November 2, 2020

A New Wave of Class Action Lawsuits is Targeting Online Customer Tracking

Holland & Knight Cybersecurity and Privacy Blog
William F. Farley | Ashley L. Shively

Plaintiffs' firms routinely attempt to assert old laws in new ways. One of the latest trends is the use of federal and state anti-wiretap laws as a vehicle to sue software developers and businesses for the use of ubiquitous cookies, pixels and other website software to track customer activity during website visits.

Businesses that maintain a significant online presence or process a large number of online transactions are increasingly implementing third-party analytics software to evaluate the efficiency and performance of their sites. The software enables them to better understand visitors' use of their websites and troubleshoot issues preventing successful transactions. In other cases, it serves a compliance function; for instance, to reduce risk and establish consent under the Telephone Consumer Protection Act (TCPA). Plaintiffs have turned this software against developers and businesses in a slew of recent lawsuits.

Early wiretap cases dealt primarily with businesses' undisclosed recording of customer service telephone calls. These new cases, by contrast, are brought under electronic interception provisions of state laws, including section 631(a) of the California Invasion of Privacy Act (CIPA), California Penal Code §§ 630 et seq. The section imposes liability on "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within [California]…" Section 631 provides for civil fines not exceeding $2,500 and/or imprisonment in the county jail not exceeding one year.

One plaintiffs' firm in particular has filed a half dozen class action suits in California based on retailers' alleged use of software that captures customers' keystrokes, scrolling, mouse movements and clicks on websites in real time, thus allegedly creating a recording of users' browsing history and personal and financial information entered (but perhaps not submitted) on website forms. Plaintiffs claim that businesses' use of such software constitutes an impermissible disclosure to a third party (i.e., the software developer) and an invasion of privacy under CIPA and the California Constitution. Other digital wiretap cases pending around the country involve (at least arguably) less intrusive and more commonplace website activity tools, such as the use of third-party cookies that track the pages visited or search terms entered on a business's site. These cases pose a risk to a vast number of companies currently using such tools on their websites.

This case trend deserves close monitoring. At least 14 states – in addition to California – require consent from all parties when a communication is recorded or intercepted: Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont and Washington. Penalties in those states range from $1,000 to $50,000 per violation.1 In these states, according to plaintiffs, businesses are required to obtain consent from each website visitor before recording their website interactions.

There are several ways businesses can proactively protect against electronic wiretap claims and defend themselves in the event that a lawsuit is filed. For example, before implementing any digital recording software, businesses may look to negotiate strong contractual indemnification rights with the provider. Companies may need to augment website privacy policies to provide substantive disclosures of how user information is shared with service providers. Businesses may likewise consider whether any update is needed to website terms, including arbitration, class waiver, choice of law and venue provisions.

Legal disclosures are only useful if they are enforceable, so businesses should assess whether disclosures of their websites' terms of use and privacy policies are sufficiently conspicuous to create the best case for enforceability. While there is no federal or state requirement for express consent, where practicable, it is often beneficial to obtain express consent to both the terms and privacy policy; for instance, as part of the email sign-up or checkout process.

If facing a lawsuit under state wiretap statutes, businesses typically first look to any available indemnification rights and to enforce arbitration and/or choice of law provisions. Other available defenses may include:

  • showing that the plaintiff implicitly consented to the collection and disclosure by providing the information as part of the transaction and/or expressly consented under the applicable website terms and privacy policy
  • establishing that the business cannot be liable under two-party consent laws like California's, because it was a party to the communication and thus not the alleged "eavesdropper"

We Can Help

Holland & Knight's Data Strategy, Security & Privacy Team has decades of experience defending lawsuits involving the loss, theft or misuse of personal information. If you have any questions regarding best practices for handling customer information or defending data privacy litigation, contact the authors or Partner Mark Melodia, chair of Holland & Knight's Data Strategy, Security & Privacy Team.


1 What constitutes a violation varies by state.
