
Federal Court Finds No Interception Of Online Shoppers’ Data By Third-Party Advertising Company

Jul 13, 2021

Article by Daniel Inadomi, Lyle Washowich, and Marvi Wahla

A recent federal court ruling in a matter of first impression could have broad implications for data privacy in Pennsylvania, particularly with respect to the way in which a company obtains information about visitors to its website. See Popa v. Harriet Carter Gifts, Inc., 2021 WL 2463304 (W.D. Pa. Jun. 17, 2021).

Ashley Popa brought a class action lawsuit against Navistone, a third-party advertising company, and Navistone’s client, Harriet Carter Gifts (“Harriet Carter”). In her lawsuit, the Named Plaintiff alleged that Navistone and Harriet Carter violated the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”) by unlawfully intercepting information about her web-browsing behavior while she shopped online.

Popa had visited Harriet Carter’s website where she provided her email address, searched for items, and added items to her online cart, but did not purchase anything. Popa’s visit to the website was simultaneously accompanied by a series of underlying communications between Popa’s web browser, Harriet Carter’s website servers, and Navistone’s servers. The interplay of these communications, some of which involved the transmission of data regarding Popa’s activities on the Harriet Carter website, formed the basis of Popa’s allegation that both Navistone and Harriet Carter violated WESCA by intercepting communications between her web browser and the Defendants’ respective servers.

Navistone and Harriet Carter moved for summary judgment on the grounds that their actions did not constitute an interception under WESCA since they were separate and direct recipients of communications from Popa’s web browser. In assessing the merits of the Defendants’ motion for summary judgment, the Court noted that “[t]he threshold consideration in any claim arising under WESCA is whether there was an interception of communications.” [1]

The Court first analyzed the question of whether the interaction between Popa’s browser and Defendants’ website servers constituted an “interception” of information under WESCA. For guidance on this issue, the Court initially looked to WESCA’s definition of interception, but noted that it was silent on the specific type of communications at issue here. The Court then looked to a trio of Pennsylvania appellate court opinions, which collectively established that an interception does not occur “where a party elects to speak with or send messages to a recipient because the recipient acquires the information contained in the communications by virtue of being a direct party to the communication.” [2]

Recognizing that the forms of communication at issue in the appellate opinions—phone calls and typed electronic messages—were not directly applicable to the uniquely technical circumstances before the Court, the Court turned to a Third Circuit case, In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), for guidance on the communicative relationship between a visitor’s web browser, the server of the visited website, and the third-party servers of advertising companies. In In re Google, a case in which the plaintiffs alleged that defendants violated the Federal Wiretap Act by placing third-party cookies on a website visitor’s web browser, the Third Circuit held that the users’ web browsers and the servers of the third-party internet advertising companies were communicating directly by sending and receiving information regarding the visited webpages.

After finding that the processes and operations underlying the communications between Popa’s web browser, Harriet Carter’s website server, and Navistone’s servers were “materially similar” to those discussed in In re Google, the Court held that the communications between Popa’s web browser and Navistone were direct communications. The Court further found that Popa, by choosing to visit Harriet Carter’s website, “initiated” the “conversations” between her web browser and Defendants’ servers. [3] The fact that Popa was unaware of Navistone’s involvement in the communications was “inconsequential” to the Court because it “does not change the fact that she freely initiated the entire process, and upon doing so, her web browser carried out her request by directly beginning and participating in the ensuing ‘conversations.’” [4]

In this circumstance, the Court held that there could be no interception of communications, and therefore no WESCA violation. Accordingly, summary judgment was entered in favor of Defendants.

The Court’s decision is currently on appeal before the Third Circuit, so further developments in this space may be forthcoming. As it stands, the ruling in Popa is significant in that it protects a practice utilized by many companies of tracking certain information about website visitors, either on their own or via a third-party service. While website tracking may one day be more closely regulated by state or federal privacy laws, the practice remains a viable method for companies to obtain information about visitors to their websites.

[1] Popa, 2021 WL 2463304, at *5.
[2] Id. at *10.
[3] Id. at *15.
[4] Id.