August 17, 2022

Third Circuit Ruling in Wiretap Case May Bring Greater Scrutiny to Privacy Policy Disclosures

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

Key Takeaways

  • In response to NaviStone’s “parade of horribles” argument, the Third Circuit noted that its ruling does not necessarily foreclose websites’ usage of cookies or third party marketing companies.

In a class action with potentially significant impact on data sharing disclosures that companies routinely provide in online privacy policies, the Third Circuit recently ruled that NaviStone, a third party marketing service, was not a "direct party" under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA) and thus was potentially subject to liquidated damages under that statute for intercepting communications between the plaintiff and the website she had visited.  The interplay between the Third Circuit's ruling and the potential impact on privacy policy disclosures require some technical background, which we have done our best to summarize.

The plaintiff in Popa v. Harriet Carter Gifts had visited the Harriet Carter Gifts website and begun the process for completing an online purchase of cat stairs.  As occurs during many website interactions, Harriet Carter Gifts sent HTML code to the plaintiff's browser that caused the plaintiff's browser to simultaneously send a GET request to NaviStone.  When it received the GET Request, NaviStone sent code to plaintiff's browser that enabled the installation of a cookie which both identified the browser and tracked plaintiff's activity on the Harriet Carter website.  This communication stream also enabled NaviStone to facilitate targeted advertising to plaintiff.  The lawsuit alleged that the HTML code re-routing electronic communications to NaviStone constituted an illegal interception under Pennsylvania's wiretap law. The district court granted summary judgment against plaintiff, but the Third Circuit reversed.

The Third Circuit's analysis focused on whether NaviStone was a "direct party" to the communications between Harriet Carter and plaintiff, which is an exception recognized by the Federal Wiretap Law as well as the wiretap laws of other states.  Pennsylvania had previously adopted a similar exemption, but did so in the context of law enforcement investigations where police officers had masqueraded as intended recipients of communications.  The Third Circuit ruled that this was the only scenario under which WESCA recognized a direct party exception.  Critical to the Court's determination that Pennsylvania's direct party exception was limited to law enforcement was a 2012 amendment to the law that expressly revised the law's definition of "intercept" to exclude monitoring by law enforcement masquerading as third parties.  Under rules of statutory construction, the Court held that this express limitation foreclosed broader exceptions, thus limiting the scope of the direct party exception.  In other words, only law enforcement officers, under the expressly identified scenarios set forth in WESCA, can avail themselves of the direct party exception.

The Third Circuit's analysis did not end there, however.  The Court also considered - and rejected - NaviStone's contention that the interception occurred in Virginia, where the defendant was located, finding instead that the interception occurred at the point where the communication was re-routed to NaviStone, which occurred on plaintiff's browser.  This ruling thus disposed of NaviStone's argument that WESCA could not regulate commerce that occurred wholly outside the Commonwealth.   

In response to NaviStone's "parade of horribles" argument, the Third Circuit noted that its ruling does not necessarily foreclose websites' usage of cookies or third party marketing companies.  In particular, the Court noted that WESCA provides an all-party consent exception whereby a interception is permissible if all parties to the communication consent.   Which leads to perhaps the key question: did plaintiff consent to NaviStone's interception of her electronic communications?

NaviStone argued that the Harriet Carter privacy policy disclosed the sharing of personal information with third parties and thus plaintiff impliedly consented to the interception of her communications by NaviStone.  Pennsylvania, like many states, recognizes that prior consent to wiretapping "can be demonstrated when the person being recorded knew or should have known[] that the conversation is being recorded."  Plaintiff argued that she had neither read the privacy policy nor agreed to its terms.  The Third Circuit ultimately declined to rule on this, remanding the issue to the District Court for further consideration.

The District Court's pending ruling on whether prior consent can be implied through privacy policy disclosures may have a significant impact on future wiretap cases.  Thousands of U.S. websites are configured with third party code, such as NaviStone's, to enable digital advertising.  Thirty-eight (38) states, in addition to the District of Columbia, have a wiretap law, and many such laws contain liquidated damages provisions of  $1,000 (or more) per violation.   Eleven (11) states require all-party consent to the recording of conversations. Whether all-party consent can be inferred through the posting of a privacy policy that discloses third party sharing of electronic communications will therefore be a closely watched issue by plaintiff's attorneys, digital marketers and other third parties that obtain personally identifiable information through cookies and third party data sharing.  Any ruling that does not clearly embrace a broad reading of prior consent may lead to increased wiretap litigation in states with wiretap laws like Pennsylvania.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Ballard Spahr

New York Restricts Automated Decision Making in Employment

By Timothy Dickens Ballard Spahr August 29 , 2022

Businesses operating in New York City should be aware of a local law addressing the use of automated employment screening and decision-making tools coming into effect on January 1, 2023.

Status Update: Federal Contractor Vaccine Mandate Injunction Narrowed

By Lila A. Sevener Ballard Spahr August 29 , 2022

On August 26, 2022, the United States Court of Appeals for the Eleventh Circuit narrowed the nationwide injunction of Executive Order 14042, which requires federal contractors and employees who work on or in connection with a covered federal contract, or share a workplace with another employee who works on or in connection with such contracts, to be fully vaccinated against COVID-19.

Unions Cannot Force OSHA to Issue Permanent COVID Standard

By Shannon D. Farmer Ballard Spahr August 26 , 2022

On August 26, 2022, the U.S. Court of Appeals for the District of Columbia Circuit turned back efforts by a group of unions seeking to force the Occupational Safety and Health Administration (OSHA) to quickly issue a permanent rule establishing protections for healthcare workers from COVID-19.

More From Privacy

5 Trends to Watch: 2023 Venture Capital

By Chinh H. Pham Greenberg Traurig January 20 , 2023

The current macroeconomic environment, coupled with record increases in valuations over the last several years, is creating an increase in down-rounds, re-pricings, and recapitalizations.

5 Trends to Watch: 2023 Hospitality

By Samantha Ahuja Greenberg Traurig January 18 , 2023

For many hotels, the pandemic exacerbated the challenges of finding enough qualified workers to fill jobs.

Cookies and Other Tracking Technologies May Violate HIPAA

By Karin E. Ross Greenberg Traurig January 18 , 2023

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

Featured Stories