Over the past year, there have been a growing number of lawsuits, including class actions, filed against website operators in various states — including California, Florida, Illinois, and Pennsylvania — for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA).

Background. At a high level, these wiretapping lawsuits claim that the website intercepts website user and visitor information via session replay technology and other tracking technology in violation of certain state wiretapping laws. The states in which these lawsuits are occurring are states that require two-party consent to record conversations. Generally, session replay technology is the website’s ability to capture or track a user’s behavior, including what screen is being viewed, the user’s inputs — keyboard and mouse clicks — and other movements around the website. This also includes information provided in chat windows and other free text boxes. Other suits cite violations of VPPA’s prohibition of sharing information about one’s video viewing habits without consent.

State Law Wiretapping Claims. Claims under state law wiretapping statutes can drastically vary. In two-party consent states, both parties must consent to the recording of the communications.

• In Florida, courts have dismissed plaintiff’s cases for the “mere tracking of plaintiff’s movements on defendant’s website” due to such tracking being akin to a security camera at a retail store. Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318, 1321 (S.D. Fl. 2021). However, if the session replay technology is recording or monitoring communications or other inputs other than movement, such as live chat windows, Florida courts have allowed the plaintiff’s cases to continue.
• California has been the most plaintiff-friendly. Unlike Florida, California has allowed plaintiff cases to continue even when it is only the user’s movements and behavior being monitored. Alhadeff v. Experian Info. Sols., Inc., 541 F. Supp. 3d 1041 (C.D. Cal. 2021). Additionally, a California Ninth Circuit decision held that even though the plaintiff consented to certain recordings, this consent only happened after the plaintiff had been using the website for a period of time. Therefore, this consent was not enough under California’s Invasion of Privacy Act.

VPPA Claims. The VPPA is a federal law that prohibits a video tape service provider from knowingly disclosing a consumer’s personally identifiable information (PII) derived from their rental or purchase of, or subscription to, prerecorded audiovisual materials or services without the consumer’s informed, written consent. A videotape service provider refers to “any person, engaged in business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials.” 18 U.S.C. § 2710(a)(4). The overall intent of Congress was to prevent the disclosure of information that could allow others to identify an individual and then determine their video-watching behavior and habits.

Since 1988, there have not been many VPPA lawsuits. However, there have been an increase in VPPA lawsuits as it relates to certain tracking technology, like the Facebook Tracking Pixel, which tracks users and actions and then sends the data from the website to Facebook (now Meta). Recently, companies like Patreon, WebMD, and Chick-Fil-A have been subject to these VPPA lawsuits. Specifically, these websites use the Facebook Pixel to transmit information to Meta about what videos the user is watching on their website. This can include the URL, video title, time watching the video, and other information about the video being watched. Plaintiffs then allege that this information is tied to their Facebook ID, which may be seen as personally identifiable information under the VPPA.

The VPPA includes a private right of action, which allows any allegedly harmed individual to bring suit. Any successful claims under the VPPA can include actual damages —though not less than $2,500 per injured person — punitive damages, reasonable attorneys’ fees, and other litigation costs. 18 U.S.C. § 2710(c)(2)(A)-(C).

Takeaways. As with any rash of litigation, a lot remains to be seen as to how to implement controls that will potentially safeguard companies against such claims. That said, at a minimum, businesses should do the following:

• Review website technologies. Review all public facing websites and evaluate the data collected, processed, and shared by the website. Inventory all tracking technologies, including but not limited to cookies, pixels, replay technologies, biometrics, and embedded links.

• Review website privacy policies. Review existing website privacy policies to ensure each properly discloses the use of such technologies. To the extent applicable, the operator should secure the consent of the website visitor to use such technologies and any data sharing. 

• Consider website banners. While not necessarily required in the U.S., there is increasing value in implementing a banner that launches upon a visitor’s first landing on a website. The banner discloses the tracking technologies in use, but also the website’s cookie practices and the website owner’s privacy policy — or links to each. Such a banner may serve to mitigate the risks of such lawsuits, as well as meet the increasingly demanding requirements from certain state privacy laws, such as California’s CCPA.  

Taft will continue to monitor developments in this area and provide updates here and on all the Taft platforms. As always, seek qualified legal counsel whenever making determinations about a company’s legal or compliance obligations. Taft’s Privacy and Data Security practice (PDS) stands ready to assist with a risk-based, common-sense approach to data governance needs. Stay tuned to the blog Privacy and Data Security Insights and don’t forget to download Taft’s free mobile app, to receive quick, real-time access to Taft PDS content and updates.