Third Circuit Considers Whether Website Tracking Violates Pennsylvania Wiretapping Law | Saul Ewing Arnstein & Lehr LLP

What You Need to Know:

  • Companies that use common website tools (like cookies) to track and analyze user behavior on their website may be subject to liability under state wiretapping laws.
  • The Third Circuit recently reversed a grant of summary judgment in favor of a corporate defendant, finding that a cookie provider intercepted the plaintiff’s communications with the company’s website.
  • It remains to be determined whether the company had obtained the plaintiff’s consent for the interception of her communications.

The case arose after the plaintiff, Ashley Popa, browsed the Harriet Carter Gifts website on her iPhone, entered her email address in a pop-up window, added an item to her online “shopping cart,” then left the website without purchasing the item. According to Ms. Popa, she later discovered that a third-party marketing service, NaviStone, was tracking her activities on Harriet Carter’s website without her knowledge. Simply put, NaviStone would have been alerted to how Popa interacted with Harriet Carter’s website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. As a result, Popa filed an action against Harriet Carter and NaviStone (collectively the “Defendants”) alleging that they violated the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”), 18 Pa. C.S. § 5701 et seq.

WESCA sets out a private civil action for “[a]ny person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of [that statute]” against “any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication.” 18 Pa. C.S. § 5725(a). The defendants sought summary judgment arguing, among other things, that under Pennsylvania law, a direct recipient of a communication cannot intercept it. The district court agreed with the defendants and entered summary judgment in their favor, and alternatively held that if an interception occurred, it occurred outside the borders of Pennsylvania and, therefore, was not prohibited by WESCA. However, on appeal, the Third Circuit reversed and remanded the district court’s decision. As discussed below, the Court’s opinion analyzed three main issues: (1) what does “intercept” mean in the context of WESCA; (2) where does the “interception” occur; and (3) did Harriet Carter’s privacy policy sufficiently notify Popa that her communications were being sent to a third party?

The defendants intercepted Popa’s communications

Defendants took the position that because NaviStone was a direct party to Popa’s communication, they were exempt from liability, since Pennsylvania courts have held that no interception occurs when the one who acquires a communication is its direct recipient. However, after discussing a 2012 amendment to WESCA that expanded the definition of “intercept,” the Third Circuit rejected the defendants’ argument. Specifically, it found that the 2012 amendment included a narrow exemption for law enforcement officers when they acquire communications and are the “intended recipient” but stopped short of exempting all “direct” communications. It follows, according to the Third Circuit, that under Pennsylvania law there is no direct-party exception to liability under WESCA (with a narrow exception for law enforcement under specific conditions).

Interception occurs where signals are routed to servers

The point of interception was important in resolving this case because, in the context of the recording of telephone conversations, Pennsylvania courts declined to extend WESCA to acts occurring entirely outside the state. Here, there were two possible points of interception: (1) where Popa’s electronic communications were initially routed from her web browser to NaviStone’s servers; or (2) where Popa’s communications ultimately reached their final destination on NaviStone’s servers in Virginia. Applying the common and approved usage of “acquisition,” the Third Circuit found that NaviStone intercepted Popa’s communications at the point where the communications were initially routed to NaviStone’s servers.

This finding, however, did not resolve the issue in this case, as the record was unclear as to exactly where Popa’s browser accessed Harriet Carter’s website and where NaviStone began telling her browser to communicate with its servers. In view of this, the Third Circuit remanded to the District Court to reconsider the matter in light of the court’s direction that the interception occurred at the point where the signals were routed to NaviStone’s servers, wherever that is.

Questions remain about whether Harriet Carter’s privacy policy was sufficient

Defendants presented numerous policy arguments as to why Popa’s interpretation was flawed, including that her theory of liability “leads to the untenable conclusion that whenever a content or service provider receives data on behalf of a website operator, this third party and the website operator may violate WESCA.” Def. Br. at 46. In rejecting this argument, the Third Circuit explained that WESCA is not unreasonable because of the many exceptions to liability that exist. Specifically, the Court referred to the all-party consent exception, under which an interception can occur if all parties to the communication give prior consent. See 18 Pa. C.S. § 5704(4). Although the defendants sought the application of this exception here, asserting that Popa had given her prior consent to the interception of her communications by NaviStone by accepting Harriet Carter’s privacy policy, the Court declined to rule on the question in the first instance.

Popa claimed she had never seen Harriet Carter’s privacy policy, but the Third Circuit suggested that it didn’t matter whether she had actually seen the policy, because under Pennsylvania law, “prior consent” does not require “actual knowledge”; all that matters is whether Popa knew or should have known that the communication was recorded. Accordingly, the Third Circuit remanded, explaining that this issue should be resolved by the district court. This leaves open the question of what companies must do to show a user’s “prior consent” under WESCA.

Defendants petition for rehearing

On August 30, 2022, the defendants filed a petition for rehearing, arguing that the Third Circuit’s decision conflicts with Pennsylvania precedent and that the Court’s “unprecedented interpretation transforms WESCA into a super-regulatory authority on the ‘entire internet.’” Defendants argue that the Third Circuit ignored Commonwealth v. Diego, 119 A.3d 370, 380 (Pa. Super. 2015), appeal denied, 129 A.3d 1240 (Pa. 2015), a case which the defendants say dealt with the same issues but went the other way. The petition also argues that the impact of the Third Circuit’s ruling will be felt beyond Pennsylvania’s borders given the Court’s finding that an interception occurs every time an individual browses a website in Pennsylvania and that individual’s electronic communications are routed to a third-party server. The petition requests panel rehearing and, if panel rehearing is denied, rehearing en banc. As of the date of this alert, the Third Circuit has not ruled on the Defendants’ petition.

Takeaways

Although the Third Circuit’s decision that an interception took place could be seen as a change in Pennsylvania law, the issues the Court left unresolved, including the location of the interception and, more importantly, whether the website’s privacy policy gave Popa sufficient warning that her activities were being tracked, will still play a major role in the impact of this case on website tracking in Pennsylvania. To better guard against lawsuits under wiretapping law in Pennsylvania and elsewhere, companies should: (1) ensure that their website’s privacy policies indicate whether they use analytics and tracking tools, especially those provided by third parties; (2) disclose whether their websites collect and share personal information with third parties, and for what purposes; and (3) consider adding a cookie banner or notification that asks users to acknowledge and/or affirmatively consent to the use of cookies and similar technologies on the website in order to continue browsing the website.