South Carolina automaker Volvo Cars is the latest company to get caught up in a growing number of lawsuits alleging websites geared toward consumers violate federal privacy and wiretapping laws.
The complaints focus on the use of "session replay" technology, which can be used to monitor and record mouse movements, keystrokes and information about a website user's device and browser information. Businesses embed the technology in their websites and say they use the information to study consumer behavior, how consumers interact with the websites and to make improvements to their websites and the information they provide.
Businesses ranging from the Papa John's pizza chain and Bass Pro Shops to Liberty Mutual and even the nonprofit Red Cross have been accused of violating web users' privacy in what Chicago law firm McDermott Will & Emery is calling "the next frontier in privacy class actions."
On Dec. 13, Volvo was added to the list.
Russell Smith, a California resident, alleged in court documents filed in his state that his mouse clicks and movements, keystrokes, search items, scroll movements, page views, copy-and-paste actions and other information were recorded while he browsed the volvocars.com website.
Smith said Volvo's actions violate the Federal Wiretap Act, adding in court documents that the law "is very clear in its prohibition against intentional unauthorized taping or interception of any wire, oral or electronic communication."
He added: "The collection and storage of page content may cause sensitive information and other personal information displayed on a page" could "expose website visitors to identity theft, online scams and other unwanted behavior."
Smith is asking a federal judge to certify his case as a class action, covering all consumers — estimated by him to be in the millions — who've visited Volvo's website and had their online movements monitored.
Violations of the Federal Wiretap Act are punishable by fines of at least $10,000 per occurrence.
Volvo has not filed a formal response to the lawsuit. A spokesman said the carmaker doesn't comment on pending litigation, but that it believes its website complies with federal and state laws.
Some businesses have successfully defended against such lawsuits by arguing that their websites and session replay providers are extensions of the company itself. In other words, the website is a "party to the communication" and wiretapping laws can only apply to third-party eavesdroppers. Some courts have dismissed cases after determining the consumers consented to the recording technology, either by agreeing to a terms-of-service notice or going on a website after being notified that such monitoring might take place.
But a recent appeals court decision indicates "session replay litigation is not dead but very much alive," according to lawyers with the Atlanta-based firm of Alston & Bird.
In that case, a Pennsylvania consumer filed a class-action lawsuit against Harriet Carter Gifts and software firm NaviStone. A district court tossed the case in favor of the two companies, saying they were direct parties to the communication taking place on the website. The U.S. Court of Appeals for the Third Circuit disagreed and remanded the case back for reconsideration.
That has legal experts advising clients to tread carefully when recording interactions with consumers who browse their websites.
"In summary, the case law in this area continues to develop inconsistently, and plaintiffs continue to advance novel interpretations of wiretapping statutes to file new claims," Ian Ross and Stephanie Peral, lawyers with Sidley Austin in Chicago, wrote for CPO Magazine, a data privacy journal.