As companies take advantage of new technologies in their interactions with customers and employees, they need to be mindful of the risks associated with implementation of those types of systems.
This is especially true in the realm of federal and state privacy statutes, which in some instances have been created recently to address privacy concerns. There are also existing laws that are now being applied in a different context.
This article focuses on two such instances, including wiretapping statutes and the Illinois Biometric Information Privacy Act, or BIPA.
Wiretap Statutes as a Class Action Tool
A new wave of class actions filed in California, Pennsylvania and Florida assert that the use of tracking technologies on websites violates state wiretap and privacy laws.
These suits potentially expose businesses to substantial penalties, with fines ranging from $1,000 to $50,000 per violation, depending on the state.
Since a violation arguably occurs every time a user accesses a website in one of these states, the amount of penalties to which a business may be subject can rise rather quickly.
The Tracking Technologies at Issue
The two technologies at issue include session replay software and coding tools embedded in chat features. Session replay software tracks a user's interactions with the website — their clicking, scrolling, swiping, hovering and typing — and creates a stylized recording of those interactions and inputs. Coding tools create and store transcripts of the conversations users have in a website's chat feature.
State Wiretapping Statutes
Plaintiffs ground their claims in the electronic interception provisions of state laws — for example, the California Invasion of Privacy Act, or CIPA, and the Pennsylvania Wiretapping and Electronic Surveillance Act, or WESA.
Generally, these wiretap statutes prohibit the unauthorized interception or disclosure of communications transmitted electronically. Plaintiffs behind this new litigation trend allege that businesses have violated the law when they record or store the user's interactions with their website and send those recordings to a third party.
Who Is a "Party" to a Communication
Under the federal and some state wiretapping statues, participants of a communication are expressly exempt from liability, i.e., a party cannot eavesdrop on a communication in which it is already participating as one of the parties.
While this exception is clear on the face of the statutes, its application in the context of website tracking technologies is more nuanced.
For example, in In re: Facebook Internet Tracking Litigation, the U.S. Court of Appeals for the Ninth Circuit held in 2020 that Facebook's use of plug-ins on third-party websites, which duplicated the message a user sends to a webpage's server — called a GET request — and transmitted that information directly to Facebook's server, did not make Facebook a party to the communication between the user and the website under the Wiretap Act or CIPA.[1]
This holding stands in contrast to a 2015 U.S. Court of Appeals for the Third Circuit holding in In re: Google Cookie Placement, where the court held that third-party advertisers' use of cookies to duplicate a user's GET request for purposes of displaying targeted third-party advertisements on the webpage did not violate the Wiretap Act because the communication occurred directly between the user and the third-party advertisers.[2]
Despite the apparent incongruity between the rulings, these cases make two important concepts clear:
- First, the Wiretap Act and CIPA are not implicated when the party recording the communication is a direct participant of the underlying communication; and
- Second, the recording must occur simultaneously with the communication to implicate these wiretap statutes.
Aiding and Abetting, and Third-Party Vendors
After the Ninth Circuit's opinion in the case of Facebook, plaintiffs began filing class actions alleging companies that employ third-party session reply technology on their websites were aiding and abetting violations of the wiretap statutes. Here too, there is a split among the courts that have considered the issue.
In two cases last year, Graham v. Noom Inc. and Johnson v. Blue Nile Inc., the U.S. District Court for the Northern District of California classified session replay software as a service provided to website operators by a vendor.[3]
In doing so, the court opined that the software company was essentially an extension of the website operator and, thus the website operator was a participant of the communication.[4]
However, in Saleh v. Nike Inc., also in 2021, the U.S. District Court for the Central District of California rejected this reasoning and found that a website operator could be liable for the use of session replay software and did not see the services as an extension of the website operator.[5]
The takeaway here is that companies should pay close attention when engaging a third-party software company to provide recording technologies. Companies would be well served to structure these relationships so that the services provided resemble an extension of the company.
A Matter of Prior Consent
In May of this year, the Ninth Circuit held in Javier v. Assurance IQ LLC that CIPA requires prior consent, and explicitly rejected the argument that a business can obtain consent to the use of session replay software after the recording has begun. However, the Ninth Circuit did not comment on what would amount to effective consent.[6]
And, just last week, the Third Circuit in Popa v. Harriet Carter Gifts acknowledged that the defendants could avoid liability if they could demonstrate that the plaintiff had consented to the recording.[7]
The Third Circuit declined to weigh in on the adequacy of the defendant's privacy policy and whether it sufficiently alerted the plaintiff to the fact that her communications were being recorded; instead, it sent that issue back to the district court.
Critically, the Third Circuit further concluded that the location of the interception was the plaintiff's browser, and not where the information was sent.
Thus, if other federal circuits follow the Third Circuit's approach, companies could be subject to liability under a state wiretap statute each time a user accesses their website from that state.
What Safeguards Businesses Can Employ
Businesses can employ several proactive measures to protect against exposure to a class action or potentially incurring fines under state wiretap statutes.
First, because user consent is a defense under state wiretap statutes, companies should review their websites' terms of use and privacy policies and consider whether they provide substantive disclosures of how a user's interactions with the website are recorded and shared with service providers.
Companies should ensure that the disclosure of those terms is conspicuous. Given that there is not yet a clear standard as to what constitutes enforceable consent to the use of these technologies, obtaining affirmative consent from website users before starting any recordings or chat transcriptions is likely the strongest safeguard or defense.
Second, companies should consider what defenses exist under the relevant statutes.
The case law in this area is developing, and each state wiretapping statute provides a set of defenses, from showing that the user expressly or impliedly consented to the use of the technology, to establishing that the party accused of intercepting or disclosing an electronic communication was a direct party to the communication, to showing that the recording was not transmitted in real time.
A Case Study on BIPA
BIPA has created significant legal headaches for corporations over the past five years.
With the potential for actual damages or statutory liquidated damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation, plus attorney fees, costs and injunctive relief, companies need to ensure their compliance with BIPA's requirements in order to mitigate the potentially devastating impact of the statute to any businesses that collect, use or store biometric information.
This year, so far there have been several BIPA settlements in the eight figures and the first-ever landmark $228 million jury verdict in Rogers v. BNSF Railway Co in the U.S. District Court for the Northern District of Illinois.[8] In addition, new privacy laws have expanded to other states, including California, Arkansas, Kentucky, Maryland, New York, Texas and Washington.
These new laws make it imperative that companies using biometric data are compliant with the patchwork quilt of privacy obligations. In short, businesses must ensure they know exactly how and why they collect biometric data and how they obtain consent for the collection and storage of the data.
Compliance is not getting any easier. The Illinois Supreme Court earlier this year further narrowed possible defenses to litigating BIPA claims in issuing its long-anticipated decision in McDonald v. Symphony Bronzeville Park LLC.[9]
McDonald held that claims for statutory damages against an employer under BIPA are not preempted by the exclusivity provisions of the Illinois Workers' Compensation Act, or IWCA. This ruling resolved the issue of whether an employer could assert IWCA preemption as a defense to BIPA claims.
The court held that an injury resulting from a BIPA violation is not compensable under the IWCA. It reasoned that the plain language of BIPA, which references a "release executed by an employee as a condition of employment,"[10] supports the conclusion that state lawmakers did not intend BIPA claims brought by employees to be preempted by the IWCA's exclusivity provisions.
Upcoming BIPA Rulings
Other looming questions to be decided in the near future will have significant impact on BIPA's application.
The U.S. Court of Appeals for the Seventh Circuit issued a decision in Cothron v. White Castle Systems last year,[11] certifying to the Illinois Supreme Court the question of whether claims asserted under Sections 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information.
The practical real-world implications of the issue are enormous. Think of a line of workers clocking in and clocking out at the start of the day, at lunchtime, and at the end of their shifts. Damages could be crushing.
The Illinois Supreme Court recently heard oral argument in the case, with White Castle urging the court to find that a BIPA violation accrues only at the first alleged violation, and that to hold otherwise — i.e., each time an employee scanned his or her fingerprint to track work time or access secure company information systems — would expose businesses to astronomical damages claims.
The court's decision is still pending and will have enormous ramifications on the future of BIPA litigation.
Also at question is the appropriate limitations period applicable to BIPA claims. The Illinois Appellate Court in Tims v. Black Horse Carriers Inc.[12] held last year that a one-year limitations period governs actions brought under Sections 15(c) and (d) of BIPA, and Sections 15(a), (b) and (e) are subject to the catch-all five-year limitations period.
Black Horse Carriers filed a petition for leave to appeal to the Illinois Supreme Court, which was granted. Therefore, another clarification on BIPA law will be issued soon, which will further shape the future of class action privacy litigation.
What Should Companies Expect When Defending BIPA Actions?
BIPA lawsuits have expanded from the workplace employment litigation arena to include litigation against all types of corporate defendants utilizing biometric identifiers. The plaintiffs class action bar has expanded litigation to include allegations in connection with a company's disclosure, obtaining consent, collection, storage or profiting from biometric information.
In particular, a company should note that the consent provision in Section 15(b) of BIPA[13] consists of three requirements, including that the company must:
- Inform the individual in writing that their biometric data is being collected;
- Inform the individual in writing of the purpose of the biometric collection and the length for which the biometric data will be collected, stored and used; and
- Receive a written release for the biometric collection that is executed by the individual whose biometric data is being collected.
Venue is also an important consideration in privacy actions. Lawsuits filed in state court are subject to typically less stringent, more plaintiff-friendly procedural rules.
Particularly with the ability to begin discovery almost immediately in state court cases, companies can be subject to quickly mounting legal fees, coupled with a decreased ability to prevail at the motion to dismiss stage. The plaintiffs bar has successfully crafted complaints to avoid removal to federal court in order to keep them in state court.
How Can Companies Mitigate the Risk of BIPA Litigation?
To mitigate the risk of litigation, first and foremost, companies should do everything possible to ensure that their policies and procedures are compliant with privacy laws and regulations. There are several proactive measures that companies can take, including ensuring the utilization of robust policies following BIPA's notice and consent rules for consumers and employees.
In addition to having effective policies and consistently followed policies and procedures, companies can also have iron-clad arbitration agreements in place that mandate individual arbitration in the event of any dispute, including agreements with class action waivers. Moving these types of claims to arbitration can be an effective strategy to avoid potentially jaw-dropping damages claims.
Conclusion
With the ever-changing economy and patchwork quilt of laws and regulations, corporations face new, unique and challenging litigation risks and legal compliance problems.
Recent expansion of privacy statutes and the large jury verdicts will embolden the plaintiffs class action bar and equally serve as an eye-opener for businesses.
In the short term, companies can expect an uptick in the number of wiretap and BIPA class actions filed by the plaintiffs bar and an increase in settlement demands in already filed wiretap and BIPA class actions.
Gerald L. Maatman, Jr., Michael S. Zullo and J. Colin Knisely, are partners at Duane Morris LLP.
[1] See In Re Facebook Inc. Internet Tracking Litigation , 956 F.3d 589 (9th Cir. 2020).
[2] In Re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 140-41 (3d Cir. 2015).
[3] See Graham v. Noom, Inc., 533 F. Supp.3d 823 (N.D. CA 2021); Johnson v. Blue Nile, Inc. , No. 20-CV-08183, 2021 WL 1312771 (N.D. Cal. April 8, 2021).
[4] Noom, 533 F. Supp. 3d at 833.
[5] Saleh v. Nike, Inc. , 562 F. Supp. 3d 503 (C.D. Cal. 2021).
[6] Javier v. Assurance IQ, LLC , No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022).
[7] Popa v. Harriet Carter Gifts, Inc. , No. 21-2203, 2022 WL 10224949 (3d Cir. Oct. 18, 2022).
[8] Rogers v. BNSF Railway Co. , Case No. 19-CV-03083 (N.D. Ill).
[9] McDonald v. Symphony Bronzeville Park, LLC , 2022 IL 126511 (Feb. 3, 2022).
[10] 740 ILCS 14/10 (2016).
[11] Cothron v. White Castle Systems , 20 F.4th 1156 (7th Cir. 2021).
[12] Tims v. Black Horse Carriers, Inc. , 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021).
[13] 740 ILCS 15(b).
Reprinted with permission of Law360.