Litigation Minute: Protecting Against Session Replay Suits

What You Need To Know In A Minute Or Less

Throughout this series, we have discussed the recent surge of session replay lawsuits—particularly in Pennsylvania, California, and Florida—and the potential for these cases to involve both large classes of plaintiffs and significant damages awards. There are steps that companies can take, however, to guard against these lawsuits.

In a minute or less, here is what you need to know about these precautions.

Obtain Consent

Under the wiretapping statutes giving rise to these claims, consent of the recorded party is a defense. Although courts may find the inclusion of a detailed privacy policy on a website sufficient to secure implied consent from site visitors, obtaining visitors’ express consent provides a stronger defense against potential litigation. Many websites already include a banner asking visitors to agree to (or reject) the use of tracking cookies. By designing their websites to begin using cookies only after a visitor agrees to this arrangement, companies can establish clear consent and an absolute defense.

Present Clear Privacy Policies

Every company that collects data on its website should have a privacy policy visible on the site. While courts have yet to determine whether—and under which circumstances—a privacy policy can secure implied consent to data collection and tracking, companies improve their arguments if their privacy policies are detailed, clear, and accessible. For example, companies should consider incorporating charts to describe which information is collected, how it is collected, and when and where it is shared. 

Additionally, companies should make privacy policies easy for website visitors to find and read, better establishing that the visitors were aware (or should have been aware) of those policies. Companies, for instance, might consider linking to their privacy policies in multiple website locations. Privacy policies should be reviewed and updated on a regular basis. 

Minimize or Eliminate Sharing of Sensitive Information 

In certain cases, a company’s website may receive sensitive or personally identifying information from visitors, such as Social Security numbers, financial information, and confidential healthcare information. These companies should configure their data collection mechanisms to the fullest extent possible in order to avoid storing and sharing this type of information, as sharing this information with third parties may create additional avenues for plaintiffs in seeking damages.

When necessary to store or share this type of information, a company should state this necessity clearly on the website and, to the degree possible, obtain visitors’ express consent to the storage and sharing of their information.  

Review Vendor Agreements and Insurance Policies

Companies using third-party vendors to provide digital marketing services—including data collection and tracking—should carefully review their vendor agreements to determine whether the agreements include indemnification provisions. A company should understand not only whether an indemnification provision is in place, but also the functionality and scope of that provision. Companies should also ensure that they are apprised of any instances in which third-party vendors change their practices related to data collection and tracking.

Similarly, companies should carefully review their insurance policies to determine whether they include any coverage for these types of claims. Such policies might include general business liability policies, as well as directors and officers policies.