Does your company use tracking or session replay software to understand how users interact with your website? If so, you may be the next target of a new wave of class actions sweeping across Florida and California. The lawsuits allege that companies using session replay and other tracking software on their websites are violating state wiretap laws, entitling the plaintiffs to liquidated damages and attorney’s fees. This alert discusses the technology, the lawsuits and steps companies can take to proactively minimize these litigation risks.
Many companies use third-party analytical applications to understand how customers interact with their websites. One example is session replay software, which collects small pieces of log data, page scrolling and cursor behavior on the website. The business can then assess this information to improve the effectiveness of its online presence. The use of this software is increasing as digital marketing becomes more sophisticated.
Recently, dozens of lawsuits were filed in Florida and California alleging that companies using session replay software are in violation of state wiretap laws, such as the Florida Security in Communications Act (FSCA) and the California Invasion of Privacy Act (CIPA). These laws prohibit the intentional interception of communications and create private rights of action. The penalties for violation of these laws can be stiff. The FSCA, for example, allows for injunctive relief, actual damages, liquidated damages of at least $100 a day for each day of a violation or $1,000 (whichever is higher), punitive damages and attorney’s fees. CIPA permits, among other things, $5,000 in statutory damages per violation or three times the amount of actual damages, whichever is greater.
The state wiretap laws were never intended to apply to this scenario and there are strong defenses to these lawsuits. Such defenses include:
- implied/express consent based on notice of the technology and continued use of the site;
- exceptions in the FSCA for business communications;
- a lack of interception of communication content; and
- for California cases, the inability of a party to eavesdrop on its own conversation.
Proactively Minimizing the Risks
Fortunately, companies can take steps to proactively strengthen their defenses and mitigate or transfer the litigation risks. First, your company must perform due diligence to understand how your session replay and other website tracking solutions operate. What information do they collect (and not collect)? How is the information used/shared/stored? What rights do you have against your vendors if your company is targeted with one of these lawsuits?
It is also good practice to explore risk transfer options, like revisiting your agreement with session replay and tracking solution vendors to strengthen your indemnification rights (where possible) or obtaining insurance that would cover claims relating to your website technology.
Companies should engage experienced counsel knowledgeable in session replay/tracking technology and state privacy laws to help proactively minimize risks of a wiretap lawsuit. At a minimum, in-house counsel should ask questions to understand how their company’s website uses session replay and other tracking solutions. Effective notice and consent mechanisms should then be implemented to accurately disclose and obtain consent for the use of session replay and tracking technology. Lastly, companies should evaluate risk transfer opportunities like third-party indemnification or acquiring insurance that would provide coverage for third-party losses associated with this new wave of lawsuits.