A spate of lawsuits across the country has targeted companies that use website tracking and analytics tools, claiming they are violating prohibitions against illegal wiretaps. In a recent precedential decision, the Third Circuit weighed in on this issue, suggesting that companies can indeed be liable under Pennsylvania law if they fail to obtain adequate consent from website users. Companies that use these common tools should review the decision closely and take steps to guard against similar lawsuits.
What You Need to Know:
- Companies that use common website tools (like cookies) to track and analyze the behavior of users of their website can be exposed to liability under state wiretap acts.
- The Third Circuit recently reversed a grant of summary judgment that had been issued in favor of a defendant company, concluding that a cookie provider had intercepted the plaintiff’s communications with the company’s website.
- It remains unresolved whether the company had obtained consent from the plaintiff for the interception of her communications.
The case arose after the plaintiff, Ashley Popa, browsed the Harriet Carter Gifts website on her iPhone, entered her e-mail address into a pop-up window, added an item to her online “cart,” and then left the website without purchasing the item. According to Ms. Popa, she later discovered that a third-party marketing service, NaviStone, was tracking her activities on Harriet Carter’s website without her knowledge. In simple terms, NaviStone allegedly was alerted to how Popa was interacting with Harriet Carter’s website, including which pages she visited, when she filled in an e-mail address, and when she added an item to her cart. As a result, Popa filed suit against Harriet Carter and NaviStone (collectively “Defendants”) alleging that they violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”), 18 Pa. C.S. § 5701 et seq.
Defendants Intercepted Popa’s Communications
Defendants took the position that, because NaviStone was a direct party to Popa’s communication, they were free from liability because Pennsylvania courts have held that no interception occurs when a direct recipient is the one acquiring the communications. However, after discussion of a 2012 amendment to the WESCA that expanded the definition of “intercept,” the Third Circuit rejected Defendants’ argument. Specifically, it held that the 2012 amendment included a narrow exemption for law enforcement officers when they acquire communications and are the “intended recipient” – but stopped short of exempting all “direct-party” communications. It follows, according to the Third Circuit, that under Pennsylvania law, there is no direct-party exception to liability under the WESCA (with a narrow exception for law enforcement under specific conditions).
Interception Occurs Where Signals Are Routed to Servers
The point of interception was important in resolving this case because, in the context of recording telephone conversations, Pennsylvania courts have declined to extend the WESCA to conduct occurring wholly outside of the state. Here, there were two possible points of interception: (1) the place where Popa’s electronic communications were initially routed from her web browser to NaviStone’s servers; or (2) the location where Popa’s communications ultimately reached their final destination at NaviStone’s servers in Virginia. Applying the common and approved usage of “acquisition,” the Third Circuit held that NaviStone intercepted Popa’s communications at the point where the communications were initially routed to NaviStone’s servers.
That finding did not resolve the issue in this case, however, because the record was unclear as to exactly where Popa’s browser accessed Harriet Carter’s website and where NaviStone began telling her browser to communicate with its servers. Given this, the Third Circuit remanded to the district court to reconsider the issue in light of the Court’s directive that interception occurred at the point at which the signals were routed to NaviStone’s servers – wherever that was.
Defendants’ Petition for Rehearing
On August 30, 2022, Defendants filed a petition for rehearing, arguing that the Third Circuit’s holding conflicts with Pennsylvania precedent and that the Court’s “unprecedented interpretation transforms the WESCA into a superregulatory authority over the entire internet.” Defendants contend that the Third Circuit ignored Commonwealth v. Diego, 119 A.3d 370, 380 (Pa. Super. 2015), appeal denied 129 A.3d 1240 (Pa. 2015), a case that Defendants claim addressed the same issues but went the other way. The petition also argues that the impact of the Third Circuit’s ruling will be felt beyond the borders of Pennsylvania given the Court’s conclusion that interception occurs whenever an individual is browsing a website in Pennsylvania and that electronic communication is routed to a third-party server. The petition seeks panel review and, if panel review is denied, asks for en banc review. As of the date of this alert, the Third Circuit has not ruled on the Defendants’ petition.