The case of Popa v. Harriet Carter Gifts, Inc. “began with a quest for pet stairs.” Plaintiff Ashley Popa searched Harriet Carter Gifts’ website, added pet stairs to her cart, but never completed the purchase. During her “quest,” Popa’s information was collected not only by Harriet Carter Gifts, but also by a third-party marketing company, NaviStone, using cookies technology. In an opinion with potentially far-reaching ramifications, the Third Circuit held that NaviStone’s collection of Popa’s information violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA). This decision follows the Ninth Circuit’s lead in reviving similar claims brought pursuant to the California Invasion of Privacy Act that were initially dismissed on the basis that retroactive consent was not valid. In both cases, however, there remains a question as to whether the consumers impliedly consented to the collection of their browsing information as a result of disclosures in the website operators’ privacy policies.

Background of Litigation

Like many other states’ wiretapping laws, WESCA “prohibits the interception of wire, electronic, or oral communications, which means it is unlawful to acquire those communications using a device.” It also provides a private right of action for individuals to bring suit against parties for such unlawful interception.

While Popa was on the Harriet Carter website browsing for pet stairs, Popa’s browser communicated with servers operated by Harriet Carter Gifts. And, as part of the online marketing services NaviStone provides to Harriet Carter Gifts, Popa’s website also communicated with servers operated by NaviStone. This interaction allowed NaviStone to place a tracking cookie on Popa’s device. The cookie, in turn, allowed NaviStone to collect information about how Popa interacted with the Harriet Carter website to enable Navistone to show Popa personalized advertisements across the web.

Popa filed a class action lawsuit against Harriet Carter and NaviStone, claiming that Harriet Carter and NaviStone used tracking technology without her knowledge or consent in violation of WESCA. The district court granted summary judgment in favor of Harriet Carter and NaviStone on the WESCA violation claim, holding that NaviStone could not have “intercepted” Popa’s communications because NaviStone was a “party” to the “electronic conversation,” or alternatively, that if any interception did occur, such interception occurred outside Pennsylvania’s borders, and thus WESCA did not apply.

On appeal, the U.S. Court of Appeals for the Third Circuit ruled Harriet Carter and NaviStone could be held liable for violating WESCA if they deployed software and tracking cookies to collect data about a website visitor’s behavior without the visitor’s consent. While questions remain regarding whether Harriet Carter’s website had a posted privacy policy during Popa’s visit, and whether that privacy policy was sufficient to imply consent, numerous class actions have already been filed under similar theories. Because the district court did not address the implied consent argument in its summary judgment order, the Third Circuit declined to address it in the first instance and instead remanded the case to the trial court for further proceedings. The question will now become whether, under Pennsylvania law, Popa “knew or should have known[] that the conversation was being recorded” as a result of the website’s privacy policy such that she impliedly consented to the recording.

Takeaways

This ruling highlights the importance of obtaining consent from website visitors before collecting their data. It also underscores the need for retailers and digital marketers to be aware of and comply with state and federal laws related to electronic communications and data collection.

The decision also has practical implications for companies and digital marketing service providers engaged in the “passive collection” of consumer data in which background technologies collect a consumer’s information without the consumer affirmatively providing that information. The Third Circuit’s broad interpretation of the “interception” of a communication and narrow interpretation of the exceptions to liability under WESCA may increase the risks to companies and service providers that use these tracking technologies in Pennsylvania or states with similar wiretapping or privacy laws.

To mitigate these risks, companies should carefully review their online marketing practices, website operations, privacy disclosures, and consent mechanisms to ensure compliance with state and federal laws related to electronic communications, data privacy, and data collection. Providing clear and transparent privacy notices that disclose how these background communications work and who receives them may help to establish an implied consent defense to WESCA claims. However, the exact elements or standards required to obtain implied consent are currently unclear. Nonetheless, prior express consent from all parties is another clear defense to WESCA and other state wiretap claims.