Does your company use tracking or session replay software to understand how users interact with your website? If so, you may be the next target of a new wave of class actions sweeping across Florida and California. The lawsuits allege that companies using session replay and other tracking software on their websites are violating state wiretap laws, entitling the plaintiffs to liquidated damages and attorney’s fees. This alert discusses the technology, the lawsuits and steps companies can take to proactively minimize these litigation risks.

The Technology

Many companies use third-party analytical applications to understand how customers interact with their websites. One example is session replay software, which collects small pieces of log data, page scrolling and cursor behavior on the website. The business can then assess this information to improve the effectiveness of its online presence. The use of this software is increasing as digital marketing becomes more sophisticated.

The Lawsuits

Recently, dozens of lawsuits were filed in Florida and California alleging that companies using session replay software are in violation of state wiretap laws, such as the Florida Security in Communications Act (FSCA) and the California Invasion of Privacy Act (CIPA). These laws prohibit the intentional interception of communications and create private rights of action. The penalties for violation of these laws can be stiff. The FSCA, for example, allows for injunctive relief, actual damages, liquidated damages of at least $100 a day for each day of a violation or $1,000 (whichever is higher), punitive damages and attorney’s fees. CIPA permits, among other things, $5,000 in statutory damages per violation or three times the amount of actual damages, whichever is greater.

Available Defenses

The state wiretap laws were never intended to apply to this scenario and there are strong defenses to these lawsuits. Such defenses include:

• implied/express consent based on notice of the technology and continued use of the site;
• exceptions in the FSCA for business communications;
• a lack of interception of communication content; and
• for California cases, the inability of a party to eavesdrop on its own conversation.

Proactively Minimizing the Risks

Fortunately, companies can take steps to proactively strengthen their defenses and mitigate or transfer the litigation risks. First, your company must perform due diligence to understand how your session replay and other website tracking solutions operate. What information do they collect (and not collect)? How is the information used/shared/stored? What rights do you have against your vendors if your company is targeted with one of these lawsuits?

Next, your company’s online privacy notice and, depending on the circumstances, any terms of use should accurately and clearly disclose the use of tracking software. The notices should inform visitors/customers that their continued use of the company’s website shall be considered consent to the notices’ terms. Additionally, your company may consider using a website pop-up that requires reading and/or consent before the visitor is allowed to proceed to the site.

It is also good practice to explore risk transfer options, like revisiting your agreement with session replay and tracking solution vendors to strengthen your indemnification rights (where possible) or obtaining insurance that would cover claims relating to your website technology.

Takeaways

Companies should engage experienced counsel knowledgeable in session replay/tracking technology and state privacy laws to help proactively minimize risks of a wiretap lawsuit. At a minimum, in-house counsel should ask questions to understand how their company’s website uses session replay and other tracking solutions. Effective notice and consent mechanisms should then be implemented to accurately disclose and obtain consent for the use of session replay and tracking technology. Lastly, companies should evaluate risk transfer opportunities like third-party indemnification or acquiring insurance that would provide coverage for third-party losses associated with this new wave of lawsuits.

Read more Privacy & Data Security Client Alerts >>