By Jennifer Blanco
January 11, 2023
Imagine someone following you as you walk through a department store, noting every item you touch, grab, or show interest in—this can be a bit creepy. As a consumer, you would likely want to know if someone is logging your every click.
Session Replay Software is a type of software typically utilized by businesses with consumer-facing websites. Replay Software helps companies understand how consumers interact with their site by tracking their interaction within the page. Essentially, every click, each piece of information entered into a questionnaire box, even if not submitted, is logged. This replay software allows companies to improve their consumer experience by refining any errors within their website. It also allows businesses to better market the products consumers are mainly attracted to on the site.
While this software benefits businesses, problems can also quickly arise when visitors to a website that is using Replay Software are not aware they’re being recorded. When individuals are unaware that their every click is being documented, businesses can face invasion-of-privacy claims and data privacy issues. In today’s modern age, virtually everything is purchased through a website (e.g., clothes, jewelry, groceries). The main question when learning about Replay Software is: how do companies take advantage of this software but not cross the line into invasion of privacy?
Disclosure, Consent, or Both?
Although Replay Software has many benefits, both to companies and consumers, a big concern is the lack of disclosure by the companies. If consumers’ info is being tracked on a website, companies need to disclose what is being tracked. Many cases involving invasion of privacy and data privacy violation claims have concerned a lack of disclosure from the website operators. For example, major session replay cases involving Zillow, Expedia, and Papa Johns have lacked initial disclosure and consent from consumers. The Plaintiffs in those cases alleged violation of the “Wiretap Act” and “State Invasion of Privacy Acts.” So, if information is being logged during a user’s session, a disclosure should be provided.
But when is a disclosure not needed? There are five categories of data practices that companies can engage in without offering consumers disclosure: (1) product and service fulfillment, (2) internal operations, (3) fraud prevention, (4) legal compliance and public purpose; and (5) first-party marketing.
"Take it or leave it."
Other than disclosures, some websites and companies offer a “take it or leave it” or “walk away” option. This option is most common in retail and software licensing business models. In these instances, a consumer must adhere to and accept the terms being provided in order to access the website. Companies have a right to limit their business to those willing to accept their policies. Three factors are considered in determining whether the “take it or leave it” choice is appropriate. First, there must be adequate competition, so that the consumer has alternative sources to obtain the product or service in question. Second, the transaction must not involve an essential product or service. Last, companies offering a “take it or leave it” choice must clearly and conspicuously disclose the terms of the transaction so that the consumer can understand the value exchange.
Opt-out Provisions and When They Are Necessary
Companies must provide consumers with a choice of whether to be tracked across other parties’ websites. The Federal Trade Commission (“FTC”) agrees that when a company that has a first-party relationship with a consumer for delivery of a specific service also tracks the consumer’s activities across other parties’ websites, such tracking is inconsistent with the context of the consumer’s first-party relationship with the entity. Companies should give consumers a choice before collecting sensitive data for first-party marketing. Affirmative express consent is appropriate when a company uses sensitive data for any marketing, whether first or third-party. This risk exists regardless of whether the entity collecting and using the data is a first party or a third party that is unknown to the consumer.
To Disclose or Not Disclose?
Before recording any user interaction, companies should expressly and affirmatively gain user consent. One way to do so is through pop-up cookie banners before the users interact with the websites or access any software. Additionally, ensuring privacy policies are updated and conspicuously hyperlinked on the software or web page provides users with sufficient notice of the privacy policies and any disclosures. These policies should clearly indicate that users may be monitored while on a website or while using software. Decisions from cases dealing with Session Replay Software have left open the possibility that prominent, clear, and transparent privacy notices disclosing how these background communications work and who receives them could provide website operators with an implied consent defense to wiretapping claims. However, the precise elements or standards required to obtain implied consent remain unclear. Providing consumers with clear disclosure notices and obtaining consent when needed will allow companies to comply with State and Federal regulations dealing with Invasion of Privacy and Data Privacy issues while being forthcoming with consumers.
**This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance. All information, and content in this article are for general informational purposes only. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.
Further, if you want to get involved, gain more experience to grow your cybersecurity skills, or volunteer, follow Latinas in Cyber (LAIC) and sign up to volunteer with us.
We are launching a Mentorship Academy in January 2023. Be sure to follow us to find out more details about the mentoring cohort, and subscribe to us at www.latinasincyber.com.
Author: Jenn Blanco, LAIC Online Contributor & Brand Ambassador
Jenn Blanco is the Legal Counsel at Conquest at Cyber with a Certificate in Intellectual Property, focused on Cyber Law, Trade Secrets and Trademarks.