This article was originally published in Westlaw Today on September 6, 2023.
Within the last year, there has been a new wave of class action lawsuits targeting a wide array of companies that own and operate websites (also known as “website operators”), including, but not limited to, streaming services, entertainment companies, professional sports leagues and, in certain instances, their respective clubs (such as where the club owns all the data submitted via its website), that use technology to track consumers’ interactions with their websites.
These lawsuits generally allege that the use of technologies, such as tracking pixels, chatbots, and session replay, results in violations of the Video Privacy Protection Act of 1998 (VPPA) and/or federal and state wiretapping laws.
To minimize potential liability, companies need to be aware of what technologies are used on their platforms, how they are used, and what consents need to be obtained from platform users. However, before engaging in that analysis, entities in the sports and entertainment industry should determine whether they (or other third parties) “own” the data submitted via their websites and other online platforms.
Tracking pixels and VPPA claims
In the last year, there has been an uptick in class actions under the VPPA against organizations that use pixels on their websites to track user behavior. The VPPA prohibits disclosing a user’s consumption of video content containing personally identifiable information (PII) without first obtaining a user’s informed, written consent. The VPPA includes a private right of action, where plaintiffs injured by prohibited disclosures may recover up to US$2,500 in statutory damages.
Although the VPPA originally applied to protecting PII in the context of video rentals (e.g., Blockbuster), the ever-creative class action plaintiffs’ bar has seized on this archaic statute to bring suits against companies using widely available and commonly used online tracking tools, such as pixels, to analyze consumer habits for purposes of targeted advertising.
The VPPA was amended a decade ago after an influx of class action litigation against streaming services for displaying users’ watch histories. Now, the VPPA permits disclosures of PII to third parties only with a user’s informed written consent before a disclosure is made.
As you might imagine, potential claims arise when a website operator uses pixels on their website to target advertisements to users where video content is provided, and data relating to such users’ video history on that site is then shared with third parties unbeknownst to the users, and without their prior consent.
The success of website operators in securing the dismissal of VPPA claims has been a mixed bag thus far, with some courts expressing reluctance to dismiss these cases early on without discovery.
In response to these VPPA cases, defendants have advanced several arguments, which have been met with varying levels of success to date:
- The plaintiff (a website visitor) is not a “consumer” because that user does not rent, purchase, or subscribe to goods or services from the defendant.
- The information disclosed by the tracking technology is not “personally identifiable information” because it alone does not allow a person to be identified.
- The defendant is not a “video tape service provider” because the defendant is not “engaged in the business” of delivering video content.
While success on any one of these defenses would carry the day for a defendant, the issue for many defendants is that these defenses are easily made into questions of fact, meaning they are more appropriate for resolution on summary judgment than on a motion to dismiss.
Chatbots and wiretapping claims
Recent litigation has also surfaced in California state and federal courts asserting violations of the California Invasion of Privacy Act (CIPA), claiming that website operators are intentionally wiretapping or eavesdropping on users by recording and sharing information gathered during a user’s interaction with the site’s automated chat features (or “chatbots”) without user consent. Similar suits have been filed under other all-party consent state statutes, which require companies to inform all parties in a conversation that they are being recorded and further obtain their consent to the recording.
These chat features are often operated by third-party vendors that provide the underlying chat service and/or record the chat communications with a website’s users for analytics purposes. And the plaintiffs’ bar has claimed, with some success, that using these chatbots absent prior consent from users amounts to illegal wiretapping under CIPA, which requires prior consent from all parties to intercept a communication. Specifically, they have alleged that a customer’s interaction with a sports club’s website is a “communication” between the customer and the sports club, which is being “intercepted” by the third-party vendor.
Chatbots are cost-effective tools that allow a company, via its website, to engage with users, answer questions, and provide information about its products and services. However, businesses operating websites accessible in California that use chatbots to collect user information should be aware of these types of claims because, even without actual injury, statutory damages can impose significant monetary liability.
For instance, companies can face a minimum of US$5,000 per violation, in addition to plaintiffs’ attorney’s fees and costs. And litigation is expensive, even if the claims are without merit. As a result, businesses operating websites with chatbots that are accessible in California should reassess their chat features to ensure that (i) valid consent is obtained from users, and (ii) their privacy notices accurately reflect their collection and disclosure of user information obtained via interactions with the site’s chatbot.
Session replay technology and wiretapping claims
Similar to the risks associated with chatbots, companies that use session replay technology on their websites also face a risk of illegal wiretapping claims from plaintiffs. Session replay technology allows a website to capture or track users’ behavior, including, but not limited to, webpages viewed, keyboard activity, mouse clicks, and other user movements around the website. Companies with consumer-facing websites use this type of technology to better understand how consumers interact with a site and what improvements can be made.
Recently, plaintiffs’ lawyers have brought class actions against organizations that utilize session replay technology, arguing that using such technology without a consumer’s affirmative consent before tracking is an illegal wiretap. Two recent Third and Ninth Circuit decisions may open the floodgates to consumer class action suits against companies that use session replay technology.
Last year, the Ninth Circuit held that a life insurance company failed to obtain affirmative consumer consent before using a third-party replay tool to record personal information entered on an online questionnaire. In that case, the company attempted to argue that the consumer consented to the replay tool because the consumer retroactively consented after completing the questionnaire. The court held that retroactive consent to such technology does not constitute affirmative consent.
Similarly, last year the Third Circuit reversed a district court and held that a retailer’s use of session replay technology while the consumer browsed the website without first obtaining consent was unlawful surveillance. Again, obtaining prior consent from consumers is critical to minimize potential liability under federal and state wiretapping laws.
Minimizing the risk of litigation
Businesses that operate websites that use tracking pixels, chatbots, session replay, and similar tracking technologies can face significant exposure to liability unless appropriate proactive measures are taken.
To minimize potential liability, companies should examine all of the tracking technologies utilized on their respective websites, understand how these technologies are used and whether data collected by these technologies is shared with any third parties, and assess whether valid consent is obtained from users (and, if applicable, implement a banner or other mechanism to gather such consent).
Specifically, businesses of all sizes utilizing tracking technologies should consider whether a consent manager for their website(s) is an appropriate, cost-effective way to potentially avoid class action litigation in this setting while providing users with a choice about how their information is collected and used via these technologies.
The authors gratefully acknowledge the contributions of Lauren Hudon, a student at Marquette University Law School and 2023 summer associate at Foley & Lardner LLP.