As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.
1. Chat Window Wiretapping Claims.
These lawsuits specifically claim that the use of chat windows, without the proper disclosures and notices, violates laws in states that have two-party consent or all-party consent requirements. This is because the website uses a third-party vendor to provide the chat window, which involves the recording of the chats between the user and the company allegedly without the user’s knowledge or consent.
The most movement in these lawsuits has been in California. A few of the claims have been dismissed as the courts have found that the complaints failed to sufficiently plead that the chat communications were intercepted by a third party that used the communications for its own purposes. Instead, as part of their services to the website operator and often pursuant to a contract, these third parties are using the recordings solely for the website operator’s benefit. We will likely see more movement on the remaining lawsuits in the next few months.
2. Session Replay Technology Claims.
Similar to the chat window wiretapping claims, there are broader claims that the use of specific technology and tools on a website that records the user’s behavior on the website violates wiretapping laws in two-party consent or all-party consent states. This technology involves the website’s ability to capture or track a user’s behavior, including but not limited to, which screen is being viewed, the user’s inputs (keyboard and mouse clicks) on a page, and other user movements around the website. While there has not been much movement regarding the session replay technology claims, the Southern District of California and the Ninth Circuit Court of Appeals held that a browse-wrap agreement was insufficient to compel arbitration.
Here, the Court held that the e-commerce defendant did not provide adequate notice of a change to the terms of its TOS. So, in effect, the 2019 TOS never replaced the original 2016 TOS. The Court of Appeals determined that the burden was on the e-commerce defendant to show that the users consented to the new 2019 TOS. Finally, the Court of Appeals found no evidence that an email that was allegedly sent to the users adequately notified them of the updated TOS, which also contained an updated arbitration clause.
3. VPPA Claims.
Generally, the VPPA (1988) prohibits a video tape service provider (extended to apply to any online video provider) from knowingly disclosing the personal information of a consumer unless certain enumerated exceptions apply. 18 U.S.C. § 2710(b)(1). Thus, the theory is that when a website uses specific cookies to target ads to visitors (the most common example being the Meta Pixel or Facebook Pixel) where video content is provided, the website is effectively sharing third-party information about the user, including what the user is watching and for how long.
In a lawsuit involving Home and Garden TV’s website (hgtv.com), the website provided options to its users to sign up for a newsletter by providing an email address and asking them to choose from various themes for the website. The plaintiffs reported that they had accounts on popular social media networks and alleged to which that the HGTV website transmitted to such social media companies their personal information and viewing habits on the HGTV website.
However, the Court disagreed and dismissed the complaint. Generally, the Court agreed with the defendant in that “there is no suggestion that plaintiffs purchased or rented a covered good or service from HGTV. Plaintiffs’ claim turns on whether their subscriptions to HGTV newsletters make them “subscribers” of a good or service covered by the VPPA. HGTV argues that the newsletters were distinct from plaintiffs’ video-streaming activities, and that, for the purposes of the VPPA, plaintiffs do not plausibly allege that they were subscribers.” The Court concluded that the term “consumer” under the VPPA is narrow and must be paired or connected to a “video tape service provider,” not to a broader category of consumers. Specifically, “a reasonable reader would understand the definition of ‘consumer’ to apply to a renter, purchaser or subscriber of audio-visual goods or services, and not goods or services writ large.” Therefore, the Court dismissed the complaint for failure to state a claim.
Takeaways. As we previously covered in February, even with the updates to the pending litigation, a lot remains to be seen as to how to implement controls that will potentially safeguard companies against such claims. That said, at a minimum, businesses should do the following:
- Review website technologies. Review all publicly-facing websites and evaluate the data collected, processed, and shared by the website. Inventory all tracking technologies, including but not limited to cookies, pixels, replay technologies, biometrics, and embedded links.
Taft will continue to monitor developments in this area and provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights and don’t forget to download our free mobile app, to give you quick, real-time access to Taft PDS content and updates like this one.