Don’t Press Replay: Third Circuit Rules in Favor of User Privacy with Popa Decision

Dec 23, 2022 | Blog

Popa v. Harriet Carter Gifts, Inc., 45 F. 4th 687 (3d Cir. 2022), reh’g granted and opinion vacated, No. 21-2203, 2022 WL 10224695 (3d Cir. Oct. 18, 2022), and on reh’g, 52 F. 4th 121 (3d Cir. 2022)

In August 2022, the Third Circuit handed down a decision addressing both exceptions to and the definition of “intercept” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA).[1]

In Popa v. Harriet Carter Gifts, Inc., Plaintiff brought an action for WESCA violations after visiting a website owned by Harriet Carter Gifts. She claimed that NaviStone, a third-party marketing service, embedded “session replay” software code on Harriet Carter Gifts’ website that caused Plaintiff’s browser to communicate with both Harriet Carter Gifts and NaviStone simultaneously, allowing her interactions to be tracked.

Specifically, she alleged that NaviStone intercepted her communication with the Harriet Carter Gifts website, and that Harriet Carter Gifts facilitated this interception by installing the code on its website knowing the code would collect and transmit the information communicated by Plaintiff to NaviStone.

The District Court granted summary judgment for Defendants, holding that there was no interception because NaviStone was a party to the communication, and that even if there was an interception, it occurred where NaviStone’s servers were located, in Virginia, and so was not covered by WESCA.

On appeal, the Third Circuit disagreed, clarifying that there is no direct-party exception under the WESCA. The Court reasoned that by explicitly incorporating the law enforcement exception but not the direct-party exception in the 2012 amendment to the statute, the legislature intended a narrow exception applicable only in the context of law enforcement. The Court held that under the WESCA, unlike the federal wiretap statute, a third party may not intercept communications even if the transmission is simultaneous, and that the consent of one party is not sufficient to avoid liability. All parties must consent.

The Third Circuit also addressed the question of where the interception occurred. While the Defendant argued interception occurred when the information reached its servers in Virginia, Plaintiff argued the interception occurred when her communications were sent from her browser to NaviStone without her knowledge. The Court noted that the WESCA defines interception as “aural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.”[2] Based on the ordinary use of “acquisition,” the Court held that “interception occurs where there is an act taken to gain possession of communications using a device.” Consequently, interception occurred where NaviStone routed the communications to its servers, which was at Plaintiff’s browser.

The lower court’s decision was vacated, and the matter remanded for further proceedings to determine where NaviStone routed the communications to their servers and whether Plaintiff had consented to the interception.

The Third Circuit’s decision in Popa has potentially wide-ranging impacts. Website users are communicating with the website, and companies that embed code designed to transmit this data to third parties, whether for analytics or another purpose, could be held liable under the WESCA. The fact that the data is transmitted directly from the user’s browser to the session replay code provider’s servers protects neither the website operator nor the session replay company from liability. Both may be subject to penalties of $100 a day for each day of violation, or $1,000, whichever is higher.

In 2017, researchers at Princeton’s Center for Information Technology Policy found that 492 of the most popular websites used session replay technology.[3] In August 2022, IDC, a global provider of market intelligence, reported that the customer experience continues to be a top priority when it comes to businesses’ tech and analytics spending.[4] It is likely that website operators will continue to deploy session replay code and similar technologies to harness consumer data for their own benefit. As a result, these websites may be collecting troves of personal data, including Personal Health Information, login and password information, Social Security numbers, credit card information, search information, and any other sensitive information disclosed through interaction with the website.

For more information contact Christian Levis at clevis@lowey.com or Amanda Fiorilla at afiorilla@lowey.com.


[1] Popa v. Harriet Carter Gifts, Inc., 45 F. 4th 687 (3d Cir. 2022), reh’g granted and opinion vacated, No. 21-2203, 2022 WL 10224695 (3d Cir. Oct. 18, 2022), and on reh’g, 52 F. 4th 121 (3d Cir. 2022)

[2] 18 Pa. C.S. § 5702.

[3] Steven Englehardt, No Boundaries: Exfiltration of personal data by session-replay scripts, Freedom to Tinker, (Nov. 17, 2017) https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/.

[4] David Wallace, How Data Maturity and Product Analytics Improve Digital Experiences and Business Outcomes, IDC, (August 2022), https://assets.ctfassets.net/jicu8fwm4fvs/H4zSwtwM3wD4GeyoLsmit/38cf9bb379b001ef963e358be75dcfcc/IDC_HeapAnalytics_WhitePaper_Final.pdf