Thanks to our Summer Associate, Maya Thomas, for her work on this timely blog.
2021 saw creative plaintiff attorneys initiating a string of class action lawsuits alleging that sessions replay software violated state wiretap acts— notably in California and Florida.
While decisions out of Florida led many to believe these types of cases were dying out, a recent ruling by the Ninth Circuit Court of Appeals has ignited fresh concerns that more sessions replay litigation may be on the horizon, potentially impacting other “all-party consent” jurisdictions. However, there are tangible steps that companies operating websites or mobile applications that capture consumer data can take to reduce the threat of litigation.
To recap briefly, session replay software captures various facets of a user’s interaction with a website or application. The software tracts content viewed by users, including keystrokes, mouse clicks, and search terms, to help website operators enhance users’ experiences. California and Florida, along with 11 other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Relying on these statuses, creative plaintiff’s attorneys have filed class action lawsuits generally alleging that sessions replay software intercepts communication without the consent of website users, violating these statutes.
Recent Sessions Replay Developments
Florida courts have generally dismissed lawsuits alleging that session replay software violated the Florida Security of Communications Act (“FSCA”). Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021). In Goldstein, the court ruled the content captured by the defendant’s website failed to “convey the substance of communication” as defined by the FSCA. This and other similar rulings out of Florida led many to believe that we would see an end to these types of claims.
The ruling in Javier is notable because most states with all-party-consent laws have statutes that mirror the general language of the CIPA (except for Pennsylvania, which expressly requires prior consent)—opening the door for future litigation against website operators who employ after-the-fact user consent.
Addressing Sessions Replay Litigation
Website operators subjected to all-party-consent statutes are not without options. As the Javier opinion noted, operators should expressly and affirmatively gain user consent prior to recording any user interactions. One way to do this is through pop-up cookie banners before users begin to interact with their websites. Additionally, website operators should ensure their privacy policies are updated and conspicuously hyperlinked on each web page to provide users with sufficient notice of the organization’s privacy policies. These policies should clearly indicate that users may be monitored while on their website.
Defending Against Sessions Replay Litigation
The Javier decision only narrowly addressed the issue of prior consent in sessions replay litigation. At present, California courts have yet to issue any definitive rulings on several other areas that remain open under California law and states with similar laws:
- Third-party eavesdropping: The question of whether session replay website operators are parties to communications on their websites and, therefore, are not third-party eavesdroppers, as prohibited under Section 631(a) is also an area that we are likely to see continued litigation. Currently, California district courts have reached differing outcomes on this issue. Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021); but Cf. Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 U.S. Dist. LEXIS 186955, at *3 (N.D. Cal. Oct. 23, 2019).
We will continue to monitor the sessions replay litigation landscape post-Javier for further developments. Stay tuned; CPW will be there to keep you in the loop.