chevron-down Created with Sketch Beta.

ARTICLE

Tips for Protecting Your Business from Wiretap Lawsuits Targeting Companies with Consumer-Facing Websites

Alexander (Sandy) Bilus, Joseph Lipchitz, and Allison Burdette

Summary

  • A recent nationwide surge of class action plaintiffs using state wiretap statutes to sue businesses with consumer-facing websites is causing many companies to pay closer attention to the data collected by their websites.
  • These lawsuits are particularly focused on the use of session replay software and invoke dual consent wiretap statutes, which impose criminal and civil liability unless all parties to the communication consent to the “interception” of that communication.
Tips for Protecting Your Business from Wiretap Lawsuits Targeting Companies with Consumer-Facing Websites
Delmaine Donson via Getty Images

In an effort to enhance customer experience, many businesses and institutions have their public-facing websites collect information with the use of cookies, web beacons, chatbots, and/or “session replay” software regarding how third-parties interact with those websites, what products and services they are interested in, or how long they spend visiting a particular webpage. However, a recent nationwide surge of class action plaintiffs using state wiretap statutes to sue businesses with consumer-facing websites is causing many companies to pay closer attention to the data collected by their websites. These lawsuits are particularly focused on the use of session replay software and invoke dual consent wiretap statutes, which impose criminal and civil liability unless all parties to the communication consent to the “interception” of that communication.  Massachusetts, Pennsylvania, California, Florida, Maryland, and Illinois are among the states with dual consent wiretap statutes.

Session replay software tracks virtually every aspect of a user’s interactions with a company’s website, essentially allowing the company to “replay” the user’s “session” on the website, including mouse movements, mouse clicks, searches, and other information helpful to companies looking to improve a consumer’s experience on the website.

Because the session replay provider collecting the data is often a third-party vendor, plaintiffs’ attorneys across the country are filing class action lawsuits alleging that companies are violating state wiretapping and privacy laws by using session replay software to collect and share website visitors’ data. Central to these lawsuits is the argument that a visitor’s interactions with a website, regardless of whether any text or words are captured, constitute “communications,” which are being illegally intercepted without that visitor’s consent. Given the damages framework built into many state wiretapping statutes—which can include statutory damages for each and every “violation,” punitive damages, and attorney fees—the potential exposure in a class action of this nature can be significant. In addition, because wiretap statutes are often criminal statutes, such class action lawsuits also create the risk of criminal exposure and potential reporting requirements, as well as public relations issues.

Preventative Measures for Avoiding Session Replay Lawsuits

Companies can help protect themselves from class action wiretap lawsuits related to session replay software and other website analytics tools by taking action to improve transparency with their consumers, including the following:

Create or Update Privacy Policies

By publicly posting a privacy policy on your website, you can provide consumers with notice that your company uses session replay software and other analytics tools, and further identifying what data is collected, what data is shared, with whom, and for what purposes.

Revise Terms of User Agreement

Your company may require its customers to accept a user agreement before engaging with your website, submitting information, and/or completing a purchase. The user agreement can set the standard for potential dispute resolution with the customer, potentially including a provision requiring that disputes be addressed on an individual basis through arbitration rather than class action litigation. It can also establish a particular forum for any disputes to decrease the chances of being sued in multiple jurisdictions across the country.

Obtain Consent

A pop-up banner that users must click to indicate that they agree with your company’s data collection practices can be an effective tool for establishing that the user consented to the collection and use of their information.