Privacy Litigation 2022 Year in Review: Wiretapping Litigation

12 Jan 2023
Client Alert

2022 brought a new wave of data privacy lawsuits seeking to impose wiretapping liability on website operators and their service providers—just as the dust settled on the first wave. To date, plaintiffs have filed over 120 such lawsuits across nine jurisdictions (California, Florida, Illinois, Pennsylvania, Maryland, Massachusetts, Missouri, New York, and Washington) seeking to capitalize on statutory damages. California and Pennsylvania are at the focal point of these filings, with recent circuit court decisions reopening the floodgates.   

In addition to moving beyond California and Florida, a chief fixture of this second wave has been a focus on live chat recording. While about one-third of these cases are still premised on session replay—the technology at issue in the first wave of these cases—the remaining two‑thirds are premised on the alleged wiretapping of online customer service chat communications. 

This novel theory, which is exclusive to one California-based Plaintiffs’ firm, seeks statutory damages under two different provisions of the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 631, 632. Under CIPA § 631(a), plaintiffs contend over 70 website operators wiretapped, eavesdropped, or otherwise aided and abetted their service providers in wiretapping and eavesdropping on their online chat communications. Based on the allegation that plaintiffs accessed these online chat boxes via their smartphones, these complaints alternatively argue that defendants are liable under CIPA § 632.7, which makes unlawful the unauthorized recording of communications transmitted between two telephones.

Wiretapping Litigation Developments

New filings continue to trickle in, and while an increasing number of these lawsuits are in motion practice, a handful of motions to dismiss have already been heard or are otherwise primed for a ruling. Last month, one judge in the Northern District of California dismissed a session replay-based CIPA claim without prejudice, marking the first decision of note in this second wave.[1] Just recently, another session replay-based case pending in that district was dismissed on statute of limitations grounds, but the judge reached markedly different conclusions as to the defendant’s remaining CIPA defenses.[2] Because of the diverse wiretapping theories at play, and the broad geographic scope, it remains an open question whether this marks the beginning of the end for plaintiffs’ lawyers both inside and outside the state.

California is home to the vast majority of these filings.  Despite the 90-plus cases currently pending on state and federal court dockets, California law has not shifted significantly since the first wave of session replay filings. There are three rulings to flag: 

  • First and second are the Ninth Circuit’s ruling in Javier v. Assurance IQ, LLC,[3] which appears to have propelled this second wave of litigation, and Judge Charles Breyer’s decision on remand and reassignment.[4] 


    The Ninth Circuit narrowly held that CIPA requires prior consent to avoid liability, rather than consent obtained after the alleged interception or recording.[5] The court did not reach other arguments defendants successfully assert to oppose these claims: (i) the participant exception, (ii) the meaning of “contents,” and (iii) the meaning of interception “in transit.”[6]


    On remand, Judge Breyer considered three separate arguments for dismissal of Plaintiff’s CIPA claim: (i) implied consent, (ii) the participant exception, and (iii) statute of limitations.[7] While Judge Breyer dismissed the claim on statute of limitations grounds, he rejected the defendant’s other two arguments.[8] Judge Breyer found no implied consent because the plaintiff’s movements through the website manifested assent only to collection by the website operator, Assurance IQ.[9] And he found that ActiveProspect was not a party to the communication because it had the “capability to use its record of the interaction” beyond just its role as a service provider, making it unlike a “tape recorder.”[10] Judge Breyer further reasoned that third-party session replay tools like ActiveProspect’s are not “ubiquit[ous]” enough to make their vendors firsthand parties to all web communications, absent consent.[11]
  • Third is Judge William Alsup’s decision in Williams v. What If Holdings, LLC et al.[12] Relying explicitly on the reasoning of two cases from the first wave of session replay filings,[13] Judge Alsup concluded that both the website operator and its service provider, ActiveProspect, were parties to plaintiffs’ communications and therefore exempt from wiretapping liability.[14] Dismissing the CIPA claim on that issue alone, Judge Alsup did not consider whether (i) plaintiff consented, (ii) the recorded data constituted actionable “content,” or (iii) the interception occurred “in transit.”[15]

Pennsylvania, which did not see a lot of case activity in the first wave of session replay filings, has seen a surge in activity since the Third Circuit issued its opinion in Popa v. Harriet Carter Gifts, Inc.[16] In Popa, the Third Circuit considered a website operator’s liability under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (18 Pa. C.S. § 5701 et seq.) for deploying NaviStone’s JavaScript code on its website, which then placed tracking cookies on plaintiff’s browser.[17] The technology allegedly tracked plaintiff’s clicked links, use of the search function, tabs through form fields on the website, and add-to-cart actions.[18] The Popa court reached three key conclusions:

  • First, Pennsylvania’s wiretapping statute does not have a participant exception like the one recognized under CIPA or the federal Wiretap Act. Without a participant exception, even the website operator can be found liable as a wiretapper.[19] 
  • Second, electronic communications are “intercepted” when they are rerouted by software. In the case of cookies or code running on a website, that rerouting occurs at the location of the user’s browser. Therefore, the place of injury is the location of the user’s browser.[20] 
  • Third, while the court did not consider the consent issue in detail, it recognized that Pennsylvania state courts have found constructive rather than actual consent enough to avoid liability, forecasting a potential avenue for dismissal for website operators.[21]

Lawsuits in the remaining six states appear to be motivated by the activity in California and Pennsylvania, rather than any developments under their respective laws.  

Issues to Watch

As courts gear up to rule on these wiretapping cases, there are three issues to watch in 2023:

First, will analytics companies qualify for CIPA’s “party to the communication” exception in both the session replay and chat box context?  As discussed in our last article, California federal courts are split over whether a session replay provider is a third-party eavesdropper or a party to the communication.[22] No guidance has come from the Ninth Circuit, as the one session replay case appealed to that court was voluntarily dismissed.[23] While the underlying rationale—that an analytics company is a mere extension of the website operator it serves—should apply across both the session replay and chat box contexts, it remains to be seen what conclusions California courts will reach. 

Second, what defenses will prevail in Pennsylvania? Pennsylvania defendants lack the party to the communication exception available under California law and are subject to a more permissive definition of “interception.”[24] Those limitations aside, both the “consent” and “content” defenses previewed before remain viable, with the Third Circuit explicitly leaving the door open for “consent” and omitting any discussion of “content.”[25]

Third, how might courts in the remaining jurisdictions rule? While “consent” is a universal defense to the remaining wiretapping statutes,[26] each state presents a tapestry of unique issues. For example, Washington lacks a clear “party to the communication” exception under its wiretapping statute, but at least one court has held that communications intended for the receiving party cannot be “private” so as to support liability.[27] Meanwhile, New York’s and Missouri’s wiretapping statutes are one-party consent laws, meaning just the website operator’s consent is sufficient to eliminate liability.[28] Florida’s Security of Communications Act (FSCA), on the other hand, was amended in 1988 to exclude devices that permit “the tracking of the movement of a person or an object,” leading to a seminal state court decision categorically exempting session replay from the statute’s scope.[29] A similar emphasis on legislative history may gain traction in other states, as courts wrestle with the applicability of decades-old wiretapping laws to “commonplace analytics software” like session replay and live chat recording.[30] 

Because of the various possible state-by-state permutations, it remains to be seen whether a unified and coherent case law can or will develop across these jurisdictions, or if the strategy to defeat and avoid litigation will need to be tailored for each state.

[1] Williams v. What If Holdings, LLC et al., No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

[2] Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225 (N.D. Cal. Jan. 5, 2023).

[3] No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022).

[4] Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225 (N.D. Cal. Jan. 5, 2023).

[5] Id. at *2.

[6] Id.

[7] Id. at *3.

[8] Id. at *7-9.

[9] Id.

[10] Id. at *6 (emphasis in original).

[11] Id.

[12] 2022 WL 17869275.

[13] Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832 (N.D. Cal. 2021); Yale v. Clicktale, Inc., No. 20-cv-07575-LB, 2021 WL 4025797, at *1 (N.D. Cal. Aug. 24, 2021).

[14] Williams, 2022 WL 17869275, at *3.

[15] Id. at *4.

[16] 52 F.4th 121 (3d Cir. 2022).

[17] Id. at 124-25.

[18] Id.

[19] Id. at 129.

[20] Id. at 130-31.

[21] Id. at 132.

[22] Compare Graham, 533 F. Supp. 3d at 832 (applying the participant to the communication exception to an analytics company), with Saleh v. Nike, Inc., No. 2:20-CV-09581-FLA (RAOx), 2021 WL 4437734, at *15 (C.D. Cal. Sept. 27, 2021) (refusing to apply the participant to the communication exception to an analytics company).

[23] Order, Johnson v. Blue Nile, Inc. et al., No. 21-16378 (9th Cir. Feb. 11, 2022), ECF No. 24.

[24] Popa, 52 F.4th at 129.

[25] Id.

[26] See Mo. Ann. Stat. § 542.402.2; Wash. Rev. Code § 9.73.030(1); 720 Ill. Comp. Stat. 5/14-1, -2; Mass. Gen. Laws ch. 272, § 99; Fla. Stat. 934.03; Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3); N.Y. Penal Law §§ 250.00, 250.05.

[27] Hoang v. Amazon.com, Inc., No. C11-1709MJP, 2012 WL 1088165, at *5 (W.D. Wash. Mar. 30, 2012).

[28] Mo. Ann. Stat. § 542.402.2 (requiring only one party’s consent so long as the interception was not for the purpose of committing any “criminal or tortious act”); see also N.Y. Penal Law §§ 250.00, 250.05 (omitting any crime-tort exception).

[29] Fla. Stat. § 934.02(12)(c); Jacome v. Spirit Airlines Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *3 (Fla. Cir. Ct. June 17, 2021).

[30] Jacome, 2021 WL 3087860, at *3.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.
