Developments and Trends in Privacy Law: A Look at BIPA and Wiretapping Litigation

Tuesday, May 7, 2024
02:00 PM - 03:00 PM Eastern Daylight Time
01:00 PM - 02:00 PM Central Daylight Time
11:00 AM - 12:00 PM Pacific Daylight Time

We will cover the latest developments under the Biometric Information Privacy Act (BIPA) and the recent wave of wiretapping class actions and arbitrations against website operators and third-party analytics companies, offering key takeaways and best practices to mitigate risk.

Key Takeaways

Originally created to address the surreptitious recording of phone calls or the use of eavesdropping devices, wiretap acts prohibit the interception of communications without consent. With the advancement of communications technologies, some legislation has been updated to address electronic methods, such as emails or texts.

The top three laws driving the most recent wave of litigation include the following:

  • The California Invasion of Privacy Act
  • The Florida Security of Communications Act
  • The Pennsylvania Wiretapping and Electronic Surveillance Control Act

Plaintiffs are focused on states that enforce “all-party consent” states, primarily California, Pennsylvania, Massachusetts, and Florida, with lawsuits targeting both website operators and digital marketers—sometimes third-party vendors that engage with website operators are pulled in as well. These lawsuits carry with them steep potential penalties, ranging from $1,000–$10,000 per violation.

A recent wave of class actions alleges “wiretapping” through the following technologies:

  • Session replay technology: The tracking of user activity on websites through keystrokes and mouse movements to study how consumers interact with the website
  • Chatbots: Conversations between consumers and a “virtual assistant” via instant messages on websites
  • Tracking pixels: Small files used by some social media sites to collect information about how users interact with a website
  • Pen registers/trap and trace devices: Litigation targets the alleged collection of identifying information about the user
  • Cookie rejections: Litigation challenges alleged failure to honor a user’s rejection of cookies

Best Practices to Mitigate Risk

Regarding privacy policies, check disclosures for the following:

  • Does it include a reference to online chats/session replay/pixels and related technologies as a source of collection?
  • Does it accurately reflect the uses and disclosures of the information collected?
  • Is it linked in the buy-flow process or in a cookie banner on the landing page?

Regarding chatbots or live chats, check disclosures for the following:

  • Does it inform the consumer that the chat will be recorded and/or personal information will be collected?
  • Does it appear above/prior to the field that collects the personal information?
  • Are there links to the Privacy Policy and Terms (particularly if there’s an arbitration clause)?

Check disclosures for the following regarding cookies:

  • Is the use of cookies consistent with the disclosures in the cookie banner?
  • Are rejection requests consistently being honored with those disclosures?
  • Is there a process in place to monitor for any potential issues that might arise?
  • Who has authority to place new cookies on the site, and who ensures that the placement complies with the cookie disclosures and rejection options?

Additionally, check vendor contracts to know whether there are indemnification clauses that could be invoked.

CLE credit: CLE credit in CA, IL, NY, PA, TX, VA, and WA is currently pending approval; CT, FL, and NJ (via reciprocity).