Is your website violating California's Wiretap Act?

Retailers, financial services firms, and many other companies utilize third party session replay software to maintain a record of interactions with visitors to their websites for a variety of useful purposes, including to document consent,  prevent fraud, general compliance, and marketing purposes. However, a number of lawsuits have been filed alleging that the use of session replay software constitutes a surreptitious intercept of the consumer’s communications with the website in violation of California Penal Code § 631, a provision of the California Invasion of Privacy Act often referred as the Wiretap Law.

Section 631(a) provides a private right of action against anyone who “by means of any machine, instrument, or contrivance, … intentionally taps, … or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit….”^[1] The statute makes similarly liable anyone who aids or abets an unlawful intercept. The courts have made clear, however, that § 631(a) includes an “intended recipient” or “party” exception, such that a party to a communication cannot be liable under the Act for “intercepting” a message that was intended for that party. “Only a third party can listen to a conversation secretly.”^[2]

In a series of recent decisions, California federal courts have struggled to apply the Wiretap Law to the use of third party web-session recording software, diverging primarily on the issue of whether the software vendor is a third party interloper, subject to the law or, by virtue of standing in the shoes of the website operator, is a party to the communication who cannot be liable.

In Saleh v. Nike, Inc.^[3] and Yoon v. Lululemon USA, Inc., the courts held not only that the third party vendor could, in fact, be liable under § 631, but that the website operator who retained the service provider could be liable as an aider and abettor of the allegedly surreptitious interception. This seems to be an incorrect reading of the law.

In contrast, Graham v. Noom, Inc.,^[4] Johnson v. Blue Nile, Inc.,^[5] and Yale v. Clicktale, Inc.^[6] determined, consistent with the spirit and intent of the law to prevent third party intrusion into private communications, that the third party service provider “is an extension of” the website operator, and thus neither an unlawful interloper, nor the principle in an unlawful aiding and abetting scheme. 

The Ninth Circuit has not yet resolved the lower court split. A recent Ninth Circuit decision in Javier v. Assurance IQ, LLC reversed a trial court ruling that the consumer’s after-the-fact consent to the website’s privacy policy precluded a § 631(a) claim, but expressly did not address whether the plaintiff impliedly consented to the collection of data, whether the third party vendor is an extension of the website operator, or whether the website operator could be liable for aiding and abetting the collection of its users’ communications.^[7]

For more information regarding potential Wiretap Law exposure, please contact Dan Rockey or Merrit Jones.

[1] Pen. Code, § 631(a).  

[2] Graham v. Noom, Inc. (N.D. Cal. 2021) 533 F.Supp.3d 823, 831. 

[3] (N.D. Cal. 2021) 533 F.Supp.3d 823, 832–833. 

[4] (N.D. Cal., Apr. 8, 2021, No. 20-CV-08183-LB) 2021 WL 1312771, at *2.          

[5] (N.D. Cal., Apr. 15, 2021, No. 20-CV-07575-LB) 2021 WL 1428400, at *3.         

[6] Javier v. Assurance IQ, LLC (9th Cir., May 31, 2022, No. 21-16351) 2022 WL 1744107, at *1.