Last week, the United States Court of Appeals for the Third Circuit denied rehearing en banc in a case about the application of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”), 18 Pa. C.S. § 5701 et seq., and issued an amended opinion to “clarify issues raised” by the defendants—an online retailer and an internet marketing company. The order leaves in place the Third Circuit’s August 2022 judgment in favor of the plaintiff consumer, which held that, dependent on further fact finding, defendants may be liable under WESCA for “intercepting” the consumer’s interactions with the retailer’s own website.

In Popa v. Harriet Carter Gifts, Inc., No. 21-2203, 2022 U.S. App. LEXIS 28799 (3d Cir. Oct. 18, 2022), the plaintiff visited and interacted with retailer Harriet Carter’s website. Harriet Carter’s website contained JavaScript code that sent an HTTP GET request to defendant third-party marketer NaviStone, which in turn loaded cookies and code on the plaintiff’s browser that sent details on the plaintiff’s website interaction to NaviStone’s servers in Virginia. Plaintiff alleged that the defendants were liable under WESCA for “intercept[ing]” the plaintiff’s electronic communications (NaviStone) or “procur[ing]” another to “intercept” the communications (Harriet Carter).

The District Court granted summary judgment in favor of the defendants by holding that (i) NaviStone could not have “intercepted” communications under WESCA because it was a direct recipient of the communications and (ii) NaviStone acquired any communications in Virginia, where its servers are located, not Pennsylvania.

The Third Circuit, however, vacated and remanded the District Court’s grant of summary judgment.

As more fully addressed in the amended opinion, the Third Circuit held that a 2012 amendment to WESCA—which added an “intended recipient” exception to the definition of “intercept,” but only for law enforcement officers—meant that the defendants could not “avoid liability merely by showing that [plaintiff] unknowingly communicated directly with NaviStone’s servers.”

The Third Circuit also held that the situs of an online “interception” under WESCA is not where the servers are located, but “the point where [defendant] routed th[e] communications to its own servers.”

Because no evidence was in the record as to where the plaintiff’s browser was located when NaviStone’s code was loaded, the Court remanded for further factfinding. Although the Third Circuit rejected the bases for the District Court’s judgment, it left open on remand the possibility that Harriet Carter’s privacy policy sufficiently alerted the plaintiff about the interception so as to constitute “prior consent” to an interception under WESCA (and thus absolving defendants of liability).

As the defendants’ rehearing briefing noted, Popa has already proven to be a significant case for the plaintiffs’ bar in Pennsylvania. Since the Third Circuit’s original opinion in August, over ten cases alleging similar WESCA violations have been filed in federal courts in Pennsylvania. See Defendants’ Fed. R. App. P. 28(j) Letter, Popa v. Harriet Carter Gifts, Inc., No. 21-2203 (3d Cir. Sept. 23, 2022), ECF No. 82-1 (collecting cases). Most notably, this decision has spawned more complaints involving the use of session replay software, an emerging privacy litigation field. Because session replay software is frequently used by the operators of commercial websites to enhance the experience of website visitors, it is broadly used across industries—making many take note of the rise in claims and accompanying litigation risk.

For more on this developing area of privacy litigation and other related topics, stay tuned. CPW will be there to keep you in the loop.