Third Circuit Denies Direct Party Exception for Digital Marketers Under Pennsylvania Wiretapping Act – Disclosures | Panda Anku


August 24, 2022

In a landmark decision with potential implications for disclosures of online privacy and consent practices, the Court of Appeals for the Third Circuit recently ruled that a retailer and its outside digital marketer did not exempt from liability under the Wiretapping and Electronic Surveillance Control Act of Pennsylvania are simply because the marketer’s server received the relevant communications directly from the plaintiff.

in the Popa Vs Harriet Carter Gifts Inc. the Third Circuit determined that the only exception for direct parties under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) is intended for specific law enforcement activities specified in a 2012 amendment to the law. The court also ruled that the marketer’s alleged interception of the plaintiff’s online communications with the retailer occurred at the point where the marketer forwarded those alleged communications to its own servers, and not just where the marketer’s servers sent them received outside of Pennsylvania.

Given the court’s sweeping assessment of WESCA’s reach, there may be renewed interest in session replays and other website tracking claims under the law. To reduce the risk of liability and penalties under Pennsylvania law, businesses and their digital marketers should review their disclosures and online practices to assess the strength of other defenses or exemptions from WECSA liability, including prior consent to Disclosure of Data by Third Parties .


In the putative class action lawsuit, plaintiff Ashley Popa alleged that she used her iPhone to search the Harriet Carter Gifts website for pet steps, but ultimately did not complete the purchase. When she did so, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused her browser to send a GET request to NaviStone, a digital marketer. Upon receiving this GET request, NaviStone sent code to the plaintiff’s browser that installed cookies, collected certain information about the plaintiff’s activities on Harriet Carter’s website, shared that information with NaviStone, and enabled NaviStone to provide targeted advertising to Harriet Carter to support. The plaintiff alleged that redirecting communications to NaviStone constituted unlawful interception under WESCA.

After the defendants won summary judgment at the Circuit Court level, the Third Circuit Circuit Court of Appeals reversed the order and suspended the pretrial detention. The Third Circuit ruled that (1) the defendants could not avoid WESCA liability merely by proving that NaviStone received the impugned communications directly from the plaintiff, since the only direct party exception under WESCA applies to certain law enforcement activities; (2) NaviStone’s alleged “interception” of Plaintiff’s online communications occurred at the point where it routed Plaintiff’s communications to NaviStone’s servers, even if NaviStone ultimately received those communications outside of Pennsylvania; and (3) whether Popa had previously consented to the contested wiretapping of her communications required further consideration by the investigating court.


Under the Federal Wiretapping Act and other state wiretapping statutes, the Defendants are exempt from liability for communications received directly from the Plaintiff. The reason for this exception is generally that a wiretapping action requires wiretapping of a communication and a defendant will not intercept a communication received directly from the plaintiff. Previous Pennsylvania jurisprudence established an exception for direct parties to WESCA liability and applied it specifically to scenarios where a law enforcement officer secretly posing as another person received a notice directly as part of a criminal investigation.

In considering WESCA’s direct party exemption narrowly, the court relied on the 2012 amendment. In 2012, the state legislature amended WESCA to clarify that WESCA is not liable for certain law enforcement activities, including where an officer engaged in covert or of a covert function, with the approval of the supervisor, is notified directly. The amendment did not specifically introduce a broader exception for other types of direct communication between parties. The court interpreted this as a legislative decision to deny a direct party exception beyond the law enforcement context enumerated in the amended law. As a result, NaviStone was not exempt from liability under WESCA, even though its servers received the relevant notices directly from the plaintiff.


While the Court narrowly considered the immediate party’s exemption from WESCA liability, it took a broader approach in analyzing where the wiretapping occurs for the purposes of WESCA applicability. NaviStone argued that to the extent that Plaintiff’s communications were intercepted, it was only in Virginia, where NaviStone’s servers received the information in question. In other words, the potential “acquisition of the content” of each covered communication occurred outside of Pennsylvania. Accordingly, NaviStone contended that WESCA should not request such out-of-state trade as such a request would violate the Commerce Clause.

The court rejected this argument, noting that wiretapping occurs “when an act is taken to obtain communications with a device”. Therefore, the court found that the interception occurred where NaviStone’s JavaScript code redirected the plaintiff’s communications with Harriet Carter to NaviStone’s servers. According to the court, such a redirection took place at the location of the plaintiff’s browser, which was presumably the location of her iPhone at the time of the redirection; However, the court left it to the investigating court to determine whether the plaintiff’s browser was located in Pennsylvania at the time of the contested redirect.


Finally, in response to NaviStone’s arguments about the undesirable consequences of such a broad interpretation and application of WESCA, the court found that its ruling does not necessarily preclude the use of third-party tracking cookies or digital marketing services, as WESCA does not impose liability when all at parties involved in a communication have previously consented to the interception. Under Pennsylvania law, prior consent to wiretapping exists if the plaintiff “knew or should have known the conversation would be recorded,” but “actual knowledge” is not required. NaviStone argued that the plaintiff implicitly consented to wiretapping because Harriet Carter’s privacy policy disclosed disclosure of personal information to third parties. The plaintiff argued that she had neither read the privacy policy nor agreed to its terms, and she questioned whether the privacy policy was actually in force at the material time.

Because the district court entered summary judgment on other grounds without reaching the issue of consent, the court remanded that question for further proceedings as to whether Harriet Carter had a privacy policy that gave a reasonable person reasonable notice of the disclosure of data to NaviStone .


Many consumer-facing businesses have websites that rely on third-party coding, like NaviStone’s, to enable digital advertising and provide a tailored experience for their customers. Under the new father Decision, these third-party marketing services cannot invoke a direct recipient exemption from WESCA liability, and they may be within the reach of the law based on the location of the plaintiff’s website browser, even if they allegedly intercepted communications outside of received Pennsylvania.

The Third Circuit’s narrow interpretation of a general exception to wiretapping liability and its broad interpretation of where wiretapping occurs under WESCA underscores the importance of the consent of all parties under WESCA and other potential exceptions or defenses to alleged liability. For example, the Third Circuit’s decision assumed, but did not address, whether the JavaScript code used on Harriet Carter’s website constituted a “device” within the meaning of WESCA because the matter was not heard in court. Similarly, in a marketplace where a variety of online data sharing technologies exist, defendants may have strong arguments under WESCA that certain code or software applications do not capture the “contents” of electronic communications as required for the application of the law.

Given the prevalence of data disclosure to third parties and the availability of penalties under WESCA, the pending district court decision on whether plaintiff’s prior consent to interception should be implied by disclosure of privacy policies may affect future wiretapping cases under Pennsylvania law.

As the father Proceeds of investigation, the case is a good reminder for website owners, digital marketers, and their partners to review their online marketing practices, privacy statements, contract terms, buy-flow processes, and consent mechanisms and re-evaluate how easily they compare their consent Third parties could prove -Data sharing between parties at an early stage of litigation when faced with an alleged class action lawsuit under WESCA or other similar wiretapping laws.


If you have any questions or would like more information on any matter discussed in this LawFlash, please contact one of the following Morgan Lewis attorneys:

Gregory T Fouts
Elizabeth B Herrington

Kathryn E Deal
Gregory T. Parks
Ezra D. Church
Kristin M Hadgis

Pulina Whitaker

los Angeles
Joseph Duffy

Brian M.Ercole

san francisco
W. Reece Hirsch

Silicon Valley
Mark L. Krotoski

Washington, D.C
Ronald W. Del Sesto, Jr.
dr Axel Spies

Leave a Comment