
9th Circuit sets trend on valid consent for website visit records – Privacy Shield


In May 2022, the Ninth Circuit Court of Appeals ruled that prior express consent must be obtained in order to legally record a user’s visit to a website, or the recording party risks violating Section 631(a) of California’s Invasion of Privacy Act (commonly known as the state’s “wiretapping” law).

In Javier v. Assurance IQ, LLC, the plaintiff visited the Assurance website for the purpose of requesting an insurance quote. The Court noted that “unbeknownst to Javier, Trusted Form [the company hired by Assurance to record users’ interactions with the website] captured every second of his interaction with [the website] in real time and created a video recording of his visit to the website.” In light of the lack of a California Supreme Court ruling on what constitutes valid consent under Section 631, the Ninth Circuit reversed the lower court’s decision and held that Section 631(a) requires the prior consent of all parties to a recorded communication, not retroactive consent.

JAVIER: The match that lit the fuse

While the Ninth Circuit ruled on the narrow question of retroactive consent, it left open other questions, such as whether Javier had impliedly consented to the collection of his data. With this door left open, it is not surprising that the plaintiffs’ bar has filed copycat lawsuits in hopes of building on the success of the Javier decision.

In addition to the potential expansion of Javier, it now appears that other circuits will follow the Ninth Circuit’s decision, as evidenced by a recent Third Circuit case.

In Popa v. Harriet Carter Gifts, Inc., the plaintiff used her iPhone to visit the Harriet Carter Gifts website. Upon entering the site, she voluntarily provided her email address in response to a pop-up request. While the plaintiff was informed that her information was being collected by Harriet Carter Gifts, she was unaware that her browser was also communicating with NaviStone, a third-party marketing company working with Harriet Carter Gifts. It appears that while accessing the website, the plaintiff’s browser sent a “GET request” to the Harriet Carter Gifts server, as well as to the NaviStone server. JavaScript code was then sent back to the plaintiff’s browser, allowing both parties to essentially record the plaintiff’s website visit and capture her information. When the plaintiff later learned of this, she sued Harriet Carter and NaviStone for, among other things, violating the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).

The district court ruled in favor of the defendants on the WESCA claims. On appeal, the Third Circuit vacated that ruling and remanded the case.

Perhaps most importantly with respect to the internet marketing industry, on remand, the district court will be responsible for deciding whether Popa gave prior consent to the recording in question. Defendants’ primary argument on this issue is that: (1) Popa impliedly consented to the recording because the website’s privacy policy specifically permitted Harriet Carter Gifts to share customer information with third parties; and (2) whether Popa actually saw the Privacy Policy is irrelevant because prior consent under Pennsylvania law does not require actual knowledge. Given that Pennsylvania (like California) is a two-party consent state, however, it seems likely that the district court will follow the Ninth Circuit’s ruling in

How to avoid getting burned when it comes to recordings of website visits

While the plaintiffs in Popa and Javier may have won their respective first battles, the war continues. In the meantime, copycat lawsuits are likely to be filed. Both rulings make it clear that companies are free to continue to use third-party service providers to help record website visits, provided consumers’ consent is first obtained to do so.

What if a marketing company doesn’t get consent before recording a site visit? Unlike a violation of telephone consumer protection law, a violation of wiretapping laws is technically a criminal offense. For example, a violation of California Section 631 is punishable by a fine of up to $2,500 (or $10,000 for repeat offenders), imprisonment, or both a fine and imprisonment.

Currently, there is no single means required under the various laws for companies to ensure compliance. However, there are things companies can do to avoid finding themselves on the receiving end of a Javier-type lawsuit.

Regardless of jurisdiction, the best way for a business to protect itself is to secure prior consent before engaging in any type of session replay recording. While it’s not yet clear how each circuit will decide on the matter, best practice dictates including consent language above the “submit” button, as well as in the privacy policy of the website itself. This consent language should also make clear to consumers the names of the actual third-party vendors and service providers who assist with recording site visits.


The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

