A growing challenge for privacy compliance in the United States is the rising number of private actions brought under state-level “wiretapping” laws. These laws differ from U.S. state comprehensive privacy laws in that they include a private right of action: individuals (independently or as a class) can bring legal action against a company alleged to have engaged in improper conduct. As a result, industrious law firms have begun widely threatening actions against organizations that use various tracking technologies on their websites. To make matters worse, a recent review of generative AI points to the possibility of these actions exploding in volume over the next several years.
What Is “Wiretapping” Risk?
In the United States, 14 states have “all party” wiretapping laws. All of these limit the conditions under which a third party can record a user. Most are older laws passed when communications could only be recorded in person or over a phone line. Newer methods of online communication, such as tags and pixels on websites, have spawned novel legal theories that apply these laws to the collection of data through those methods. Many of the initial legal actions have focused on the collection of user behavior information via heat mapping and session replay technologies. Actions have since expanded to also target the use of chatbot tools and advertising platforms that collect user behavior.
One of the most common “wiretapping” laws spurring legal challenges is the California Invasion of Privacy Act (CIPA). Under CIPA, it is illegal to record a user via a “pen register” or “trap and trace” device without their explicit consent. Plaintiffs allege that tracking technologies do just this when a website deploys them without obtaining consent beforehand.
To date, courts have sent mixed signals about the viability of these arguments. Some cases have been dismissed, while others are continuing to make their way through the legal system. The general uncertainty about legal interpretation leaves organizations in a very difficult position. In the midst of this uncertainty, some organizations are settling complaints without going to court while others are defending against them with the legal costs that defense entails. The growing volume of wiretapping allegations can lead to “death by a thousand cuts” for organizations using online tracking technologies.
What Compliance Considerations Should Your Org Have in Mind?
In the absence of clear case law to determine what is compliant and what is not, organizations should begin weighing a number of compliance considerations whenever they use online tracking technologies that could introduce wiretapping risk. Namely, organizations should consider whether each platform is operating as a service provider or as a third party, whether collection and data processing activities are sufficiently disclosed, and what kind of user choice is available for the collection and use of users’ personal information.
Service Providers vs Third Parties
We discussed the designation of a “service provider” or “processor” vs a “third party” in the compliance risk review for advertising platforms. To paraphrase, a “service provider” or “processor” is a platform processing a user’s personal information only on behalf of the contracting organization to deliver a defined product or service. Meanwhile, a “third party” is a platform that also uses the user’s personal information for the third-party platform’s own purposes. This designation is particularly important when dealing with platforms that provide session replay, heat mapping, and chatbot functionality. A platform operating as a “third party” carries significantly more risk in the context of wiretapping.
Notice and Disclosure
Notice and disclosure are already universal requirements in global privacy laws and regulations. U.S. state laws require notice to users about the categories of information collected from them, the purposes for that collection/processing, and the categories of platforms to which their information is disclosed. GDPR likewise requires notice of all personal data collected and processed, the purposes of processing, and the platforms to which personal data is disclosed, among other obligations. Notice in the case of potential ‘wiretapping’ platforms should be no different.
Central to the arguments raised in CIPA and similar violation allegations for ‘wiretapping’ is that users are not provided adequate notice of the use of platforms which collect information about their activities on a website. It is critical that consumers have a means of understanding that their interactions with the website are being recorded and disclosed to partner platforms.
User Choice
Another argument raised in CIPA violation allegations concerns consent, and whether users have provided adequate consent to the recording of their communications and behaviors. In some cases to date, courts have found that even if the recording of the user’s information would fall within definitions of ‘wiretapping’, the user has implicitly consented by simply accessing the website. In other cases, however, courts have not found this to be the case, implying instead that explicit consent for the recording of behavior would be necessary.
All of these findings to date have been preliminary rulings, so no final requirement has been established in case law. At the very least, it is important to fully disclose the use of platforms and collection of user behavior information. In doing so, the argument that implied consent has been given would have a logical basis.
What You Can Do Today
In the absence of established case law setting firm requirements for the use of tracking technologies in the context of ‘wiretapping’ laws, organizations are left uncertain about how to proceed. However, this does not mean that nothing can be done to begin mitigating these risks. Privacy laws are on the books and can provide directional guidance for risk mitigation actions. A few actions that we see organizations taking:
1. Inventory platforms in use on websites
It is impossible to evaluate risks and ensure all data collection and usage by tracking technologies is disclosed to your website users if you do not know all of the platforms collecting data on your websites. It is critical to start with a comprehensive inventory of all the tags and pixels loading and collecting consumer data.
2. Conduct risk assessments for all platforms in use
Once you have a comprehensive inventory of all platforms loading on your site and collecting consumer data, a process of risk assessment can be conducted. Critical for wiretapping risk is understanding, through contract review and review of purposes of processing, if the platform in question is operating as a service provider/processor or as a third party. From there, document what data is being collected and the purposes for processing to consider additional compliance obligations.
3. Address notice and choice
Following a full review of all platforms in use and documented risk assessments, you can then address user notice and choice. At a minimum, it is a good idea to provide notice to users of the use of tracking technologies. Notice should account for all relevant laws and regulations as well as unique callouts for potential wiretapping implications. In addition, in the United States, it is a good idea to provide an opt-out ability for any platform deemed to present a ‘wiretapping’ risk. Some organizations are taking this one step further and relying upon explicit consent prior to data collection by these platforms.
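As an added illustration of the three steps above (not code from the original article), the snippet below turns a platform inventory and its risk assessment into a load decision for each tag: third-party platforms that record behavior wait for explicit opt-in, other wiretapping-risk platforms honor an opt-out, and nothing else is injected until the user’s choice is known. The platform names, script URLs and the opt-in/opt-out tiering are constructed assumptions, not the article’s.

```javascript
// Added example (not from the original article): consent-gated loading of
// website tracking tags driven by a platform inventory and risk assessment.
// Platform ids, URLs and role classifications below are constructed for
// illustration; real roles come from your own contract review (step 2).

// Step 1/2 output: every tag loading on the site, with the role the contract
// review established and whether it records user behavior (session replay,
// heat maps, chat transcripts).
const TAG_INVENTORY = [
  { id: "analytics-sp", role: "service_provider", recordsBehavior: false, src: "https://example.invalid/analytics.js" },
  { id: "replay-3p",    role: "third_party",      recordsBehavior: true,  src: "https://example.invalid/replay.js" },
  { id: "chat-sp",      role: "service_provider", recordsBehavior: true,  src: "https://example.invalid/chat.js" },
  { id: "ads-3p",       role: "third_party",      recordsBehavior: false, src: "https://example.invalid/ads.js" },
];

// Step 3 policy (an assumed tiering, not a legal standard):
//  - third party AND records behavior: blocked until the user opts in
//  - any other wiretapping-risk tag (third party, or records behavior):
//    loads unless the user has opted out
//  - everything else: loads by default
function decideTag(tag, choice) {
  const thirdPartyRecording = tag.role === "third_party" && tag.recordsBehavior;
  const wiretapRisk = tag.role === "third_party" || tag.recordsBehavior;
  if (thirdPartyRecording) return choice.optIn.includes(tag.id) ? "load" : "block";
  if (wiretapRisk) return choice.optOut.includes(tag.id) ? "block" : "load";
  return "load";
}

// Partition the inventory into tags that may load and tags that must not.
function planTagLoads(inventory, choice) {
  const plan = { load: [], block: [] };
  for (const tag of inventory) plan[decideTag(tag, choice)].push(tag.id);
  return plan;
}

// Inject only the approved tags. Blocked tags never reach the page, so no
// data is collected before the user's choice has been recorded. Outside a
// browser (no `document`) the plan is returned without injecting anything.
function injectApproved(inventory, choice, doc = globalThis.document) {
  const plan = planTagLoads(inventory, choice);
  if (!doc) return plan;
  for (const tag of inventory.filter((t) => plan.load.includes(t.id))) {
    const s = doc.createElement("script");
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return plan;
}
```

Call `injectApproved(TAG_INVENTORY, choice)` from the consent banner's callback, re-running it whenever the stored choice changes, so the third-party recording tag is only ever added after an explicit opt-in.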
States with “all party” wiretapping laws on the books present a unique privacy compliance risk for organizations. The current ambiguity about requirements, coupled with the private rights of action included in these laws, makes them a target for private litigators. It is critical to stay on top of changes in requirements stemming from case law and to begin taking steps for risk mitigation to protect the compliance posture of your organization’s websites.