Recent court cases in the U.S. have sparked a renewed legal debate on the use of session replay software and chatbots, particularly within the context of privacy. These technologies, while offering valuable insights into user engagement and behavior, have raised concerns regarding the collection and storage of personal data without explicit consent. The use of session replay software has also landed website operators in court for violations of wiretapping laws.
What is Session Replay Software?
Session replay software is a tool employed by websites and applications to enhance user experience. Think of it as a digital playback feature that records and recreates user sessions, capturing every click, scroll, and keystroke. It helps businesses understand user behavior and make improvements to their apps and websites.
Legal Landscape:
Lawsuits about session replay software, like the case involving Nike and FullStory, initially seemed to be fading away. However, decisions such as Popa v. Harriet Carter Gifts have breathed new life into these cases, making it more challenging for defendants to dismiss them at early stages.
All of these lawsuits were based on the theory that the provider of the session replay software is intercepting the individual’s communications to the website (i.e., website operator) and have been pursued under state wiretapping laws where two-party (or all-party) consent is required. The majority have been filed in California, Pennsylvania, and Florida, but there have been lawsuits in other states as well.
The biggest challenge to website operators and service providers of session replay software is that if these cases survive a motion to dismiss, they can carry quite significant costs in terms of legal representation and exposure.
Key Takeaways:
- “Content” of Communications: Wiretapping statutes typically prohibit eavesdropping only on the “content” of communications. Some courts have dismissed claims on the basis that the software did not involve content.
- “Party” to the Communications: Plaintiffs must establish that the entity intercepting communication was a third party, not a participant to the communication. Courts are generally inclined to exempt providers supplying tools for website operators but may have a different view when providers use collected data for their own purposes.
- Implied Consent: Sometimes, it can be quite difficult to prove implied consent. It is often a point of contention whether the website or application user provided express or implied consent for the interception of the communication.
- Standing: Plausible allegations of personal information interception are required to demonstrate concrete injury. Courts, as seen in cases like Lightoller v. Jetblue, emphasize the importance of tangible harm for standing.
- Jurisdiction: As shown in a recent case involving FullStory, plaintiffs may battle to prove that the relevant state laws apply to session replay software companies.
Recommendations:
- Privacy Notices: Clearly communicate the use of session replay software in your privacy notices to establish a defense of implied consent.
- Prior Consent: If feasible, obtain explicit consent from website visitors and app users, as it can be a strong defense against these lawsuits.
- Service Provider Restrictions: Beware of the potential implications of service providers using data for their own purposes. The provider might not be able to avail itself of the “party” exemption under wiretapping laws.
It’s important that your organization understands the implications of using session replay software, including any legal obligations that may arise from its use. VeraSafe can help ensure that your website or app complies with evolving privacy regulations. Contact us today for a free consultation.
You may also like:
Misdirected Emails: Prevention Legally Required
Dark Patterns: How To Detect and Avoid Them
Data Privacy Automation: Pros, Cons, and Pitfalls of Streamlining Compliance
Related topics: Compliance Tools and Advice, Privacy News