Third Circuit Gives Pennsylvania Consumers New Footing for Internet Tracking Claims
Following a recent decision,1 the Third Circuit Court of Appeals breathed new life into Pennsylvania consumer claims that the practice of tracking a customer’s movements on a company’s website violates Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA).2 WESCA makes it unlawful to intentionally intercept any wire, electronic, or oral communication.3 For years, Pennsylvania courts applied a “direct party” exception to WESCA, finding that a party who directly receives a communication does not “intercept” it. This limited the scope of potential claims under WESCA, which provides a direct cause of action for consumers.4
In Popa v. Harriet Carter Gifts, Inc., however, the Third Circuit determined that subsequent revisions to WESCA significantly curtailed this exception. In 2012, in an apparent effort to codify the direct party exception as related to police investigations, the Pennsylvania General Assembly revised the definition of “intercept” in WESCA to exclude any communications directly received by law enforcement, so long as law enforcement meets certain criteria.5 Under the Third Circuit’s interpretation, the 2012 revisions limited the direct party exception to only those circumstances described in the statute—that is, direct communications to law enforcement that otherwise meet certain criteria.
Not surprisingly, numerous class actions quickly followed the Popa decision, each alleging that companies violated WESCA by tracking the plaintiffs’ activities on the companies’ websites. However, the Popa decision still leaves certain questions unanswered. First, the Third Circuit’s decision is based on its presumption about how the Pennsylvania Supreme Court would interpret WESCA and the revised definition of “intercept.” If the Pennsylvania Supreme Court has occasion to consider this question, it could effectively overrule Popa if it interprets WESCA differently. Plaintiffs will likely try to avoid this by primarily filing suit in federal district courts in Pennsylvania, which remain bound by the Popa decision until further notice. However, a question could be certified to the Pennsylvania Supreme Court asking it to weigh in on the interpretation of the revised version of WESCA.
Second, WESCA still contains various other defenses for defendants, including the potential defense that consumers give implied consent to tracking by visiting websites with accessible privacy policies that inform visitors of the tracking. The Third Circuit, however, left open the question of whether browsing a website with an accessible privacy policy constitutes implied consent. Regardless of how the Court decides that question, though, companies should closely review their policies—both terms and conditions, as well as privacy—to ensure that, to the degree applicable, they clearly state the manners in which visitors’ information may be collected and aggregated by the company or third parties. Affirmative opt-in mechanisms can also be used to seek consumers’ express consent to the collection of information as described in a company’s privacy policy. Opt-in mechanisms like these can help avoid potential arguments over whether a consumer gave implied consent to a privacy policy.
Third, identifying the point when an interception occurs could give rise to jurisdictional arguments. In Popa, the Third Circuit determined that the interception occurred when the plaintiff’s browser, situated in Pennsylvania, delivered information that was routed to the defendants’ servers out of state. The Third Circuit, therefore, held that Pennsylvania courts had jurisdiction. This interpretation seemingly would exclude anyone from a potential class who accessed a website from outside of Pennsylvania. On the other hand, in today’s highly mobile society, where people often access websites on their smartphones, the Popa court’s interpretation could raise a host of jurisdictional complications, as well as constitutional concerns, such as implications for the Dormant Commerce Clause.6
The Popa decision represents a significant shift in applying WESCA, and while potential defenses are available, unanswered questions remain. What is clear, however, is that companies should anticipate the potential for these claims and take steps to prepare. In addition to reviewing their privacy policies and terms and conditions to ensure they completely and accurately disclose a company’s collection, use, and disclosure of data, companies should review their agreements with website managers and software or marketing providers who collect information from visitors to a company’s web site to ensure that the the practices are accurately disclosed in the company’s privacy policy and determine if the agreements include indemnification for claims related to use of data collected from the company’s web site visitors.
The lawyers at K&L Gates LLP are prepared to assist companies as they navigate this new landscape of potential liability.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
