explicit and obvious.
- Finally, consult with an attorney regarding possible liability for using session replay software before implementing its use.
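The consent-before-recording ordering described above (no capture on page load, capture only after an explicit approval) can be enforced in the page's own code. The following is an added example, not code from any session replay vendor or from the original article; `createReplayGate`, `startRecorder`, and the in-memory recorder are hypothetical names, and the events are constructed sample data.

```javascript
// Added example: the recorder is created only after explicit consent, and
// interactions seen before consent are discarded rather than buffered.
function createReplayGate(startRecorder, now = () => Date.now()) {
  let session = null;      // handle returned by startRecorder once consent exists
  let consentedAt = null;  // when consent was given, kept for audit purposes
  let dropped = 0;         // count of pre-consent interactions (contents never stored)
  return {
    // Wire to the click handler of an explicit "allow session recording" control.
    grant() {
      if (session) return;
      consentedAt = now();
      session = startRecorder(); // hypothetical hook that starts the vendor capture
    },
    // Wire to the control that withdraws consent.
    revoke() {
      if (session) session.stop();
      session = null;
      consentedAt = null;
    },
    // Route every interaction through the gate, never straight to the recorder.
    handle(event) {
      if (!session) { dropped += 1; return false; }
      session.record(event);
      return true;
    },
    status() { return { recording: session !== null, consentedAt, dropped }; },
  };
}

// Constructed in-memory recorder so the behaviour can be checked offline.
function makeFakeRecorder() {
  const captured = [];
  const start = () => {
    let stopped = false;
    return {
      record: (e) => { if (!stopped) captured.push(e); },
      stop: () => { stopped = true; },
    };
  };
  return { captured, start };
}

function demo() {
  const rec = makeFakeRecorder();
  const gate = createReplayGate(rec.start, () => 1000);
  gate.handle({ type: "keydown", key: "a" });   // before consent: dropped
  gate.grant();
  gate.handle({ type: "click", x: 10, y: 20 }); // after consent: recorded
  gate.revoke();
  gate.handle({ type: "scroll", y: 300 });      // after withdrawal: dropped
  return { captured: rec.captured, status: gate.status() };
}
```

Dropping pre-consent events instead of queueing them matters here: a buffer that is uploaded once consent arrives would still contain interactions captured before approval.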