Third-Party Website Tracking Could Trigger Pennsylvania's Wiretap Statute Protections: Third Circuit | Practical Law

Third-Party Website Tracking Could Trigger Pennsylvania's Wiretap Statute Protections: Third Circuit | Practical Law

In Popa v. Harriet Carter Gifts, Inc., the US Court of Appeals for the Third Circuit vacated the district court's grant of summary judgment for defendants in a case examining whether deploying third-party cookies to track website visitor behavior, and the exchange of information involved, is subject to the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA).

Third-Party Website Tracking Could Trigger Pennsylvania's Wiretap Statute Protections: Third Circuit

by Practical Law Data Privacy & Cybersecurity
Published on 20 Oct 2022Pennsylvania, USA (National/Federal)
In Popa v. Harriet Carter Gifts, Inc., the US Court of Appeals for the Third Circuit vacated the district court's grant of summary judgment for defendants in a case examining whether deploying third-party cookies to track website visitor behavior, and the exchange of information involved, is subject to the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA).
Update: On October 18, 2022, the US Court of Appeals for the Third Circuit granted Harriet Carter Gifts' petition for a rehearing, vacated its August 16, 2022 opinion, and filed an amended opinion that:
  • Upheld its original August 16, 2022 judgment.
  • Clarified issues raised in Harriet Carter's rehearing petition (see Box, Amended Opinion).
(Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. Aug. 16, 2022), reh'g granted, vacated by , and amended, superseded by, (3d Cir. Oct. 18, 2022).)
On August 16, 2022, in Popa v. Harriet Carter Gifts, Inc., the US Court of Appeals for the Third Circuit vacated the US District Court for the Western District of Pennsylvania's grant of summary judgment for defendants Harriet Carter Gifts, Inc. and NaviStone, Inc. (45 F.4th 687 (3d Cir. Aug. 16, 2022)). The Third Circuit noted that a retailer and its third-party digital marketer were not exempt from claims that they violated Pennsylvania's Wiretapping and Electronic Surveillance Control Act (18 Pa. C.S. §§ 5701 to 5782) (WESCA) simply because the plaintiff's website browser directly communicated with their servers.
Unless an exception applies, taking an action in Pennsylvania to acquire (intercept) an electronic communication with a device, in this case by deploying software and third-party website tracking cookies to send data about a website visitor's behavior to a third party's servers, triggers WESCA's application. Further, WESCA requires the consent of all parties to the communication, not just one party, to avoid liability for an interception.

Background

Ashley Popa is an individual consumer who visited Harriet Carter's online shop on her iPhone where she searched for items, added an item to her cart, provided her email address via a website pop-up window, and began (but did not complete) the checkout process before leaving the website.
During this online interaction, allegedly without Popa's knowledge, the Harriet Carter website directed Popa's browser to also communicate directly with servers operated by NaviStone, a third-party marketing service provider Harriet Carter hired. This interaction resulted in the placement of NaviStone's tracking cookie on her device. Harriet Carter used its communications with Popa's browser to display the relevant items and content that Popa directly requested and to place her selected items in her website shopping cart. NaviStone used its background communications with Popa's browser and the tracking cookie to collect information about how she interacted with the Harriet Carter website, including which pages she visited, when she provided her email address, and when she added an item to her cart. NaviStone could later use this type of information to identify which of Harriet Carter's customers to target for promotional mailings.
Popa sued Harriet Carter and NaviStone for WESCA violations and invasion of privacy for this use of NaviStone's tracking software technology. The district court dismissed the invasion of privacy claim and entered summary judgment in favor of Harriet Carter and NaviStone for the WESCA violation claim. Popa appealed the district court's grant of summary judgment for the WESCA violation claim.

Outcome

On appeal, the Third Circuit vacated the district court's order granting summary judgment for the WESCA claim and remanded the case to the district court, holding:
  • WESCA does not provide a direct-party liability exception for communications that a defendant received directly from the plaintiff, except for law enforcement activities under certain conditions. Consequently, the fact that Popa's browser directly communicated with NaviStone's servers would not exempt Harriet Carter and NaviStone from liability under WESCA for acquiring her browser communications through NaviStone's software and cookie. While this differs from the Federal Wiretap Act (18 U.S.C. § 2510 to 2523), which explicitly provides a direct-party exemption, WESCA operates as a supplement to the federal law and can provide greater, but not lesser protection.
  • NaviStone intercepted Popa's electronic communications with Harriet Carter at Popa's mobile phone browser when it routed those communications to its own servers. This makes the geographic location of Popa's phone during those communications the interception point. If further proceedings establish the interception point occurred in Pennsylvania, WESCA would apply to the interception.
  • It was unclear whether Popa provided implied consent for Harriet Carter to send her communications to a third-party company based on privacy policy disclosures allegedly provided on the website and factual disputes prevented the appellate court from considering this issue.
The Third Circuit further explained that WESCA prohibits the interception of wire, electronic, or oral communications and it broadly defines the term intercept to mean the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device. In other words, anyone who acquires an electronic communication, such as a text message or chat sent directly to them, intercepts it unless an exception under WESCA applies.
WESCA contains many exceptions but it does not expressly carve out liability for parties directly involved in the communication. The Third Circuit declined to read an exception for direct parties into the statute, reasoning:
  • Legislative amendments to WESCA that narrowly codified a direct-party exception for certain law enforcement interceptions that originated from previous state court decisions, and that also imposed additional conditions on the exception, meant that the legislature chose not to include exceptions for other direct parties or intended recipients within the statute's new definition of the term intercept.
  • WESCA differs from the Federal Wiretap Act, which expressly provides direct-party and one-party consent exceptions. The Pennsylvania legislature was aware of the Federal Wiretap Act when it amended WESCA and could have chosen to codify similar exceptions, but chose not to.
  • WESCA also expressly carves out from liability communications acquired where all parties provided prior consent. Reading in an exception for direct recipients that does not require all parties' consent conflicts with and undercuts the exceptions actually included by the Pennsylvania legislature.
In analyzing whether Harriet Carter and NaviStone are liable under WESCA, open questions remaining for the district court to assess include whether:
  • The interception of Popa's communications occurred in Pennsylvania (and whether WESCA would apply).
  • Harriet Carter posted a website privacy policy that sufficiently alerted Popa that NaviStone was receiving her communications (and whether Harriet Carter could demonstrate implied consent to meet the WESCA all parties' consent exception).

Practical Implications

Many online tracking technologies rely on software or coding that runs in the background and causes a user's browser to send electronic information to third parties, such as user activity and device attributes. The Third Circuit's broad interpretation of when someone intercepts a communication and narrow interpretation of WESCA's liability exceptions may increase the risks that companies and marketing technology service providers face when using these tracking technologies in Pennsylvania or other states with similar wiretapping or electronic communications privacy laws.
Notably, the decision left open the possibility that prominent, clear, and transparent privacy notices disclosing how these background communications work and who receives them could provide website operators and their partners with an implied consent defense to WESCA claims. However, the exact elements or standards required to obtain implied consent remains unclear.
Prior express consent from all parties also provides businesses with a clear defense to WESCA and other state wiretap claims. Companies should take a hard look at their online marketing practices, website operations, privacy disclosures, and consent mechanisms to better understand and mitigate potential risks before deploying tracking technologies that could trigger state wiretapping laws.

Amended Opinion

On October 18, 2022, the Third Circuit addressed Harriet Carter's petition for rehearing by vacating and amending its original opinion, however the amended opinion did not change the court's ultimate judgment (Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. Aug. 16, 2022), reh'g granted, vacated by , and amended, superseded by, (3d Cir. Oct. 18, 2022)).
Harriet Carter's rehearing petition argued that the WESCA legislative amendments, which narrowly codified a direct-party exception for certain law enforcement interceptions, should also apply to other exchanges involving direct parties or intended recipients. It based this argument on a criminal suppression case regarding text messages between two consenting individuals, one of whom forwarded the messages to law enforcement after the exchange ended (Commonwealth v. Diego, 119 A. 3d 370 (Pa. Super. Ct. 2015)).
The court rejected Harriet Carter's argument, distinguishing the facts in Diego from the website visitor behavior tracking present in this case. The court noted that the text message exchange at issue in Diego involved a consented intercept where the parties mutually knew or should have known the conversation was recorded, so it did not establish a broad direct-party exception to WESCA. It also noted that the conduct in Diego was not similar to the type of surreptitious tracking that occurred through Harriet Carter's website. The court re-affirmed that WESCA does not contain a general direct-party exception and confirmed its August 16, 2022 judgment vacating the district court's ruling and remanding the case to the district court. (Popa, (3d Cir. Oct. 18, 2022).)