Are we about to have another summer of session replay software litigation? A unpublished ruling out yesterday from the Ninth Circuit Court of Appeals suggests so, at least insofar as claims under California law is concerned.

A short refresher: session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences.  Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application.  Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.

In 2021, plaintiffs lawyers filed dozens of putative class action litigations alleging that a website operator’s use of session replay software violates certain state wiretap acts—including those of California and Florida.  This is because a minority of states have all-party consent wiretap laws (requiring all parties to a conversation or interaction to consent to a recording).  Plaintiffs in these cases have alleged that because they did not affirmatively consent to the defendant’s use of the session replay software, the website operator has violated the applicable state’s wiretap law.

The plaintiff alleged violations of the California Invasion of Privacy Act and the California Constitution based on the defendants’ alleged recording of user actions and collection of information from one of its websites.  The defendant, a platform that uses data analytics to connect individual consumers with personalized insurance plans based on their particular needs and budgets, allowed potential consumers to seek a quote through the website. Once a person had entered the preliminary basic information, he or she was prompted to click a button saying “View My Quote.” On the bottom of that web page was a notice, including a hyperlink, stating, “By clicking ‘View My Quote’ I indicate my intent to agree to th[e] website’s Privacy Policy.” The Privacy Policy, in turn, stated that Assurance IQ would collect the content and personal information of individuals who sought quotes, which could include personal and family health information, and information about how the user viewed content or engaged with the website.

Although the district court had twice granted defendant’s motion to dismiss, yesterday the Ninth Circuit Court of Appeals reversed finding that plaintiff had sufficiently stated a claim under the California Invasion of Privacy Act (“CIPA”).  Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2021).  As an initial matter, the Ninth Circuit held that “[t]hough written in terms of wiretapping, Section 631(a) applies to Internet communications.”  This was because the statute broadly imposes liability on anyone who “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.” (quoting Cal. Penal Code § 631(a)) (emphasis supplied).

The Court was left with the question of how the California Supreme Court “would interpret Section 631(a) to require prior consent.”  Based on other rulings concerning the scope and application of CIPA, the Ninth Circuit held in this case that “the California Supreme Court would interpret Section 631(a) to require the “prior consent of all parties to a communication.”  This was based on the Court’s examination of relevant precedent as well as the California Supreme Court’s prior directive that “all CIPA provisions are to be interpreted in light of the broad privacy-protecting statutory purposes of CIPA.”

As such, in this case the Ninth Circuit held that Plaintiff “has sufficiently alleged that he did not provide express prior consent to [Defendant’s] wiretapping of his communications . . . [Plaintiff] has therefore alleged sufficient facts to plausibly state a claim that, under Section 631(a), his communications . . . were recorded . . .  without his valid express prior consent.”  However, the Court declined to rule on other arguments raised on appeal, including “whether [Plaintiff]  impliedly consented to the data collection.”  As other privacy pros are suggesting, this case suggests that a robust privacy policy may not be enough for an organization and it could open doors to organizations including an affirmative opt-in function going forward as a risk mitigation measure.

For more on this, and whether this ruling leads to a resurgence of session replay software claims (at least in California state and federal court), stay tuned.