The question is – do wiretapping statutes apply in cases where there is no traditional third party interceptor? And more practically speaking, how does an entity using plug-ins and cookies avoid liability under wiretapping statutes while there is so much uncertainty in the law?
We previously blogged about this issue In re: Facebook, Inc. Internet Tracking Litigation (here). We reported how: (i) the district court dismissed the plaintiff’s action, which brought claims under, inter alia, the Electronic Communications Privacy Act (ECPA) and California Invasion of Privacy Act (CIPA), pursuant to the “party” exception (i.e., there was no third party intermediary); and (ii) the Ninth Circuit reversed on grounds that the “party” exception is applicable where the sender is unaware of the transmission. We also explained how the result of this Ninth Circuit decision was a split between circuit courts on the applicability of wiretapping statutes where a sender’s own computer transmits messages, and also a split within the Ninth Circuit. And at the time we blogged, Facebook had filed a motion for rehearing before the Ninth Circuit.
Earlier this week, the Ninth Circuit denied Facebook’s motion for reconsideration, thereby solidifying the aforementioned splits. While according to public sources Facebook has thus far declined to comment on its next steps, it seems likely that Facebook may file a petition for a writ of certiorari in the Supreme Court.
Unless and until the Supreme Court clarifies the scope of the Wiretap Act, those using third party cookies or plug-ins to track users’ Internet activity would be wise to (1) review their disclosures and ensure that they provide detailed information about what third party plug-ins and cookies the site uses, and exactly when and how they work (while being careful to ensure that, at the same time, they do not reveal corporate trade secrets or other confidential information); (2) review their consent procedures to ensure that affirmative consent to the use of the disclosed plug-ins and cookies is sought; and (3) review any contracts and terms of service with the third party.
On the flip side, companies that offer plug-ins may want to contractually require website operators to provide detailed disclosures and seek affirmative consent from users before installing code, or alternatively, they may want to implement their own consent mechanisms for their plug-ins, such as a “2-click solution.” A 2-click solution is where a user clicks on an image (such as a “Like” button), and then informed consent is obtained directly from the user before installing the plug-in (e.g., “By clicking ‘Like’ you install a plug-in from Company X, which will direct your browser to send a copy of the URL of the visited page to Company X”).
If you have any privacy questions related to your company’s use of plug-ins or cookies, please contact us at firstname.lastname@example.org.