The Third Circuit Weighs in on Whether Website Tracking Violates Pennsylvania’s Wiretap Act

Alexander (Sandy) R. Bilus, Tricia Duffy

A spate of lawsuits across the country has targeted companies that use website tracking and analytics tools, claiming they are violating prohibitions against illegal wiretaps. In a recent precedential decision, the Third Circuit weighed in on this issue, suggesting that companies can indeed be liable under Pennsylvania law if they fail to obtain adequate consent from website users. Companies that use these common tools should review the decision closely and take steps to guard against similar lawsuits.

What You Need to Know:

  • Companies that use common website tools (like cookies) to track and analyze the behavior of users of their website can be exposed to liability under state wiretap acts.
  • The Third Circuit recently reversed a grant of summary judgment that had been issued in favor of a defendant company, concluding that a cookie provider had intercepted the plaintiff’s communications with the company’s website.
  • It remains unresolved whether the company had obtained consent from the plaintiff for the interception of her communications.

 


 
The case arose after the plaintiff, Ashley Popa, was browsing the Harriet Carter Gifts website on her iPhone, entered her e-mail address into a pop-up window, added an item to her online “cart,” and then left the website without purchasing the item. According to Ms. Popa, she later discovered that a third-party marketing service, NaviStone, was tracking her activities on the Harriet Carter website without her knowledge. In simple terms, NaviStone was allegedly alerted to how Popa was interacting with the Harriet Carter website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. As a result, Popa filed suit against Harriet Carter and NaviStone (collectively “Defendants”) alleging that they violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”), 18 Pa. C.S. § 5701 et seq.
 
The WESCA provides a private civil cause of action to “[a]ny person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of [that statute]” against “any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication.” 18 Pa. C.S. § 5725(a). Defendants moved for summary judgment arguing, among other things, that under Pennsylvania law, a recipient of a direct communication could not intercept it. The district court agreed with the Defendants and granted summary judgment in their favor, and alternatively ruled that if any interception did occur, it happened outside Pennsylvania’s borders and, as a result, was not prohibited by the WESCA. However, on appeal, the Third Circuit reversed the district court’s holding and remanded. As discussed further below, the Court’s opinion analyzed three main issues: (1) what “intercept” means under the WESCA; (2) where “interception” occurs; and (3) whether Harriet Carter’s privacy policy sufficiently warned Popa that her communications were being sent to a third party.
 
Defendants Intercepted Popa’s Communications
 
Defendants took the position that, because NaviStone was a direct party to Popa’s communication, they were free from liability because Pennsylvania courts have held that no interception occurs when a direct recipient is the one acquiring the communications. However, after discussion of a 2012 amendment to the WESCA that expanded the definition of “intercept,” the Third Circuit rejected Defendants’ argument. Specifically, it held that the 2012 amendment included a narrow exemption for law enforcement officers when they acquire communications and are the “intended recipient” – but stopped short of exempting all “direct-party” communications. It follows, according to the Third Circuit, that under Pennsylvania law, there is no direct-party exception to liability under the WESCA (with a narrow exception for law enforcement under specific conditions).  
 
Interception Occurs Where Signals Are Routed to Servers
 
The point of interception was important in resolving this case because, in the context of recording telephone conversations, Pennsylvania courts have declined to extend the WESCA to conduct occurring wholly outside of the state. Here, there were two possible points of interception: (1) the place where Popa’s electronic communications were initially routed from her web browser to NaviStone’s servers; or (2) the location where Popa’s communications ultimately reached their final destination at NaviStone’s servers in Virginia. Applying the common and approved usage of “acquisition,” the Third Circuit held that NaviStone intercepted Popa’s communications at the point where the communications were initially routed to NaviStone’s servers.
 
That finding did not resolve the issue in this case, however, because the record was unclear as to exactly where Popa’s browser accessed Harriet Carter’s website and where NaviStone began telling her browser to communicate with its servers. Given this, the Third Circuit remanded to the district court to reconsider the issue in light of the Court’s directive that interception occurred at the point at which the signals were routed to NaviStone’s servers – wherever that was.
 
Issues Remain as to Whether Harriet Carter’s Privacy Policy Was Sufficient
 
Defendants set forth numerous policy arguments as to why Popa’s interpretation was wrong, including that her theory of liability “leads to the untenable conclusion that every time a content or service provider receives data on behalf of a website operator, that third party and the website operator may be violating WESCA.” Defs. Br. at 46. In rejecting this argument, the Third Circuit explained that the WESCA is not unreasonable due to the many exceptions from liability that exist. Specifically, the Court referenced the all-party consent exception, where interception can occur if all parties to the communication give prior consent. See 18 Pa. C.S. § 5704(4). Although Defendants urged application of that exception here, claiming that Popa gave prior consent to NaviStone’s interception of her communications by agreeing to Harriet Carter’s privacy policy, the Court declined to rule on the issue in the first instance.
 
Popa claimed that she never saw Harriet Carter’s privacy policy, but the Third Circuit hinted that it may not matter whether she actually saw the policy because under Pennsylvania law, “prior consent” does not require “actual knowledge” – all that matters is whether Popa knew or should have known that the communication was being recorded. As a result, the Third Circuit remanded, explaining that this issue needs to be resolved by the district court. This leaves open the question about what companies need to do in order to show a user’s “prior consent” under the WESCA.
 
Defendants’ Petition for Rehearing
 
On August 30, 2022, Defendants filed a petition for rehearing, arguing that the Third Circuit’s holding conflicts with Pennsylvania precedent and the Court’s “unprecedented interpretation transforms the WESCA into a superregulatory authority over the entire internet.” Defendants contend that the Third Circuit ignored Commonwealth v. Diego, 119 A.3d 370, 380 (Pa. Super. 2015), appeal denied 129 A.3d 1240 (Pa. 2015), a case that Defendants claim addressed the same issues but went the other way. The petition also argues that the impact of the Third Circuit’s ruling will be felt beyond the borders of Pennsylvania given the Court’s conclusion that interception occurs whenever an individual is browsing a website in Pennsylvania and that electronic communication is routed to a third-party server. The petition seeks panel review, and if panel review is denied, then it asks for en banc review. As of the date of this alert, the Third Circuit has not ruled on the Defendants’ petition.
 
Takeaways
 
Although the Third Circuit’s ruling that interception did occur may be viewed as a shift in Pennsylvania law, the issues that the Court did not resolve – including where interception occurred, but more importantly whether the website’s privacy policy sufficiently warned Popa that her activities were being tracked – still play a major role in how this case will impact website tracking in Pennsylvania. To better guard against wiretap act lawsuits in Pennsylvania and elsewhere, companies should: (1) ensure that their website privacy policies disclose whether they use analytics and tracking tools, particularly ones provided by third parties; (2) disclose whether their websites collect and share personal information with third parties, and for what purposes; and (3) consider adding a cookie banner or notification that asks users to affirmatively acknowledge and/or consent to the use of cookies and similar technologies on the website in order to continue browsing the website. The attorneys in Saul Ewing’s Cybersecurity and Privacy Group will continue to monitor developments in this evolving area of the law.
