August 24, 2022
In a landmark decision with potential implications for disclosures of online privacy and consent practices, the Court of Appeals for the Third Circuit recently ruled that a retailer and its outside digital marketer did not exempt from liability under the Wiretapping and Electronic Surveillance Control Act of Pennsylvania are simply because the marketer’s server received the relevant communications directly from the plaintiff.
in the Popa Vs Harriet Carter Gifts Inc. the Third Circuit determined that the only exception for direct parties under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) is intended for specific law enforcement activities specified in a 2012 amendment to the law. The court also ruled that the marketer’s alleged interception of the plaintiff’s online communications with the retailer occurred at the point where the marketer forwarded those alleged communications to its own servers, and not just where the marketer’s servers sent them received outside of Pennsylvania.
Given the court’s sweeping assessment of WESCA’s reach, there may be renewed interest in session replays and other website tracking claims under the law. To reduce the risk of liability and penalties under Pennsylvania law, businesses and their digital marketers should review their disclosures and online practices to assess the strength of other defenses or exemptions from WECSA liability, including prior consent to Disclosure of Data by Third Parties .
In the putative class action lawsuit, plaintiff Ashley Popa alleged that she used her iPhone to search the Harriet Carter Gifts website for pet steps, but ultimately did not complete the purchase. When she did so, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused her browser to send a GET request to NaviStone, a digital marketer. Upon receiving this GET request, NaviStone sent code to the plaintiff’s browser that installed cookies, collected certain information about the plaintiff’s activities on Harriet Carter’s website, shared that information with NaviStone, and enabled NaviStone to provide targeted advertising to Harriet Carter to support. The plaintiff alleged that redirecting communications to NaviStone constituted unlawful interception under WESCA.
After the defendants won summary judgment at the Circuit Court level, the Third Circuit Circuit Court of Appeals reversed the order and suspended the pretrial detention. The Third Circuit ruled that (1) the defendants could not avoid WESCA liability merely by proving that NaviStone received the impugned communications directly from the plaintiff, since the only direct party exception under WESCA applies to certain law enforcement activities; (2) NaviStone’s alleged “interception” of Plaintiff’s online communications occurred at the point where it routed Plaintiff’s communications to NaviStone’s servers, even if NaviStone ultimately received those communications outside of Pennsylvania; and (3) whether Popa had previously consented to the contested wiretapping of her communications required further consideration by the investigating court.
EXCEPTION DIRECT PARTY
Under the Federal Wiretapping Act and other state wiretapping statutes, the Defendants are exempt from liability for communications received directly from the Plaintiff. The reason for this exception is generally that a wiretapping action requires wiretapping of a communication and a defendant will not intercept a communication received directly from the plaintiff. Previous Pennsylvania jurisprudence established an exception for direct parties to WESCA liability and applied it specifically to scenarios where a law enforcement officer secretly posing as another person received a notice directly as part of a criminal investigation.
In considering WESCA’s direct party exemption narrowly, the court relied on the 2012 amendment. In 2012, the state legislature amended WESCA to clarify that WESCA is not liable for certain law enforcement activities, including where an officer engaged in covert or of a covert function, with the approval of the supervisor, is notified directly. The amendment did not specifically introduce a broader exception for other types of direct communication between parties. The court interpreted this as a legislative decision to deny a direct party exception beyond the law enforcement context enumerated in the amended law. As a result, NaviStone was not exempt from liability under WESCA, even though its servers received the relevant notices directly from the plaintiff.
EXTRATERRITORIALITY AND THE INTERCEPT PLACE
While the Court narrowly considered the immediate party’s exemption from WESCA liability, it took a broader approach in analyzing where the wiretapping occurs for the purposes of WESCA applicability. NaviStone argued that to the extent that Plaintiff’s communications were intercepted, it was only in Virginia, where NaviStone’s servers received the information in question. In other words, the potential “acquisition of the content” of each covered communication occurred outside of Pennsylvania. Accordingly, NaviStone contended that WESCA should not request such out-of-state trade as such a request would violate the Commerce Clause.
Many consumer-facing businesses have websites that rely on third-party coding, like NaviStone’s, to enable digital advertising and provide a tailored experience for their customers. Under the new father Decision, these third-party marketing services cannot invoke a direct recipient exemption from WESCA liability, and they may be within the reach of the law based on the location of the plaintiff’s website browser, even if they allegedly intercepted communications outside of received Pennsylvania.
Given the prevalence of data disclosure to third parties and the availability of penalties under WESCA, the pending district court decision on whether plaintiff’s prior consent to interception should be implied by disclosure of privacy policies may affect future wiretapping cases under Pennsylvania law.
As the father Proceeds of investigation, the case is a good reminder for website owners, digital marketers, and their partners to review their online marketing practices, privacy statements, contract terms, buy-flow processes, and consent mechanisms and re-evaluate how easily they compare their consent Third parties could prove -Data sharing between parties at an early stage of litigation when faced with an alleged class action lawsuit under WESCA or other similar wiretapping laws.
If you have any questions or would like more information on any matter discussed in this LawFlash, please contact one of the following Morgan Lewis attorneys:
Gregory T Fouts
Elizabeth B Herrington
Kathryn E Deal
Gregory T. Parks
Ezra D. Church
Kristin M Hadgis
W. Reece Hirsch
Mark L. Krotoski
Ronald W. Del Sesto, Jr.
dr Axel Spies