Privacy Litigation 2021 Year in Review: Web Analytics “Session Replay” Wiretap Litigation
In 2021, California and Florida became battleground states for a new set of data privacy lawsuits initially filed in 2020. Plaintiffs filed around 80 cases seeking damages from third-party analytics companies and website operators, alleging that the use of ubiquitous third-party analytics software constituted an illegal wiretap. Despite this early groundswell of litigation, only 10 of these cases remain pending.
At the center of the conflict is session replay—technology that captures website visitors’ keystrokes, mouse clicks, and cursor movements and later reconstructs the various data captured into viewable “sessions” in de-identified form. Companies use session replay technology to understand how customers use their websites and improve how their websites function.
These session replay lawsuits primarily assert claims under California’s Invasion of Privacy Act (CIPA) and Florida’s Security of Communications Act (FSCA). Generally speaking, both wiretap statutes prohibit the interception of communications sent over a wire unless all parties to the communication have consented.[1] Under both laws, a party that assists another in carrying out the interception may also be liable.[2] CIPA additionally penalizes the manufacture, sale, or possession of a device “primarily or exclusively designed or intended for eavesdropping upon the communication of another.”[3]
Several plaintiffs also asserted constitutional and common law invasion of privacy claims under California law. Courts that reached the issue dismissed these claims, finding that the data collected is too limited in scope to state a claim.[4] Courts focused on the fact that session replay captures only routine information like keystrokes, cursor movements, IP addresses, and static geographical location for a single visit to the website at issue.
The vast majority of session replay lawsuits have either been dismissed by courts, voluntarily dismissed by plaintiffs, or settled on an individual basis.
California cases began to fizzle out when a magistrate judge in the Northern District of California dismissed three session replay cases in August 2021 with prejudice.[5] The court reasoned that a session replay provider is a party to the communication, excepting it from liability “because it is not an outsider and instead is a software vendor that provides a service that allows [the website owner] to analyze its own data,” much like a tape recorder.[6] In reaching that conclusion, the court emphasized that the analytics companies neither used nor sold data for individual gain.[7] Though one plaintiff appealed this issue to the Ninth Circuit,[8] other California plaintiffs voluntarily dismissed their claims (possibly following a confidential individual settlement).
In June 2021, a Florida state court decision categorically exempting session replay from FSCA claims spurred a number of dismissals in Florida.[9] The court concluded that session replay software is “definitionally excluded” from the statute because it is a “software which tracks a website browser’s movements.”[10] That decision was followed by another in September 2021, in which a Florida federal court dismissed a case on the ground that session replay does not capture the “contents” of any communication in violation of the FSCA.[11] The court reasoned that “[t]his mere tracking of . . . movements on Defendant’s website is the cyber analog to record information Defendant could have obtained through a security camera at a brick-and-mortar store.”[12] After that ruling, plaintiffs voluntarily dismissed a number of similar cases and settled several on an individual basis (though it is possible that some of the voluntary dismissals were the result of confidential settlements).
Despite the trend toward dismissal, two session replay cases are currently before the Ninth Circuit and a few others are being litigated in the lower courts. There are three issues to watch closely in 2022:
First, what is and what isn’t “content”? Wiretap statutes prohibit eavesdropping only on the contents of communications. Record information like users’ IP addresses, computer operating systems, and browser types lacks communicative substance. While courts in California and Florida have concluded that session replay data is non-content because it lacks the same substantive communicative value as words in a text message or email,[13] at least one California federal court concluded that captures of keystrokes and other movements on a website are sufficient to establish content at the motion to dismiss stage.[14] As a result, the “content” versus “record” information question remains open.
Second, do analytics companies qualify for CIPA’s “party to the communication” exception? This question is one of two before the Ninth Circuit.[15] At the moment, the district courts are split over whether a session replay provider is a third-party eavesdropper or a party to the communication. As discussed above, a magistrate judge in the Northern District of California has dismissed cases on the ground that session replay providers are mere extensions of the website operators they serve and therefore are parties to the communication.[16] But another judge in the Northern District and one in the Central District of California have concluded the exact opposite.[17] And a second judge in the Central District has decided the question is for a jury to resolve after discovery.[18] One thing, however, is certain: parties on both sides of the “v.” are waiting to see what the Ninth Circuit will do.
Third, is retroactive consent an effective shield for website operators and analytics providers against wiretap liability? In the second Ninth Circuit appeal, the parties dispute whether web users affirmatively consented to the website operator’s privacy policy and collection practices, thereby immunizing the defendants from CIPA liability.[19] While most courts have resolved session replay disputes on defenses other than consent, some courts have wrestled explicitly with consent[20] and consent could become a more focal issue following the Ninth Circuit’s decision. In the meantime, website operators should review their privacy policies and cookie managers with notice and consent for session replay in mind.
Despite these open issues, new filings have significantly slowed following the dismissal orders in California and Florida, all but drying up after July 2021. The issues remain top of mind, however, as we wait for the Ninth Circuit to weigh in and as other cases progress in lower courts in California and Florida.
[1] Cal. Penal Code § 631(a); Fla. Stat. §§ 934.03(1)(a), (d); Fla. Stat. § 934.03(2)(d).
[2] Cal. Penal Code § 631(a); Fla. Stat. § 934.03(1)(b).
[3] Cal. Penal Code § 635(a).
[4] See Yoon v. Lululemon USA, Inc., No. 5:20-CV-02439-JWH-SHKx, 2021 WL 3615907, at *9 (C.D. Cal. July 15, 2021); see also Saleh v. Nike, Inc., No. 2:20-CV-09581-FLA (RAOx), 2021 WL 4437734, at *15 (C.D. Cal. Sept. 27, 2021).
[5] Graham v. Noom, Inc., No. 20-CV-06903-LB, 2021 WL 3602215, at *2 (N.D. Cal. Aug. 13, 2021); Johnson v. Blue Nile, Inc., No. 20-CV-08183-LB, 2021 WL 3602214, at *1 (N.D. Cal. Aug. 13, 2021), appeal docketed, No. 21-16378 (9th Cir. Aug. 23, 2021); Yale v. Clicktale, Inc., No. 20-CV-07575-LB, 2021 WL 4025797, at *1 (N.D. Cal. Aug. 24, 2021).
[6] Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832 (N.D. Cal. 2021).
[7] Id.
[8] Blue Nile, Inc., 2021 WL 3602214.
[9] Jacome v. Spirit Airlines Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *3 (Fla. Cir. Ct. June 17, 2021); see also Goldstein v. Costco Wholesale Corp., No. 21-CV-80601-RAR, 2021 WL 4134774, at *5 (S.D. Fla. Sept. 9, 2021); Goldstein v. Luxottica of Am., Inc., No. 21-80546-CIV-CANNON/REINHART, 2021 WL 4093295, at *3 (S.D. Fla. Aug. 23, 2021); Swiggum v. EAN Servs., LLC, No. 8:21-CV-493 TPB-CPT, 2021 WL 3022735, at *2 (M.D. Fla. July 16, 2021).
[10] Jacome, 2021 WL 3087860, at *3.
[11] Costco Wholesale Corp., 2021 WL 4134774, at *2.
[12] Id.
[13] Yoon, 2021 WL 3615907, at *6; see also Costco Wholesale Corp., 2021 WL 4134774, at *3 (comparing user data collected by session replay to non-content dialing, routing, addressing, and signaling information).
[14] Saleh, 2021 WL 4437734, at *9.
[15] Blue Nile, Inc., 2021 WL 3602214.
[16] Id., at *1; Yale, 2021 WL 1428400, at *3.
[17] Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330, at *2 (N.D. Cal. Oct. 23, 2019); see also Saleh, 2021 WL 4437734, at *11.
[18] Yoon, 2021 WL 3615907, at *6.
[19] Javier v. Assurance IQ, LLC, No. 4:20-CV-02860, 2021 WL 3669343 (N.D. Cal. Aug. 6, 2021), appeal docketed, No. 21-16351 (9th Cir. Aug. 17, 2021).
[20] See Jacome, 2021 WL 3087860, at *7 (finding disclosure via cookie banner and privacy policy sufficient for consent); see also Yoon, 2021 WL 3615907, at *4 (finding a standalone hyperlink to privacy policy, without an affirmative consent button or more conspicuous disclosure, insufficient for consent).