Litigation Minute: Pennsylvania and Florida Emerge as Fertile Ground for Session Replay Litigation

19 April 2023

What You Need to Know in a Minute or Less

While session replay class-actions are not new, a recent change in law has triggered a surge of lawsuits in Pennsylvania. The claims raise significant questions about the scope of wiretapping statutes, consent, and jurisdiction. 

In a minute or less, here is what you need to know about the development of these claims in Pennsylvania and Florida, and what defenses may be available.

Paving the Way for Influx of Pennsylvania Lawsuits

For years, plaintiffs bringing session replay cases in Pennsylvania struggled to overcome the long-held direct party exception to the state’s wiretapping statute. The exception provides that a party who directly receives a communication cannot “intercept” the communication under the wiretapping statute. Courts construed vendors of analytics software, such as session replay, to be direct recipients of website user data as agents of the website owner.

That long-standing view changed—at least among Pennsylvania’s federal courts—when the U.S. Court of Appeals for the Third Circuit reinterpreted the definition of “intercept” in light of 2012 revisions to the wiretapping statute. The Third Circuit held in Popa v. Harriet Carter Gifts, Inc.1 that the revisions limited the exception to only the law enforcement context. In other words, the Popa decision eliminated a standard defense in session replay lawsuits, and plaintiffs responded by filing dozens of lawsuits.

Defendants Argue Wiretapping Statutes Do Not Apply

The direct party exception may still be viable in jurisdictions other than Pennsylvania, such as Florida, which has a wiretapping statute similar to Pennsylvania’s statute. Even without the exception, however, defendants have successfully argued that wiretapping statutes do not apply to session replay. 

In Florida, for example, some defendants have argued that the wiretapping statute only applies to the “contents” of intercepted communications, and that the data obtained through session replay software (such as where a website user clicks) does not fit the statutory definition of “contents.” Similarly, the statutes cover the use of a “device” to intercept communications, and some defendants have argued successfully that session replay software is not a device.

Consent Defense Likely to Take Center Stage

Prior consent is a complete defense to a wiretapping claim, and the argument that a plaintiff consented to being recorded will likely be a key defense addressed by courts. The Third Circuit previewed the argument in Popa, suggesting that a sufficiently detailed privacy policy that outlines the manner and purpose of data collection—which is clearly visible and accessible on a website—may provide defendants with an argument that a plaintiff at least implicitly consented to the data collection. Although a number of defendants in Pennsylvania actions have asserted a consent defense, the confines of the defense have not yet been addressed by courts. 

In a recent order, though, the U.S. District Court for the Eastern District of Pennsylvania denied a motion to dismiss, while also inviting a summary judgment motion expressly addressing whether the plaintiff implicitly consented to the data collection (among other defenses). This suggests that some courts are primed to carefully consider the merit of consent defenses.

Jurisdictional Defenses

Defendants may also have jurisdictional arguments available. For instance, plaintiffs asserting session replay claims may be claiming a statutory violation without alleging a concrete injury. As a result, these plaintiffs arguably lack standing to bring the action. Similarly, some defendants have argued that states do not have personal jurisdiction over them. This argument depends on the courts’ determination of where an alleged intercept occurred. 

In Popa, the Third Circuit determined that an intercept occurs where the website user accesses the website. The Third Circuit’s view, however, creates difficulties in circumstances where users access websites on their phones while traveling, potentially crossing state lines while accessing the website. Defendants may argue that an intercept occurs where the server running the session replay software is located, and that Pennsylvania or Florida may not have personal jurisdiction if the server is located elsewhere. Although Pennsylvania’s federal courts have not resolved these arguments yet, the arguments are rooted in constitutional law and may be persuasive to courts.

Damages Liability Under Wiretapping Statutes

Developing broad defenses that could foreclose future lawsuits is particularly important here, where plaintiffs are bringing session replay class-actions to take advantage of statutory damages of up to US$1,000 per violation—in both Pennsylvania and Florida. Further, in both states, the statute of limitations period for these acts is two years.

Accordingly, given the potential class size in these cases, the potential liability faced by a company may be significant.