LawFlash

Third Circuit Rejects Direct-Party Exception for Digital Marketers Under Pennsylvania’s Wiretap Statute

August 24, 2022

In a precedential decision with potential implications for online privacy disclosures and consent practices, the Court of Appeals for the Third Circuit recently ruled that a retailer and its third-party digital marketer were not exempt from liability under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act simply because the marketer’s server directly received the relevant communications from the plaintiff.

In Popa v. Harriet Carter Gifts Inc., the Third Circuit found that the only direct-party exception under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) is for certain law enforcement activity specified in a 2012 statutory amendment. The court also ruled that the marketer’s alleged interception of the plaintiff’s online communications with the retailer occurred at the point where the marketer routed those alleged communications to its own servers, not merely where the marketer’s servers received them outside of Pennsylvania.

Given the court’s expansive view of WESCA’s reach, there may be renewed interest in session replay and other website tracking claims under the statute. To mitigate risk of liability and liquidated damages claims under Pennsylvania law, businesses and their digital marketers may want to review their disclosures and online practices to evaluate the strength of other defenses or exceptions to WECSA liability, including prior consent to any third-party data sharing.

BACKGROUND

In the putative class action lawsuit, plaintiff Ashley Popa alleged that she used her iPhone to shop for pet stairs on the website of Harriet Carter Gifts but did not ultimately complete the purchase. When she did so, Harriet Carter Gifts sent HTML code to the plaintiff’s browser that caused her browser to send a GET request to NaviStone, a digital marketer. Upon receipt of that GET request, NaviStone sent code to the plaintiff’s browser that installed cookies, captured certain information regarding the plaintiff’s activity on the Harriet Carter website, shared that information with NaviStone, and enabled NaviStone to assist Harriet Carter with targeted advertising. The plaintiff claimed that the rerouting of communications to NaviStone constituted an illegal interception under WESCA.

After the defendants won summary judgment at the district court level, the Court of Appeals for the Third Circuit vacated the order and remanded. The Third Circuit ruled that (1) the defendants could not avoid WESCA liability merely by showing that NaviStone directly received the challenged communications from the plaintiff, because the only direct-party exception under WESCA applies to certain law enforcement activities; (2) NaviStone’s alleged “interception” of the plaintiff’s online communications occurred at the point where it routed the plaintiff’s communications to NaviStone’s servers, even if NaviStone ultimately received those communications outside of Pennsylvania; and (3) whether Popa gave prior consent to the challenged interception of her communications required further consideration from the district court on remand.  

DIRECT-PARTY EXCEPTION

Under the Federal Wiretap Act and other state wiretap statutes, defendants are exempt from liability pertaining to communications they received directly from the plaintiff. The rationale for that exception, in general terms, is that a wiretapping claim requires interception of a communication, and a defendant does not intercept a communication that it directly receives from the plaintiff. Prior Pennsylvania case law found a direct-party exception to WESCA liability and applied it specifically to scenarios where a law enforcement officer covertly posing as another person directly received a communication as part of a criminal investigation.

In taking a narrow view of the direct-party exception under WESCA, the court relied on the 2012 amendment to the statute. In 2012, the state legislature amended WESCA to make clear that there is no WESCA liability for certain law enforcement activities, including where an officer directly receives a communication in an undercover or covert capacity with supervisory approval. The amendment did not specifically adopt a broader exception for other kinds of direct-party communications. The court construed that as a legislative decision to reject a direct-party exception beyond the law enforcement context enumerated in the amended statute. As a result, NaviStone was not exempt from liability under WESCA, even though its servers directly received the relevant communications from the plaintiff.

EXTRATERRITORIALITY AND THE PLACE OF INTERCEPTION

While the court took a narrow view of the direct-party exception to WESCA liability, it took a broader approach to analyzing where interception occurs for purposes of WESCA applicability. NaviStone argued that, to the extent any interception of the plaintiff’s communications occurred, it only occurred in Virginia, where NaviStone’s servers received the information at issue. In other words, the potential “acquisition of the contents” of any covered communication occurred outside of Pennsylvania. Accordingly, NaviStone asserted that WESCA should not apply to such out-of-state commerce because that application would violate the Commerce Clause.

In rejecting that argument, the court held that interception occurs “where there is an act taken to gain possession of communications using a device.” Therefore, the court found that the interception occurred where NaviStone’s JavaScript code rerouted the plaintiff’s communications with Harriet Carter to NaviStone’s servers. According to the court, such rerouting occurred at the location of plaintiff’s browser, which presumably was the location of her iPhone at the time of the rerouting; however, the court left it to the district court on remand to determine whether plaintiff’s browser was in Pennsylvania at the time of the challenged rerouting.

CONSENT

Finally, in response to NaviStone’s arguments about the undesirable consequences of interpreting and applying WESCA in such a broad fashion, the court noted that its ruling did not necessarily foreclose the use of tracking cookies or third-party digital marketing services because WESCA does not impose liability where all parties to a communication give prior consent to its interception. Under Pennsylvania law, prior consent to wiretapping exists where the plaintiff “knew or should have known that the conversation is being recorded,” but “actual knowledge” is not required. NaviStone argued that the plaintiff gave implied consent to any interception because Harriet Carter’s privacy policy disclosed the sharing of personal information with third parties. The plaintiff argued that she had neither read the privacy policy nor agreed to its terms, and she challenged whether the privacy policy was actually in place at the relevant time.

Because the district court granted summary judgment on other grounds without reaching the issue of consent, the court remanded that issue for further proceedings as to whether Harriet Carter had a privacy policy in place that adequately alerted a reasonable person to the data sharing with NaviStone.

CONCLUSION

Many consumer-facing businesses have websites that rely upon third-party coding, like NaviStone’s, to enable digital advertising and to deliver a tailored experience to their customers. Under the new Popa decision, those third-party marketing services cannot rely on a direct recipient exception to WESCA liability, and they are potentially subject to the statute’s reach based on the location of the plaintiff’s website browser, even if they received allegedly intercepted communications outside of Pennsylvania.

The Third Circuit’s narrow interpretation of a common exception to wiretapping liability and its broad interpretation of where interception occurs under WESCA highlight the importance of all-party consent under WESCA and other potential exceptions or defenses to alleged liability. For example, the Third Circuit’s decision assumed, but did not address, whether the JavaScript code used on Harriet Carter’s website constituted a “device” under WESCA, because the issue was not before the court. Similarly, in a marketplace where a variety of online data sharing technologies exist, defendants may have strong arguments under WESCA that certain code or software applications do not acquire the “contents” of electronic communications, as required for the statute to apply.

In addition, given the prevalence of third-party data sharing and the availability of liquidated damages under WESCA, the district court’s pending ruling on whether the plaintiff’s prior consent to interception should be implied through privacy policy disclosures may affect future wiretap cases brought under Pennsylvania law.

As the Popa remand proceeds, the case is a good reminder for website operators, digital marketers, and their partners to review their online marketing practices, privacy disclosures, contractual terms, buy-flow processes, and consent mechanisms and reevaluate how easily they could demonstrate consent to third-party data sharing at an early stage of litigation if faced with a putative class action under WESCA or other similar wiretapping laws.

CONTACTS

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Chicago
Elizabeth B. Herrington

Philadelphia
Gregory T. Parks
Ezra D. Church
Kristin M. Hadgis

Los Angeles
Joseph Duffy

Miami
Brian M. Ercole 

Washington, DC
Dr. Axel Spies