October 16, 2021

Volume XI, Number 289


Another Court Dismisses Session Replay Software Litigation Based on Disclosures in Privacy Policy

While session replay software litigation was the hottest development in data privacy litigation earlier this year, yet another court has rejected such a theory of liability—making it even more likely that this trend has already peaked.  In this instance, the U.S. District Court for the Northern District of California ruled (for the second time) that a user who accepted the website’s Privacy Policy had consented to have his information collected.  Javier v. Assurance IQ, No. 20-cv-02860, 2021 U.S. Dist. LEXIS 158236 (N.D. Cal. Aug. 6, 2021).

Recall that session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences.  Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a website or within a mobile application or web application.  Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.  Creative plaintiffs’ lawyers have filed dozens of putative class actions this year alleging that a website operator’s use of session replay software violates certain state wiretap acts—including those of California and Florida.  This is because a minority of states have all-party consent wiretap laws (requiring all parties to a conversation or interaction to consent to a recording).  Plaintiffs in these cases have alleged that because they did not affirmatively consent to the defendant’s use of the session replay software, the website operator has violated the applicable state’s wiretap law.

Here, in Javier, the plaintiff alleged violations of the California Invasion of Privacy Act and the California Constitution based on the defendants’ alleged recording of user actions and collection of information from one of its websites.  The defendant, a platform that uses data analytics to connect individual consumers with personalized insurance plans based on their particular needs and budgets, allowed potential consumers to seek a quote through the website. Once a person had entered the preliminary basic information, he or she was prompted to click a button saying “View My Quote.” On the bottom of that web page was a notice, including a hyperlink, stating, “By clicking ‘View My Quote’ I indicate my intent to agree to th[e] website’s Privacy Policy.” The Privacy Policy, in turn, stated that Assurance IQ would collect the content and personal information of individuals who sought quotes, which could include personal and family health information, and information about how the user viewed content or engaged with the website.

In March, the Court granted Defendants’ motion to dismiss the first amended complaint, with leave to amend, concluding Plaintiff consented to the conduct about which he complained.  Unfortunately for Plaintiff, his complaint fared no better upon repleading.  The Northern District, in granting Assurance IQ’s motion to dismiss, reiterated what has become an oft-cited mantra: where the plaintiff has “sufficient notice” of the privacy policy, and sufficient notice that clicking “View My Quote” would indicate his acceptance of the Privacy Policy, he had given his consent to the collection of the information.  It is, however, not an all-or-nothing situation.  The Court held that the consent only applies to the actions disclosed in the Policy (in this instance, the Court found that the alleged collection of information fell within the activities described in the Policy, although one might imagine circumstances in which this was not the case).

Based on the principle that “consent is generally limited to the specific conduct authorized,” this ruling may encourage website hosts and online entities to write their policies as broadly as possible to give themselves legroom to argue that their visitors had consented.  For more on this, stay tuned—CPW will be there to keep you in the loop.

© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 250

About this Author

Elizabeth Helpling, Columbus, Ohio, Litigation Liability Associate Attorney, Squire Patton Boggs
Associate

Elizabeth P. Helpling is a member of the Litigation Practice, where her practice focuses on complex and general litigation matters, including commercial liability matters, alternative dispute resolution and insurance litigation. She is also a member of the Judicial Release Coalition, and her pro bono work focuses on criminal justice reform and advocacy.

614 365 2821
Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

216-479-8070