Are You Wiretapping Your Website Visitors?


**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**

A seemingly simple question … While most organizations would quickly answer “no”, a recent wave of litigation alleges otherwise.

Central to the allegations is the widespread use of heatmap and session replay technologies, which many websites deploy to understand how consumers behave on their digital properties. A recent analysis conducted with Tag Inspector found that 35 percent of the top 150 U.S. advertisers' websites are using a technology in this category. With that many sites running the technology, the compliance risk is widespread. So, what are the risks? And what can an organization do to mitigate them while still collecting the data it needs to optimize the consumer experience?

“All Party” Wiretapping Regulations

In the cases brought to date, plaintiffs have argued that using session replay technology violates state “all party” wiretapping statutes. These statutes limit the conditions under which a communication can be recorded: it is not enough that the party doing the recording knows about it; every party to the communication, including the consumer, must also be aware that the recording is occurring and consent to it. States with “all party” wiretapping regulations are the following: 

  • California 
  • Connecticut
  • Delaware
  • Florida
  • Illinois
  • Maryland
  • Massachusetts
  • Michigan
  • Montana
  • Oregon
  • Nevada
  • New Hampshire
  • Pennsylvania
  • Washington

While many would consider equating heatmapping and session replay with wiretapping a stretch, creative plaintiffs' attorneys are asserting exactly that, and in at least one case the argument has succeeded: Ashley Popa v. Harriet Carter Gifts Inc., brought under Pennsylvania's Wiretapping and Electronic Surveillance Control Act (WESCA).

In summary, Ashley Popa alleged that Harriet Carter Gifts violated WESCA by monitoring her through a session recording platform (Navistone) while she added an item to her cart and entered personally identifiable information. Initially, the district court granted summary judgment for the defendants on the ground that the “recording” did not occur in Pennsylvania; location mattered because WESCA covers recordings of communications taking place in Pennsylvania. The defendants also argued that the plaintiff had given “implied consent” by using the website. 

On appeal, the Third Circuit reversed, ruling for Ashley Popa and stating that “WESCA is to be strictly construed to protect individual privacy rights.” The court held that even though the recording was received out of state, the communication was “routed” in Pennsylvania, which was enough to bring it within the statute. The court also observed that WESCA is not unreasonable in its reach, pointing out that the statute provides an exception where “all-party” consent has been obtained. 

In addition to the Pennsylvania WESCA example, a number of cases have been brought in California under the California Invasion of Privacy Act (CIPA), such as Javier v. Assurance IQ and Byars v. Goodyear Tire & Rubber Co. The Javier case resembled the WESCA case: Javier alleged wiretapping because Assurance IQ used session replay. The case was later dismissed on statute of limitations grounds, but the court ruled that consent was central and required for such technologies to monitor users. These and other lawsuits have started a trend of CIPA suits in California over session replay, and courts have been split in their rulings. 

The common thread across these cases is that obtaining user consent is likely the best way to avoid becoming a target for professional litigators.

What Can My Organization Do About It?

First, determine whether your organization is using any session recording or heatmapping software across its digital assets. If so, raise the potential risks and concerns with your legal counsel and evaluate your options.
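One concrete way to start that evaluation is to inventory which third-party script hosts a page actually loads and flag the ones that belong to session replay or heatmap vendors. The block below is an added example written for this article; it is not InfoTrust or Tag Inspector code. The vendor host list is a non-exhaustive assumption for illustration (verify it against your own contracts and tag inventory), the regex-based `<script src>` extraction is deliberately simple, and the sample HTML is constructed for the demo.

```javascript
// Added example (not InfoTrust/Tag Inspector code): inventory <script src> hosts in a
// page's HTML and flag those belonging to session replay / heatmap vendors.
// SESSION_REPLAY_HOSTS is an assumption for illustration; extend it with the vendors
// you actually contract with and verify it against your own tag inventory.
const SESSION_REPLAY_HOSTS = [
  "static.hotjar.com",
  "script.hotjar.com",
  "edge.fullstory.com",
  "www.clarity.ms",
  "cdn.mouseflow.com",
  "cdn.logrocket.io",
  "rec.smartlook.com",
];

// Exact match or subdomain match (e.g. "eu.static.hotjar.com"), never a substring
// match, so "hotjar.com.attacker.example" style lookalikes are not flagged as vendors.
function isSessionReplayHost(hostname) {
  const h = hostname.toLowerCase();
  return SESSION_REPLAY_HOSTS.some((v) => h === v || h.endsWith("." + v));
}

// Pull every <script ... src="..."> URL out of raw HTML. A regex is enough for a
// first-pass inventory; it is not an HTML parser and cannot see scripts that a tag
// manager injects at runtime (see the usage note).
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve protocol-relative ("//host/x.js") and relative ("/x.js") URLs against the
// page URL so that hostnames can be compared; report malformed URLs rather than dropping them.
function hostnameOf(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname;
  } catch {
    return null;
  }
}

function auditSessionReplayTags(html, pageUrl) {
  const findings = { replay: [], other: [], unparsable: [] };
  for (const src of extractScriptSrcs(html)) {
    const host = hostnameOf(src, pageUrl);
    if (host === null) findings.unparsable.push(src);
    else if (isSessionReplayHost(host)) findings.replay.push({ src, host });
    else findings.other.push({ src, host });
  }
  return findings;
}

// Constructed sample page for the demo; the site, paths and ids are not real.
const SAMPLE_HTML = `
<html><head>
<script src="/assets/app.js"></script>
<script async src="//static.hotjar.com/c/hotjar-0000.js?sv=6"></script>
<script src='https://www.clarity.ms/tag/sampleid'></script>
<script src="https://cdn.example-analytics.com/collect.js"></script>
</head><body></body></html>`;

const report = auditSessionReplayTags(SAMPLE_HTML, "https://www.example.com/");
console.log(JSON.stringify(report, null, 2));
```

A static scan of the served HTML only catches tags hard-coded in the page. Most session replay tags are injected by a tag manager, so run the same `isSessionReplayHost` check in the browser against the URLs returned by `performance.getEntriesByType("resource")` after the page has settled, and repeat the audit across templates and consent states, since a tag that is gated correctly on one page is often fired unconditionally on another.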

Generally, some actions we have witnessed being taken by brands who use the technologies are as follows: 

  1. If session replay technology is deployed on your digital assets but not actively in use, remove the tags.
  2. Where a consent management system is in place, some organizations add session replay as a category that users can accept or deny. If the consumer opts out, the platform is prevented from recording that user.
  3. In addition to allowing opt-out, some websites have begun to explicitly alert consumers that session replay technology is in use. This is often done with a banner dedicated to the recording activity, by including the disclosure in the top-level text of the cookie/data-processing consent experience, and/or via disclosures in the privacy policy. 
  4. In some cases, organizations are simply doing nothing. After review with their legal counsel, they have determined that they are unlikely to be targeted by a professional litigator and/or are comfortable with the level of compliance risk represented by their use of session recording and heatmapping technologies.
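The second action above, gating the recorder on a consent category and honoring an opt-out, is where implementations most often go wrong: the tag fires before the consent banner is answered, or a later opt-out is never propagated to a recorder that is already running. The block below is an added example written for this article, not InfoTrust/Tag Inspector code and not any CMP or replay vendor's API. The category name `session_replay`, the `{ categories: { ... } }` consent shape, and the `load`/`stop` callbacks are assumptions; map them onto your own CMP and your vendor's SDK.

```javascript
// Added example (not InfoTrust/Tag Inspector code, not a CMP vendor's API): gate a
// session replay tag on a consent category and fail closed. The category name, the
// consent object shape and the load/stop callbacks are assumptions for illustration.
const REPLAY_CATEGORY = "session_replay";

// Consent counts as granted only on an explicit boolean true. A missing category, an
// unanswered banner (consent undefined) or a truthy non-boolean such as the string
// "true" all count as denied, so recording never starts by default.
function isGranted(consent, category) {
  return Boolean(consent && consent.categories && consent.categories[category] === true);
}

// The gate owns the "is the recorder loaded?" state so that repeated consent updates
// (banner shown, user accepts, later opts out in preferences) are idempotent: the
// vendor script is injected at most once per grant and stopped exactly once per revocation.
function createReplayGate({ load, stop }) {
  let loaded = false;
  const actions = [];
  return {
    apply(consent) {
      const granted = isGranted(consent, REPLAY_CATEGORY);
      let action;
      if (granted && !loaded) {
        load(); // in the browser: inject the vendor <script> element here, and only here
        loaded = true;
        action = "loaded";
      } else if (!granted && loaded) {
        stop(); // in the browser: call the vendor's stop/opt-out API and drop any buffered events
        loaded = false;
        action = "stopped";
      } else {
        action = granted ? "already_loaded" : "withheld";
      }
      actions.push(action);
      return action;
    },
    isLoaded: () => loaded,
    history: () => actions.slice(),
  };
}

// Walk the gate through a constructed sequence of consent states a real visit produces.
function demo() {
  const events = [];
  const gate = createReplayGate({
    load: () => events.push("script injected"),
    stop: () => events.push("recording stopped, buffer discarded"),
  });
  const states = [
    undefined,                                                  // page load, CMP not yet answered
    { categories: { analytics: true } },                        // replay category absent
    { categories: { analytics: true, session_replay: true } },  // user accepts
    { categories: { analytics: true, session_replay: true } },  // duplicate update from the CMP
    { categories: { analytics: true, session_replay: false } }, // user opts out later
  ];
  const outcomes = states.map((s) => gate.apply(s));
  return { outcomes, events, loadedAtEnd: gate.isLoaded() };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points the sequence makes explicit. First, the vendor tag must have no other path onto the page (no hard-coded `<script>` in the template, no tag-manager trigger that fires on page view), otherwise the gate is decorative. Second, revocation only stops future capture; whatever the recorder already transmitted before the opt-out is in the vendor's hands, which is one more reason to default to `withheld` until consent is affirmatively given rather than recording while the banner is still open.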

For any of these approaches, if you do not currently have a Consent Management Platform (CMP) in place, consider implementing one as soon as possible. By 2026 the United States will have 13 states requiring organizations to allow users to opt out of targeted advertising, and a CMP goes a long way toward operationalizing those requirements. A secondary benefit is that it supports a transparent process for session recording use cases. 

How Can InfoTrust/Tag Inspector Help?

Before you can act, audit your tech stack! Tag Inspector is a leading tag governance solution that can help you determine what tags you have loading and where on your website. Taking inventory of what you have loading is a critical first step. Step two is testing and making sure that your website is always following user consent, which is another area of excellence for Tag Inspector—get compliant and stay compliant! 

The team here at InfoTrust is experienced in designing and implementing consent management systems, as well as the associated tag management work needed to make your website honor users' consent selections.

Ready to audit your stack?

The Tag Inspector team is here to help you get started.
Originally Published On October 26, 2023
November 1, 2023