The Plaintiffs’ Bar is well-known for pushing the boundaries of existing (and sometimes very old) laws with new and novel privacy claims. The most recent targets of this trend are (1) the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710 (and similar state video privacy acts); and (2) state wiretap laws, particularly the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq. Plaintiffs’ claims seek to extend dated statutory requirements to modern technologies, such as online video players, chatbots and session replay tools. Many of these actions have advanced past motions to dismiss, which means that companies employing certain types of common website technologies should take notice.
THE VIDEO PRIVACY PROTECTION ACT
The VPPA was enacted in 1998 to prevent video rental services from sharing private information about their customers’ rental history. The law prohibits a “video tape service provider” (i.e., a person who provides rental, sale or delivery of prerecorded video cassette tapes or similar audio-visual materials) from knowingly disclosing information that identifies a customer as having requested specific video materials.
Plaintiffs have so far met with mixed success in their efforts to further extend the VPPA. For example, in a recent ruling against the National Football League (NFL), the US District Court for the District of Rhode Island denied the NFL’s motion to dismiss as to tracking technologies embedded in prerecorded videos but granted the NFL’s motion with respect to live broadcasts, concluding that those were not “recorded” materials. Louth v. NFL Enterprises LLC, No. 1:21-cv-00405 (D.R.I. Sept. 12, 2022). The NFL ruling mirrors other recent rulings. (See, e.g., Ambrose v. Boston Globe Media Partners, LLC, No. 1:22-cv-10195 (D. Mass. Sept. 19, 2022).)
STATE WIRETAP LAWS
State wiretap laws, such as the CIPA, have similarly been extended to modern technologies through litigation. Among other provisions that have been litigated in privacy-related lawsuits, CIPA prohibits the interception of a communication, or the attempt to read or learn the contents of a communication, while in transit without the consent of all parties to the communication. CIPA also prohibits the “eavesdrop[ping]” or “record[ing]” of a confidential communication without the consent of the parties to the communication. Recent class actions have sought to apply this law to modern Internet technologies, focusing on two technologies in particular: session replay tools and chatbots.
Session replay tools collect information about a user’s interactions with a webpage, such as mouse movements, clicks and pageviews, to recreate a user’s experience on the website in a session. Session replay tools can also monitor a user’s movement on a particular webpage, including, for example, recording the details a user has entered into a webform. Plaintiffs now allege that the recording of these actions, often by a third party who provides the session replay tool, violates CIPA because users are unaware of and have not consented to the recording. Some of these claims have succeeded. In Javier v. Assurance IQ, LLC, the US Court of Appeals for the Ninth Circuit reversed the trial court’s dismissal, holding that use of session replay tools without prior consent can be a violation of CIPA. No. 1:21-cv-16351 (9th Cir. May 9, 2022). The success of Javier has opened the door to a barrage of session replay and other similar claims.
As an extension of the session replay claims, CIPA actions have also begun to focus on chatbots. The gist of these claims is similar to those involving session replay tools: chatbots violate CIPA by recording or learning the contents of a user’s communications without the user’s consent.
And the drumbeat is not confined to California. Plaintiffs are bringing similar claims under wiretap laws in other states, such as Florida and Pennsylvania.
HOW TO PREPARE
Companies should evaluate whether they use any of these tools that are being targeted by Plaintiffs, such as chatbots, session replay or tracking technologies embedded in videos (including, for example, training videos or commercial advertisements), and assess the risk posed by this recent wave of class actions. Companies can also take steps to mitigate their risk, such as clearly disclosing the use of these technologies in privacy notices and just-in-time notices where feasible. Reach out to your regular McDermott contact or one of the authors of this article for help preparing.