Protecting Your Business From Recent Trend of Wiretap Lawsuits Targeting Companies With Consumer-Facing Websites

person typing
Alexander (Sandy) R. Bilus, Joseph D. Lipchitz, Allison L. Burdette

Class Action Lawsuits Stemming From Use of Session Replay Software Are on the Rise

In an effort to enhance customer experience, many businesses and institutions have their public-facing websites collect information with the use of cookies, web beacons, chat bots, and/or “session replay” software regarding how third parties interact with those websites, what products and services they are interested in, or how long they spend visiting a particular webpage. However, a recent nationwide surge of class action plaintiffs using state wiretap statutes to sue businesses with consumer-facing websites is causing many companies to pay closer attention to the data collected by their websites. These lawsuits are particularly focused on the use of session replay software and invoke dual consent wiretap statutes, which impose criminal and civil liability unless all parties to the communication consent to the “interception” of that communication. Massachusetts, Pennsylvania, California, Florida, Maryland, and Illinois are among the states with dual consent wiretap statutes.

What You Need to Know:

  • There has been a recent nation-wide surge of class action lawsuits stemming from companies’ use of “session replay” software to track visitors to their websites.
  • These lawsuits claim that session replay software and other website analytical tools violate state wiretap laws, exposing companies to the danger of significant statutory damages.
  • This article explains the preventative measures that companies can take to help avoid having to defend against one of these lawsuits.

Session replay software tracks virtually every aspect of a user’s interactions with a company’s website, essentially allowing the company to “replay” the user’s “session” on the website, including mouse movements, mouse clicks, searches, and other information helpful to companies looking to improve a consumer’s experience on the website. 

Because the session replay provider collecting the data is often a third-party vendor, plaintiffs’ attorneys across the country are filing class action lawsuits alleging that companies are violating state wiretapping and privacy laws by using session replay software to collect and share website visitors’ data. Central to these lawsuits is the argument that a visitor’s interactions with a website, regardless of whether any text or words are captured, constitute “communications,” which are being illegally intercepted without that visitor’s consent. Given the damages framework built into many state wiretapping statutes, which can include statutory damages for each and every “violation,” punitive damages, and attorney’s fees, the potential exposure in a class action of this nature can be significant. In addition, because wiretap statutes are often criminal statutes, such class action lawsuits also create the risk of criminal exposure and potential reporting requirements, as well as public relations issues.

Preventative Measures for Avoiding Session Replay Lawsuits

Companies can help protect themselves from class action wiretap lawsuits related to session replay software and other website analytics tools by taking action to improve transparency with their consumers, including the following:

  • Create or Update Privacy Policies – By publicly posting a privacy policy on your website, you can provide consumers with notice that your company uses session replay software and other analytics tools, and further identifying what data is collected, what data is shared, with whom, and for what purposes.

  • Revise Terms of User Agreement – Your company may require its customers to accept a user agreement before engaging with your website, submitting information, and/or completing a purchase. The user agreement can set the standard for potential dispute resolution with the customer, potentially including a provision requiring that disputes be addressed on an individual basis through arbitration rather than class action litigation. It can also establish a particular forum for any disputes to decrease the chances of being sued in multiple jurisdictions across the country.

  • Obtain Consent – A pop-up banner that users must click to indicate that they agree with your company’s data collection practices can be an effective tool for establishing that the user consented to the collection and use of their information. 

The attorneys in Saul Ewing’s Cybersecurity and Privacy Group can assist with putting any and all of the above measures into place, as well as defending companies should they be subjected to a lawsuit alleging wiretapping violations.

Alexander Bilus Headshot
Joseph D. Lipchitz
Allison Burdette