The TCPA has proven itself to be a reliable revenue-generating statute for consumer law attorneys and professional plaintiffs and has functioned as a virtual ATM for quite a few of them over the past ten years. Despite the ready availability of TCPA claims, the more enterprising among them are always seeking new opportunities to exploit the law to line their own pockets at the expense of well-meaning companies through wiretap lawsuits.
Hence, many consumer law attorneys have repurposed wiretap laws that have been on the books for decades to craft new individual and class action lawsuits against companies for using technologies that never existed at the time those laws were enacted; namely technology that that captures website browsing data for analysis, such as website session replay software, chatbots, and website traffic analysis and tracking tools.
Several states have wiretap laws on the books, including California, Florida, Illinois, and Pennsylvania. California courts in particular have experienced a significant increase in putative class action filings under Section 631 of California’s wiretap statute, better known as the California Invasion of Privacy Act (CIPA).
In CIPA lawsuits, plaintiffs typically claim that a website that employs software tools that utilize session replay, chat, or pixel tracking functionality allows the software provider to access “communications” between a website operator and a user without the user’s knowledge or consent.
The TCPA has been called a “hair trigger” statute because all it takes to violate the law is a single unsolicited call or text. However, it is arguably even easier to generate a wiretap violation claim, as all a putative plaintiff needs to do is visit a website that employs the requisite technology.
Session Replay Cases
One of the most common wiretap cases are those involving the use of session replay software, which allows website operators to record mouse movements, keystrokes, and search information inputted into websites, as well as pages and content viewed. Originally developed to gain insights into how users interact with a website, session replay tools such as ActiveProspect’s TrustedForm have become an indispensable element of marketing compliance, as they enable marketers to “replay” an online form submission event should it later be cast into doubt.
However, if a third-party provider of session replay software has access to a customer’s website session data (as is often the case), plaintiffs can then argue that such access amounts to a modern-day equivalent of an illegal wiretap. One way to combat this argument is to ensure that the agreement between session replay software provider and customer limits the vendor’s access to session replay data for the sole purpose of storing or analyzing it on the customer’s behalf, as opposed to the vendor’s internal purposes.
In the 2021 California case of Graham v. Noom, Inc., the defendant argued that because the provider of session replay software did not use the data for its own purposes but did so solely on the defendant’s behalf and was therefore acting as an extension of the defendant. The court agreed and dismissed the claim on that basis, reasoning that a party cannot “tap its own wire.”
Chat Software Cases
Many consumer-facing websites incorporate a “live chat” feature to better interact with existing and prospective customers online. Chat software can be operated by a live agent or can run independently as a “chatbot,” but again, if the software provider has access to the conversations between its customer and the users of the website, it opens the door to a wiretap lawsuit.
On May 6, 2024, a court in the Central District of California ruled to dismiss a CIPA lawsuit based on the use of chat software, finding that the allegations levied against the defendant did not constitute unlawful conduct under CIPA.
In essence, Section 631(a) of CIPA prohibits anyone from willfully reading, attempting to read, or learning the contents of any message, report, or communication while it is in transit or passing over any wire, line, or cable within the state of California without the consent of all parties to the communication.
In Cody v. Boscov's, Inc., No. 22-cv-01434 (C.D. Cal. May 6, 2024), the plaintiff alleged a violation of CIPA §631(a) against a department store after accessing its website via her phone and using site’s online chat feature. In essence, Section 631(a) of CIPA prohibits anyone from willfully reading, attempting to read, or learning the contents of any message, report, or communication while it is in transit or passing over any wire, line, or cable within the state of California without the consent of all parties to the communication.
In her complaint, the plaintiff alleged that the chat software code intercepted her website conversation and rerouted it to servers owned by the software provider, which allegedly stored and used the data for its own purposes without the plaintiff’s consent.
The Court dismissed the plaintiff’s §631(a) claim, holding that the use of a web browser on a cell phone does not constitute a “telephonic communication,” and that the chat software was not “intercepting” the communications while they were “in transit.” Instead, the software provider only stored the communications after they had already been received.
This decision falls in line with similar California cases in which the court held that third parties who record and store online communications do not violate CIPA, but are instead acting as the defendant’s recording system, and therefore an extension of defendants themselves, rather than acting as another party listening in.
The Complaint also included a claim under CIPA §632.7, which prohibits any party from intercepting and recording a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone. The court dismissed this claim as well, because the plaintiff was naturally unable to identify the exact type of phone the defendant was allegedly using on its website or demonstrate that a telephone was even used.
Courts across the state continue to reject CIPA claims based on website live chat features, but class action attorneys are nothing but persistent, and are constantly testing new theories to see which one might stick. Therefore, any company that employs an online chat feature should take measures to notify site users that communications via their website’s live chat could be recorded and shared and should also obtain the user’s consent to do so before the chat begins.
Meta Pixel Wiretap Cases
Wiretap cases based on the use Meta’s pixel tracking tool have recently started to become more common. The Pixel is free code from Meta that tracks user activity on a website for targeted advertising. To carry out its function, the code transmits certain information about how a user interacts with a website to Meta including the site HTTP headers, pixel-specific data, and other information depending upon how a company configures the software.
In Meta Pixel cases, plaintiffs allege that the Pixel shares browsing data with Meta/Facebook, which is acting as a third party wiretapper in collecting this data for its own gain. This is an important distinction from the session replay and chat cases, where defendants are able to successfully argue that the software provider is acting on their behalf, rather than for its own internal purposes.
In a putative class action case titled In re Meta Pixel Healthcare Litigation, Meta is attempting to fend off a wiretap claim based on accessing the plaintiffs’ sensitive health data via the Pixel without consent. In September of 2023, the judge in that case denied Meta’s motion to dismiss many of its claims, including the wiretap allegations.
Potential Wiretap Defenses
Defendants have relied upon a variety of defenses when attempting to defeat wiretap claims. In addition to the defense of being exempt from liability as a party to the communication, defendants often argue that plaintiffs lack standing because they visited the website at the behest of the class action attorney representing them, or otherwise as a purported “tester,” rather than doing so to transact business with the defendant online.
In other cases, defendants argue that the plaintiff ignored a website notification informing them that the software at issue was being used, or otherwise directed them to the website privacy policy which also referenced it.
Regardless of the availability of defenses, companies should be aware of the potential for wiretap lawsuits and prepare for them by including a mandatory arbitration and class action waiver provision in their online terms of service, which can help protect against class action litigation.
