So we’re launching a new feature on TCPAWorld—CIPA Sunday!
CIPA—the California Invasion of Privacy Act—has become shorthand for the MASSIVE wave of wiretapping lawsuits crashing all across the country looking at recording of website interactions. And while CIPA is the most famous of these statutes—authorizing a $2,500.00 per violation statutory penalty—California is hardly alone.
Most famously, of course, California’s CIPA has been held to apply to web session recording technology and (as the Czar reported last week) increasingly to chat box and chat bots powered by third parties. But, as we’re about to see, other courts have likewise applied other anti-wiretap statutes in similar contexts. Meaning companies that use vendor software to monitor interactions on their websites—even for better customer experience—may be at risk of being held to be wiretappers.
This is especially true if keystrokes or PII are being recorded, or if third-party vendors are allowed to make separate use of the data they are recording for website owners.
So as we build up to the launch of CIPAWorld.com—the Czar has to finish the standards and bylaws for REACH first—we’ll be providing weekly segments on CIPA every Sunday. (A super FUN way to start the week.)
So here’s our first big report:
Last week, the U.S. Court of Appeals for the Third Circuit reaffirmed its August 2022 decision reversing a summary judgment ruling in favor of Defendants Harriet Carter Gifts and NaviStone for alleged violations of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act – “PWESCA.” The case is Ashley Popa v. Harriet Carter Gifts, Inc.
Pause (as the Czar would say.)
Yes, Pennsylvania has its own version of CIPA—the not so pronounceable PWESCA. And yes, there is a private right of action authorizing actual damages, but not less than liquidated damages at $100 a day for each violation, or $1,000, whichever is higher, and a plaintiff can also recover punitive damages and attorney’s fees.
Under PWESCA it is illegal to “intercept” any “wire, electronic or oral communications, which means it is unlawful to acquire those communications using a device.” Keep that handy.
In the new ruling the Court held that there is no “direct-party” exception to civil liability under WESCA. The court also ruled that WESCA covers conduct occurring where the “interception” occurs – here, the third-party marketer’s interception of the Plaintiff’s online communications occurred at the point where the third party routed those alleged communications to its own servers, not merely where the third party’s servers received them outside of PA.
And that’s a big deal because the Popa decision represents a huge shift in PWESCA cases — the “direct party” exception no longer applies to PWESCA.
Here’s a bit of background: Ashley Popa claims she used her cell phone to shop for pet stairs on the website, Harriet Carter Gifts. Popa added the pet stairs to her cart but left the website without purchasing them. According to the Complaint, NaviStone was tracking her activities, including collecting her PII, even though she did not purchase anything.
Popa filed a class action suit against both Harriet and NaviStone under Pennsylvania’s WESCA (originally filed in state court and removed to federal court). Popa argued that NaviStone violated WESCA by intercepting her communications with Harriet Carter and Harriet Carter violated WESCA by “procuring any other person to intercept.”
The Defendants argued that under PA law, an interception cannot occur when communications are received by a direct recipient. Additionally, they argued that they had Popa’s implied consent and that the interception did not take place in PA – so WESCA does not apply.
The PA District Court granted summary judgment for both defendants – holding that NaviStone could not have “intercepted” Popa’s communications because NaviStone was a “party” to the electronic conversation. PA state courts had routinely determined – in criminal suppression cases – that no interception can occur under PWESCA when the alleged “interceptor” was the direct recipient of the communication. Thus, there was a carve-out for both direct recipients – NaviStone and Harriet Carter.
Alternatively, the district court held that even if an interception did occur, it happened outside of Pennsylvania’s borders and thus was not subject to WESCA. In reaching this conclusion, the district court relied on state cases involving undercover law enforcement who were not found liable for wiretapping violations if they were the direct recipient of the communications.
The Third Circuit disagreed and overturned the district court’s grant of summary judgment. Reasoning that “WESCA is to be strictly construed to protect individual privacy rights,” it held that the direct-party exception to WESCA only applies to certain law enforcement activity.
Another important thing to keep in mind is where the intercept took place. Again, to trigger the PWESCA the interception has to have taken place within Pennsylvania. But in the context of an internet recording—what does that even mean? Well in Popa v. Harriet Carter Gifts, the Court held that “the place of interception is the point at which the signals were routed to NaviStone’s servers.” It left it to the district court to consider whether the recording at issue took place in PA or not, but that standard is really helpful for folks struggling with similar laws across the country. (I.e. where your servers are matters!)
So there you have it, the direct-recipient exception—if it ever existed—is no longer viable in civil cases in the Third Circuit (which includes the entire state of Pennsylvania.) And more importantly, wiretap claims based on web session recording are absolutely viable in PA—perhaps even more so than California.
Let me say this plainly: IF YOU ARE USING VENDORS TO RECORD, ANALYZE, OR MONITOR INTERACTIONS ON YOUR WEBSITE YOU MUST FOLLOW THIS GROWING AREA OF LAW. And, of course, we’re here to help you to stay ahead of it.