End Days For Session Replay Software Litigation: Another Case Bites the Dust
Since this summer CPW has declared session replay software litigation predicated on violation of state wiretap statutes as dead in the water. Judges apparently agree. Earlier this month yet another court kicked to the curb a session replay software dispute that asserted violations of Florida’s wiretap law, the Florida Security of Communications Act (“FSCA”). Goldstein v. Costco Wholesale Corp., 2021 U.S. Dist. LEXIS 170815 (S.D. Fla. Sep. 9, 2021). Read on to learn more.
In Goldstein, as succinctly summarized by the Court:
This action joins a flurry of virtually identical cases wherein creative class action litigants have seized on a novel reading of Florida’s decades-old wiretapping statute, the [FSCA], to attack the use of so-called session replay software on commercial websites. The FSCA provides a cause of action against parties that intercept or use private communications without the speaker’s consent. Fla. Stat. §§ 934.10(1)(a), (d). Plaintiff alleges that Defendant violated the FSCA by using session replay software to record Plaintiff’s mouse clicks and other commands on Defendant’s website.
Defendant moved to dismiss the case for failure to plead a cognizable claim. The Court agreed, dismissing the Complaint in its totality.
As an initial matter, the Court noted that “Courts may not rewrite statutes to change with the times . . . Rather, the Court must take the law as it is and apply it faithfully to new facts as they arise. Here, Plaintiff asks the Court to rewrite Florida’s wiretapping law in the face of changing technology.” The Court rejected Plaintiff’s invitation. This was because “[t]he relevant terms of the FSCA must be construed in a manner consistent with their plain meaning and context.”
The Court’s analysis started with the FSCA’s plain language. The FSCA includes the following provisions as relevant to Plaintiff’s claims:
Section 934.03(1)(a) of the FSCA prohibits “[i]ntentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication”.
Similarly, Section 934.03(1)(d) of the FSCA prohibits “[i]ntentionally us[ing], or endeavor[ing] to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of [the FSCA].”
Insofar as definitions of terms used in the FSCA are concerned, “intercept” means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Fla. Stat. § 934.02(3).
And finally, “contents” as used in the FSCA encompasses “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7).
In the Complaint, Plaintiff asserted that Defendant intercepted the substance of his communications with Defendant’s website which included: (1) his movements on the website (mouse clicks, scroll movements, and page/content viewed) and (2) information voluntarily input (keystrokes, search terms, cut and paste actions, etc.).
The Court flatly rejected these allegations as falling within the purview of the FSCA. This was because, the Court found, “these actions did not convey the substance of any communication.” Instead, at best, this “mere tracking of Plaintiff’s movements on Defendant’s website is the cyber analog to record information Defendant could have obtained through a security camera at a brick-and-mortar store.”
Indeed, the text of the FSCA supported the Court’s ruling. The FSCA explicitly excludes “[a]ny communication from an electronic or mechanical device which permits the tracking of the movement of a person or an object.” Fla. Stat. § 934.02(12)(c). While the Court recognized that “the tracking in this case is virtual rather than physical, . . . . the plain language of the statute exempts the sort of tracking that triggered this action.”
To put it simply: “Defendant’s recordings of Plaintiff’s purported communications contained no substance. No substance means no contents, no contents means no interception, and no interception means no FSCA violation.”
A defining attribute of many data privacy and cybersecurity litigation is that plaintiff’s statutory and common law theories of liability (CCPA and BIPA, among other notable exceptions aside) predated the development of the technologies and business practices that are now routinely challenged in court. In this case, the Court got it right. The legislative history of the FSCA made clear it was geared towards addressing concerns not implicated by the use of session replay software litigation. A business monitoring mouse clicks on its own website is hardly the same, for instance, as a third-party intercepting a private telephone conversation. However, that’s not to say data privacy plaintiffs won’t come up with another novel legal theory next week challenging the same practices at issue in this case. Not to worry-CPW will be there to keep you in the loop. Stay tuned.