Third Circuit Gives Pennsylvania Consumers New Footing for Internet Tracking Claims
In a recent decision,[1] the Third Circuit Court of Appeals breathed new life into Pennsylvania consumer claims that the practice of tracking a customer’s movements on a company’s website violates Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA).[2] WESCA makes it unlawful to intentionally intercept any wire, electronic, or oral communication.[3] For years, Pennsylvania courts applied a “direct party” exception to WESCA, finding that a party who directly receives a communication does not “intercept” it. This limited the scope of potential claims under WESCA, which provides a direct cause of action for consumers.[4]
In Popa v. Harriet Carter Gifts, Inc., however, the Third Circuit determined that subsequent revisions to WESCA significantly curtailed this exception. In 2012, in an apparent effort to codify the direct party exception as related to police investigations, the Pennsylvania General Assembly revised the definition of “intercept” in WESCA to exclude any communications directly received by law enforcement, so long as law enforcement meets certain criteria.[5] Under the Third Circuit’s interpretation, the 2012 revisions limited the direct party exception to only those circumstances described in the statute—that is, direct communications to law enforcement that otherwise meet certain criteria.
Not surprisingly, numerous class actions quickly followed the Popa decision, each alleging that companies violated WESCA by tracking the plaintiffs’ activities on the companies’ websites. However, the Popa decision still leaves certain questions unanswered. First, the Third Circuit’s decision is based on its presumption about how the Pennsylvania Supreme Court would interpret WESCA and the revised definition of “intercept.” If the Pennsylvania Supreme Court has occasion to consider this question, it could effectively overrule Popa if it interprets WESCA differently. Plaintiffs will likely try to avoid this by primarily filing suit in federal district courts in Pennsylvania, which remain bound by the Popa decision until further notice. However, a question could be certified to the Pennsylvania Supreme Court asking it to weigh in on the interpretation of the revised version of WESCA.
Second, WESCA still contains various other defenses for defendants, including the potential defense that consumers give implied consent to tracking by visiting websites with accessible privacy policies that inform visitors of the tracking. Because the Third Circuit declined to resolve this question, companies should closely review their policies—both terms and conditions, as well as privacy—to ensure that, to the degree applicable, they clearly state the manners in which visitors’ information may be collected and aggregated by the company or third parties. Opt-ins can also be used for consumers to consent to these terms, and by continuing to browse the website, visitors consent to this collection.
Third, identifying the point when an interception occurs could give rise to jurisdictional arguments. In Popa, the Third Circuit determined that the interception occurred when the plaintiff’s browser, situated in Pennsylvania, delivered information that was routed to the defendants’ servers out of state. The Third Circuit, therefore, held that Pennsylvania courts had jurisdiction. This interpretation seemingly would exclude anyone from a potential class who accessed a website from outside of Pennsylvania. On the other hand, in today’s highly mobile society, when people typically access websites on their smartphones, the Popa court’s interpretation could also raise a host of jurisdictional complications, as well as constitutional concerns, such as implications for the Dormant Commerce Clause.[6]
The Popa decision represents a significant shift in applying WESCA, and while potential defenses are available, unanswered questions remain. What is clear, however, is that companies should anticipate the potential for these claims and take steps to prepare. In addition to reviewing their privacy policies and terms and conditions, companies should consider reviewing their agreements with website managers and software or marketing providers to determine if the agreements include indemnification.
[1] Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
[2] 18 Pa.C.S. § 5701-5782.
[3] 18 Pa.C.S. § 5703(1).
[4] See, e.g., Commonwealth v. Proetto, 771 A.2d 823 (Pa. Super. Ct. 2001); Commonwealth v. Cruttenden, 58 A.3d 95 (Pa. 2012).
[5] Specifically, the definition excludes direct communications to law enforcement “where the investigative or law enforcement officer poses as an actual person who is the intended recipient of the communication, provided that the Attorney General, a deputy attorney general designated in writing by the Attorney General, a district attorney or an assistant district attorney designated in writing by a district attorney of the county wherein the investigative or law enforcement officer is to receive or make the communication has reviewed the facts and is satisfied that the communication involves suspected criminal activities and has given prior approval for the communication.” 18 Pa.C.S. § 5702.
[6] The defendants in Popa, in fact, submitted a letter to the court on 23 September 2022 in connection with their petition for a rehearing, indicating that the court’s extension of liability under WESCA to any website that can be accessed in Pennsylvania has led to a spike in lawsuits by plaintiffs who otherwise “have no nexus to the Commonwealth.” See https://www.law360.com/articles/1533666/attachments/0.