Privacy

Third Circuit Decision Sparks Wiretapping Lawsuits for Session Replay

Published: Nov. 18, 2022

On October 18, 2022, the Third Circuit, on a petition for rehearing, upheld its decision in Popa v. Harriet Carter Gifts, Inc., holding that liability under Pennsylvania’s wiretapping statute can extend to a website operator and its use of session replay technology. Session replay is a service that analyzes and/or captures a person’s website visit. Since the Popa decision, at least about a dozen businesses have been sued under this same theory for their use of session replay.

Plaintiff Popa brought this suit against Harriet Carter Gifts and its session replay provider NaviStone pursuant to Pennsylvania’s Wiretapping and Electronic Surveillance Act (WESCA). She alleged that NaviStone intercepted clicks, page views, search queries, and form fills as she browsed Harriet Carter’s website and that Harriet Carter unlawfully procured another person to conduct an interception. The district court granted summary judgment to Harriet Carter and NaviStone on the ground that NaviStone could not have intercepted Popa’s communications because it was a party to the electronic communication. Popa appealed the district court’s decision.

The Third Circuit reversed, pronouncing for the first time that the direct party exception to WESCA is limited to the law enforcement context, such that a participant’s own recording of a communication without consent can be a wiretap. The court thus held that neither the vendor nor the website operator was exempt from liability under WESCA and vacated the district court’s grant of summary judgment. Following the decision, at least about a dozen similar lawsuits have been brought in Pennsylvania district courts against businesses that allegedly use session replay on their websites.

Businesses subject to jurisdiction in Pennsylvania will want to thoughtfully review their use of session replay services and their disclosures surrounding such use. They may want to take mitigating measures like limiting the type of data collected through session replay or geoblocking the service from certain locations.

In addition, obtaining consent to session replay remains a potential path to protecting against a wiretapping claim, with the Popa court suggesting the privacy policy as a possible way to secure implied consent sufficient under WESCA. We will continue monitoring developments as these cases proceed.