By Scott Hall, Mari Clifford, and Amber Leong
Numerous new website technologies and tools allow companies to more effectively interact with their customers. These include chatbots, session recording software, tracking pixels (snippets of code that can be used to identify certain designated behavior on a website like seeing which products users are clicking on), and cookies (which remember products previously added to a shopping cart). All of these tools are immensely helpful in engaging with and identifying user experiences, and they help improve and promote a company’s business operations.
Plaintiffs’ attorneys have recently argued that the use of these website technologies – especially when provided or facilitated by a third-party vendor – constitutes violations of wiretapping and eavesdropping statutes. Under these statutes – both federal and state analogs – it is a violation if an individual uses a recording device to eavesdrop or intercept a confidential communication without the consent of the parties.
Historically, these statutes were used against individuals secretly listening in on private telephonic conversations. However, plaintiffs’ attorneys have revived these statutes to claim that companies are violating these laws through the use of website technologies. And some courts have allowed some of these claims to pass the motion to dismiss stage.[1]
This has created a flurry of pre-litigation demands against companies with consumer-facing websites. Many companies seek to settle these claims to avoid litigation costs, but several matters have gone to court. As more of these cases are making their way through the courts, we are able to see patterns in how courts are addressing these claims. There now appears to be a distinction emerging between claims that are allowed to proceed past the motion to dismiss stage and those that are not. Chatbots and session recording technologies used only to aid in servicing the website as a service provider have been found insufficient to state a claim under the wiretapping statutes.[2] By contrast, the use of these tools to collect user data that a third-party vendor is permitted to use for other purposes (including its own business purposes or with services to other companies) has been found to be sufficient to pass the motion to dismiss hurdle.[3]
The logic behind the reasoning is that there is no unlawful third-party “interception” by an entity that is acting as a service provider to provide a service for the company with whom the individual consumer is interacting. Put differently, a company cannot eavesdrop on itself or “intercept” its own communications.[4]
Given this guidance, companies should take the following steps if they use any chatbots, mouse click trackers, or session-recording technology to better understand their users:
- Service Provider Agreements: Companies should enter into service provider agreements with the chatbot, session recording, or mouse click providers. Contained within the agreements should be clear contractual language that companies providing such services cannot sell, share or use the personal information of users for their own purposes. This language thus captures that the service provider is there to provide a service and reaps no benefit in the form of personal information data.
- Update Privacy Policies: Companies should update their privacy policies and ensure that the policies adequately disclose the use of any chatbots, mouse clicks, or session recording. While updating the privacy policies alone will not be sufficient to be compliant with the various data privacy laws because courts have held that privacy policies at the bottom or footer of webpages may not give sufficient notice of recordings, the policies are nevertheless necessary for compliance as the bare minimum requirements.
- Disclose Immediately Prior to Recording: Companies should explicitly disclose that chat communications or other website interactions are being recorded by a vendor, and that if a user chooses to continue, they are consenting to such recording. Consent is an adequate defense to the wiretapping and eavesdropping claims. While the issues of adequate notice and consent continue to be litigated throughout the courts, generally, providing disclosure of such recordings immediately prior to the session with the opportunity to not proceed should work to provide sufficient notice and consent under the wiretapping laws.
Overall, the legal landscape of these claims is still in flux. However, a clear line that has developed is that a company’s use of “service providers” providing the recording services for companies is not in violation if that service provider cannot use the information collected for purposes other than to support the company, particularly if adequate notice has been provided to the users. This rule, however, does not include the use of analytics or pixels—which the courts have frequently found involve data exchanges with third parties for purposes beyond providing a service and which have been found sufficient to proceed past the motion to dismiss stage.[5]
If you have questions about whether your website collection procedures are compliant, or if you have received a threat or complaint about violation of the wiretapping statutes based on website technologies, please reach out to the Coblentz Data Privacy & Cybersecurity Team.
[1] See e.g., Hazel v. Prudential Financial, Inc., 22-cv-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).
[2] See Licea v. Vitacost.com, Inc., —F.Supp.3d—, 2023 WL 5086893 (S.D. Cal. 2023).
[3] See e.g., Hazel, 2023 WL 3933073.
[4] See also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832-33 (N.D. Cal. 2021) (“[A]s a service provider, [third-party vendor] is an extension of [Defendant]. It provides a tool – like a tape recorder … that allows [Defendant] to record and analyze its own data in aid of [Defendant’s] business. It is not a third-party eavesdropper. As a result, [Defendant] is not liable for aiding and abetting [vendor’s] wrongdoing because there is no wrongdoing.”); Cody v. Boscov’s, Inc., ––– F.Supp.3d at ––––, 2023 WL 2338302, at *2 (C.D. Cal. 2023) (“Plaintiff must provide facts suggesting that [the vendors] are recording Defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to Defendant.”).
[5] Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023) (Data broker was not a party to internet users’ communications, for purposes of exemption from liability for wiretapping claims under the federal Wiretap Act and the California Invasion of Privacy Act, where broker allegedly tracked users’ browsing activities on websites other than its own to intercept their personal information and sell it to third parties.)