In a class action with potentially significant impact on data sharing disclosures that companies routinely provide in online privacy policies, the Third Circuit recently ruled that NaviStone, a third party marketing service, was not a “direct party” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) and thus was potentially subject to liquidated damages under that statute for intercepting communications between the plaintiff and the website she had visited. The interplay between the Third Circuit’s ruling and the potential impact on privacy policy disclosures require some technical background, which we have done our best to summarize.
The plaintiff in Popa v. Harriet Carter Gifts had visited the Harriet Carter Gifts website and begun the process for completing an online purchase of cat stairs. As occurs during many website interactions, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused the plaintiff’s browser to simultaneously send a GET request to NaviStone. When it received the GET Request, NaviStone sent code to plaintiff’s browser that enabled the installation of a cookie which both identified the browser and tracked plaintiff’s activity on the Harriet Carter website. This communication stream also enabled NaviStone to facilitate targeted advertising to plaintiff. The lawsuit alleged that the HTML code re-routing electronic communications to NaviStone constituted an illegal interception under Pennsylvania’s wiretap law. The district court granted summary judgment against plaintiff, but the Third Circuit reversed.
The Third Circuit’s analysis focused on whether NaviStone was a “direct party” to the communications between Harriet Carter and plaintiff, which is an exception recognized by the Federal Wiretap Law as well as the wiretap laws of other states. Pennsylvania had previously adopted a similar exemption, but did so in the context of law enforcement investigations where police officers had masqueraded as intended recipients of communications. The Third Circuit ruled that this was the only scenario under which WESCA recognized a direct party exception. Critical to the Court’s determination that Pennsylvania’s direct party exception was limited to law enforcement was a 2012 amendment to the law that expressly revised the law’s definition of “intercept” to exclude monitoring by law enforcement masquerading as third parties. Under rules of statutory construction, the Court held that this express limitation foreclosed broader exceptions, thus limiting the scope of the direct party exception. In other words, only law enforcement officers, under the expressly identified scenarios set forth in WESCA, can avail themselves of the direct party exception.
The Third Circuit’s analysis did not end there, however. The Court also considered – and rejected – NaviStone’s contention that the interception occurred in Virginia, where the defendant was located, finding instead that the interception occurred at the point where the communication was re-routed to NaviStone, which occurred on plaintiff’s browser. This ruling thus disposed of NaviStone’s argument that WESCA could not regulate commerce that occurred wholly outside the Commonwealth.
In response to NaviStone’s “parade of horribles” argument, the Third Circuit noted that its ruling does not necessarily foreclose websites’ usage of cookies or third party marketing companies. In particular, the Court noted that WESCA provides an all-party consent exception whereby a interception is permissible if all parties to the communication consent. Which leads to perhaps the key question: did plaintiff consent to NaviStone’s interception of her electronic communications?
NaviStone argued that the Harriet Carter privacy policy disclosed the sharing of personal information with third parties and thus plaintiff impliedly consented to the interception of her communications by NaviStone. Pennsylvania, like many states, recognizes that prior consent to wiretapping “can be demonstrated when the person being recorded knew or should have known[] that the conversation is being recorded.” Plaintiff argued that she had neither read the privacy policy nor agreed to its terms. The Third Circuit ultimately declined to rule on this, remanding the issue to the District Court for further consideration.
The District Court’s pending ruling on whether prior consent can be implied through privacy policy disclosures may have a significant impact on future wiretap cases. Thousands of U.S. websites are configured with third party code, such as NaviStone’s, to enable digital advertising. Thirty-eight (38) states, in addition to the District of Columbia, have a wiretap law, and many such laws contain liquidated damages provisions of $1,000 (or more) per violation. Eleven (11) states require all-party consent to the recording of conversations. Whether all-party consent can be inferred through the posting of a privacy policy that discloses third party sharing of electronic communications will therefore be a closely watched issue by plaintiff’s attorneys, digital marketers and other third parties that obtain personally identifiable information through cookies and third party data sharing. Any ruling that does not clearly embrace a broad reading of prior consent may lead to increased wiretap litigation in states with wiretap laws like Pennsylvania.