How Buying Pet Stairs Led to a Class Action Lawsuit over Wiretapping
Since the Commonwealth of Pennsylvania does not have a comprehensive consumer data privacy statute, it relies on a patchwork of other statutes and regulations to protect its citizens’ data from unwanted access, collection and use. Among them, Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, 18 Pa. C.S. § 5701 et seq. (WESCA) is at the center of a recent decision arising from a third-party marketing company’s surreptitious interception of a consumer’s communications while she was shopping online.
Plaintiff Ashley Popa navigated her way to the Harriet Carter Gifts website on her iPhone to shop for pet stairs. Popa eventually added a set to her cart and started but did not complete the checkout process. As she clicked through the website, Popa’s browser unsurprisingly communicated with Harriet Carter, but it also surreptitiously interacted with NaviStone, a third-party marketing service engaged by Harriet Carter. Popa left the Harriet Carter website without buying anything, but not before NaviStone sent a “OneTag” code to her browser allowing it to collect, among other things, pages Popa visited when she entered her email address and items she added to her cart.
Popa filed a lawsuit in the Western District of Pennsylvania asserting that Harriet Carter and NaviStone violated WESCA and common law invasion of privacy. (On appeal, the Third Circuit recognized that WESCA provides a private right of action for individuals, meaning that consumers can file lawsuits for purported violations without the need for waiting for government or regulatory action.) The District Court quickly disposed of the invasion of privacy claim and later granted summary judgment in favor of the defendants on the WESCA claim. Popa appealed the dismissal of her WESCA claim to the Third Circuit.
Third Circuit Appeal
The Third Circuit rejected defendants’ primary argument that Pennsylvania courts have excluded direct recipients of communications from WESCA culpability. In doing so, it noted that the holdings of the criminal suppression cases that the defendants relied on were later codified in amendments to WESCA, which shielded law enforcement officers from liability for interceptions when they are or posing as an “intended recipient.” It was noted that the Pennsylvania Legislature had the opportunity, but passed on adopting more expansive language defining intended recipients.
The Third Circuit found that the Pennsylvania Supreme Court would determine that WESCA does not include a broad direct-party exception and that the defendants could not avoid liability because Popa’s browser “unknowingly communicated directly with NaviStone’s servers.” In a broader context, in footnote 6, the Third Circuit acknowledged that this contradicts its holdings in cases brought under the Federal Wiretap Act, which has an expressed direct-party exception. For instance, in In re Google Inc. Cookie Placement Consumer Privacy Litigation and In re Nickelodeon Consumer Privacy Litigation, the claimants’ browsers sent GET requests directly to the defendants converting them to parties to the communication under the Federal Wiretap Act.
The Third Circuit then turned its attention to determining where NaviStone intercepted Popa’s communications, a critical question here because WESCA does not apply to conduct completely outside Pennsylvania. In other words, if the intercept occurred in Virginia, where NaviStone’s servers are located, then a court would have to conduct a choice-of-law analysis to determine if WESCA applied. The Third Circuit found that NaviStone’s intercept occurred at Popa’s browser, not where NaviStone routed the communications. Although the parties assumed the intercept occurred in Pennsylvania, the Third Circuit found no support in the record to identify where Popa’s browser met Harrier Carter’s website and where NaviStone’s code started directing her browser to communicate with its servers.
The Third Circuit remanded the case back to the District Court to determine whether there is a genuine issue of material fact about where the interception occurred.
The Popa opinion underscores the need for Pennsylvania businesses and digital marketing firms providing services in the Commonwealth to obtain consent from consumers prior to collecting their data or installing cookies on a browser. It also emphasizes that courts will give broad meaning to what “interception” of a communication is under WESCA. In doing so, this could create precedent for similar cases before the court until a comprehensive data privacy law is enacted in the Commonwealth of Pennsylvania.