Website Operators Should Take Steps to Mitigate Risk of Session Replay and Chatbot Technology Litigation

Recently, there has been a wave of consumer privacy class action litigation against website operators alleging privacy violations around the use of session replay and chatbot technology.

Remarkably, no specific legislative change triggered this increase. Instead, the rise follows recent court decisions holding businesses liable under state wiretap and eavesdropping laws for their use of third-party operated session replay and chat window technologies.

Following these court decisions, enterprising plaintiffs’ attorneys – fueled by the prospect of recovering significant statutory damages – have sought to repurpose decades-old wiretapping and eavesdropping statutes, such as the California Invasion of Privacy Act (“CIPA”) and similar statutes in Massachusetts and other states, to generate claims arising from the use of such technologies, which are commonly deployed to improve the customer experience. These tools capture user-submitted content and conversations on businesses’ webpages, which plaintiffs assert constitutes unlawful wiretapping and eavesdropping.

Significantly, because CIPA contains an exemption for direct party liability — meaning a party cannot wiretap or eavesdrop on its own conversation — liability for aiding and abetting wiretapping is driving plaintiffs’ successes in court. Under this theory, litigants assert that when businesses deploy third-party session replay and chatbot technologies, they are aiding and abetting the technology provider’s unlawful wiretapping and eavesdropping.

In particular, litigants are pursuing claims under Section 631 of CIPA, which prohibits “wiretapping,” specifically: “Any person who… intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument . . .; or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit or passing over any wire, line, or cable or is being sent from, or received at any place within this state.” Section 631 also imposes liability on any person “who aids, agrees with, employs, or conspires with any person” who violates the wiretapping prohibition.

Courts addressing Section 631 claims have identified potential liability under any of four theories: (1) intentional wiretapping; (2) willfully reading or attempting to read the contents of any messaging over wire; (3) attempting to use or communicate information obtained as a result of either of those two things; or (4) aiding or abetting someone in violation of the prior three bases for liability.

What can businesses do to reduce the risk of litigation?

Courts have yet to settle on a predictable set of factors to determine liability under laws such as CIPA. However, there are common threads in judicial decisions which help inform how businesses can reduce their profile as potential targets of class-action litigation.

For instance, when deploying third-party chatbots on websites, businesses should consider beginning each dialogue with a disclosure informing the customer that the bot is operated by a third party, and that the chat may be recorded.

Similarly, when using session replay or similar technologies (such as keystroking), businesses should consider deploying pop-up disclosures or consent buttons at the bottom of the webpage – appearing as soon as a user enters the site – indicating that customer interactions will be monitored and recorded by third-party technology providers. Such disclosures, if done correctly, may allow businesses to defend against and warn off litigation based on consumer notice and consent.

Additionally, to the extent feasible, companies should minimize the amount of customer information third-party providers collect through session replay and chatbot technologies, and ensure that agreements with such third parties make clear that those providers capture information solely on behalf of the business. Doing so may encourage courts to view third-party technology providers as mere agents of the website operator, allowing businesses to benefit from the direct party exemption.

While such measures may eventually prove unnecessary as wiretap and eavesdropping cases play out in the courts, for the time being they can help businesses avoid the immense cost being foisted upon defendants through the current wave of class action litigation.

For more detail about class action litigation under CIPA and other state wiretapping laws, please see our June 8, 2023 alert: California Invasion of Privacy Act (CIPA) Decisions Continue to Create Uncertainty for Websites Using Third-Party Technology.