PLAY IT AGAIN, SAM . . . BUT WAIT – WHAT IS HE PLAYING, AND WHO IS SAM?: Website Session Replay Software and Wiretapping

The trend of class action cases alleging wiretap statute violations against website operators for the use of session replay software to collect information of website users, as our privacy team previously discussed here, continues to be a concern for companies in 2024.  While many of these cases have turned on whether website operators disclosed and obtained consent from website users prior to deploying any session replay software, a recent decision in a pending class action brought under the Pennsylvania Wiretap Act indicates that consent alone may not be the end of the story in these cases.

Brittany Vonbergen brought an action on behalf of herself and other similarly situated Pennsylvania residents against Liberty Mutual Insurance Company for violating the Pennsylvania Wiretap Act through its use of session replay software on Liberty Mutual’s website.[i]  Liberty Mutual moved to dismiss Vonbergen’s complaint for lack of personal jurisdiction and failure to state a claim, a motion the Court denied on both grounds.[ii] 

Like many website operators, Liberty Mutual employs session replay software on its website that allegedly allows it to record and view a website user’s interaction with its website “in real-time,” enables “playback of individual browsing sessions,” and formats the data collected in that process for analytical use.[iii]  Without her consent, Vonbergen alleged, the providers of this third-party software unlawfully intercepted her electronic communications with Liberty Mutual’s website including how she “interacted with the website, her mouse movements and clicks, keystrokes, search terms, information, and personally identifiable information” in addition to “pages and content viewed while visiting the website,” and that Liberty Mutual “knowingly and intentionally facilitated” that interception.[iv]

Around March 2022, Vonbergen filled out an online auto insurance quote form, specifically designed for Pennsylvania residents,

“in which she was required to communicate the following personal information: zip code, name, birthdate, address, how long she had lived at that address, email address, license plate number or Vehicle Identification Number, whether she owned, financed, or leased her vehicle, frequency of commuting to New York or New Jersey, where she kept her vehicle, the year she bought her vehicle, whether she was married, gender identity, age when she got her license, phone number, current auto insurance information, prior insurance coverage, employment status, education, and whether she rented or owned her home.”[v] 

With each action she took, Vonbergen alleged, “the session replay software . . . contemporaneously and instantaneously created a duplicate request-and-response communication for her actions and routed these purported communications” to the third-party servers of the providers of Liberty Mutual’s chosen session replay software “without her knowledge or consent.”[vi]  She alleged no disclosure or request for her consent was presented to her prior to filling out the online form, and “she reasonably expected her visit to Liberty Mutual’s website would be private” and not tracked or recorded by any third-party.[vii]

Did They Know Sam Would Aim At Pennsylvania?

The Court first addressed Liberty Mutual’s argument it was not subject to specific personal jurisdiction in Pennsylvania.  The Court found that Vonbergen had sufficiently alleged “Liberty Mutual committed an intentional tort – intentionally invading her reasonable expectation of privacy by intercepting her electronic communications using session replay software” and that “she felt the brunt of the harm in Pennsylvania because she was located in Pennsylvania when Liberty Mutual allegedly invaded her privacy and intercepted her electronic communications.”[viii]  Denying Liberty Mutual’s motion to dismiss for lack of personal jurisdiction, the Court noted that as to whether Liberty Mutual expressly aimed such conduct at Pennsylvania, additional information was necessary to resolve the question.[ix]

Liberty Mutual argued the marketing and sales information included on its website, and whether the same was targeted toward Pennsylvania, was irrelevant to Vonbergen’s claim, “which is premised solely on website-monitoring activity.”[x]  In response, Vonbergen argued that Liberty Mutual “knew, or should have known, [the software it employed] would gather the electronic communications of Pennsylvania residents,” “knowingly aimed its tortious conduct at Pennsylvania,” and it was irrelevant whether “in addition to targeting Pennsylvania, Liberty Mutual [had] also aimed its tortious conduct elsewhere.”[xi]

The Court acknowledged that “Vonbergen has certainly pled that Liberty Mutual expressly aimed its website at Pennsylvania by furnishing Pennsylvania-specific forms that ask Pennsylvania-specific questions in order to obtain Pennsylvania-specific insurance from Liberty Mutual,” not that it merely operated an interactive website that is nationally accessible.[xii]  Eliciting Pennsylvania-specific information and intercepting those communications via session replay software suggest “with reasonable particularity the possibility that Liberty Mutual expressly aimed its tortious conduct at Pennsylvania.”[xiii]  Yet, the Court concluded it could not hold as a matter of law that because Liberty Mutual “knowingly aimed its website at Pennsylvanians and knowingly used allegedly tortious software on that website” it “knew that its use of session replay software would be directed at the same Pennsylvanians that it targeted by means of its website.”[xiv]  The Court denied the motion to dismiss and ordered jurisdictional discovery to determine whether Liberty Mutual “knew the brunt of the harm would be suffered in Pennsylvania” emphasizing that the underlying facts and evidence of what Liberty Mutual knew about its chosen session replay software, and when they knew it, would be determinative as to whether the Court could properly exercise personal jurisdiction over Liberty Mutual.[xv]

Just the Facts, Sam

In its discussion denying Liberty Mutual’s motion to dismiss for failure to state a claim under the Pennsylvania Wiretap Act, the Court focused on the importance of information to be obtained in discovery in enabling the Court to make necessary factual findings to determine key questions.[xvi]  Specifically, the Court noted that a more fulsome record was necessary to determine, in the context of Pennsylvania’s Wiretap Act, whether the session replay software employed would be considered a “device,” and whether the browsing activity collected would be considered the “contents of a communication.”[xvii]

Liberty Mutual argued that a device must be tangible, and therefore session replay software could not be considered a “device” under the Act.[xviii]  However, the Court reasoned that the “Act broadly defines an electronic or medical device as "any device or apparatus ... that can be used to intercept a wire, electronic or oral communication",” and declined to hold that session replay software is excluded from this definition as a matter of law.[xix]  The Court explained that various courts have held that software both did and did not constitute a device under Pennsylvania’s Wiretap Act and other similar anti-wiretapping statutes depending on how the software in question operated, and stated that “[g]iven the early stage of these proceedings, this Court will wait to determine whether session replay software constitutes a device . . . on a more fulsome record.”[xx]  The Court declined to impose a condition that a device must be tangible, and instead focused on the evidence to be obtained through discovery about how the session replay software operated in deciding whether the software could be considered a device under the Act.

Further, Liberty Mutual argued that Vonbergen’s browsing activity, including her mouse clicks, keystrokes, and search terms, lacked the type of contents that “are the hallmark of illegal “interceptions” under the act.”[xxi]  In analyzing this argument, the Court discussed prior cases in other jurisdictions that dismissed similar claims finding that the information collected did not constitute the contents of a communication, but were instead analogous to information that could have been obtained via a security camera that intercepted “a patron's movements through a brick-and-mortar store while they search for some undisclosed object.”[xxii]  Discovery is necessary, the Court concluded, to determine whether that analogy applies to Vonbergen’s browsing activity here and the specific session replay software at issue and whether Vonbergen’s clicks and keystrokes constituted content in the context of what Liberty Mutual did, or did not, do with the information it collected via the session replay software.[xxiii] Like the determination of whether the software in question could be considered a “device” under the Act, the Court emphasized that the devil is in the details regarding whether the information collected could be considered “contents of a communication.”

Consent and Disclosing Who Sam Is?

Even though Vonbergen alleged she was presented no disclosure or request for her consent by Liberty Mutual’s website, the Court agreed with Liberty Mutual’s argument that her prior consent could be demonstrated because Vonbergen “knew or should have known” that Liberty Mutual “would store the information [she] submitted via an online insurance form.”[xxiv] “However,” the Court reasoned, “Vonbergen has alleged that Liberty Mutual procured third parties to intercept her electronic communications, and the Court is reluctant to find that any reasonable person entering his or her information into an online form implicitly consents to its interception by a third party.”[xxv] 

In its analysis of this argument, the Court distinguished the criminal cases cited by Liberty Mutual noting that, Vonbergen was not warned her activity could be monitored or recorded before she entered information into Liberty Mutual’s insurance form, and that even if she consented to Liberty Mutual recording of her personal information, “she [had] plausibly alleged that she was not aware Liberty Mutual had procured an undisclosed third party to intercept that information too.”[xxvi]  Despite Liberty Mutual urging the Court to find the third party software operators to be “mere extensions of Liberty Mutual,” as California district courts have found in cases alleging violations of California’s Invasion of Privacy Act on similar facts, the Court reasoned it was “inappropriate” to make this proposed factual finding as a matter of law “at this early juncture in the proceedings.”[xxvii] 

Facts and circumstances germane to whether the third party involved in the communication was merely an extension of the website owner, such that the two could be fairly considered the same party under the Pennsylvania Wiretap Act, or was, conversely, a true third party that was an outsider to the communication between Liberty Mutual and Vonbergen could include:

• The parameters of the relationship between Liberty Mutual and the third party software providers;

• Whether the session replay software ran on Liberty Mutual’s website servers or servers belonging to the third party; and

• Whether the third party retained any copies of the information collected prior to or after providing that information to Liberty Mutual. 

The Court’s discussion of this point highlights the necessity of not only obtaining a website user’s consent to the recording of their activity by session replay software and similar tools, but also disclosure of and consent to any third party involvement in the collection of information via that software.  That discussion would be a moot point had Vonbergen been presented with an explicit disclosure of the third party software provider’s existence and role in the communication and had her explicit consent to the same been documented by Liberty Mutual.

DISCLAIMER: The information contained in this blog is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this blog or your existing LitSmart contact. The invitation to contact the author is not to be construed as a solicitation for legal work. Any new attorney/client relationship will be confirmed in writing.