Zillow Sued For Alleged Wiretapping

It’s not what you think – it involves consumers and keystrokes.

David Krechevsky

If your company maintains a website – whether offering financial products or just selling pet stairs – you now need to be familiar with state and federal wiretapping laws.

The term “wiretapping” probably brings to mind images of police detectives or FBI agents huddled in the back of a white panel van or in a dark room with headphones on, listening to and recording conversations among shady characters.

What likely doesn’t come to mind are interactive business websites. 

Yet a spate of recent class action lawsuits against a variety of business websites – including cases filed separately in September in Pennsylvania, Washington, and Missouri against Zillow Group Inc., as well as those filed against hardware retailer Lowe’s and travel website Expedia, among others – all cite state wiretapping laws as the basis of their complaints about invading consumer privacy.

The flurry of filed suits followed a federal appellate court decision in August that resurrected an earlier, similar lawsuit in Pennsylvania. Yet that lawsuit, Popa vs. Harriet Carter Gifts, owes a debt to even earlier suits involving Facebook (now Meta) and mobile software company Carrier IQ.

Privacy experts say all of these wiretapping lawsuits have far-reaching implications for any business that maintains a website and uses coding, software, or third-party vendors to analyze what clients or consumers do when they visit online.

Just about every company uses some form of data analytics to understand how website visitors interact with a site, but the lawsuits will likely determine where the line is drawn between analytics and compromising privacy.

“The problem for these companies is, the exact moment that technology is allowing this data collection comes at a time when courts and consumers are asking for greater privacy protection,” said David A. Straite, a partner in the New York law firm DiCello Levitt and a certified information privacy professional.

Keystroke Logging & Location Tracking

To understand the issues in the lawsuits against Zillow and others, you have to go back to 2011, when lawsuits were filed nationwide against Carrier IQ and various mobile phone companies and services, including AT&T, Apple, Sprint (then Sprint Nextel) and T-Mobile. 

The lawsuits followed the discovery by security researcher Trevor Eckhart that Carrier IQ’s software was being surreptitiously loaded onto cell phones. The lawsuits claimed the software logged keystrokes and illegally intercepted private communications, in violation of the Federal Wiretap Act, the Stored Electronic Communications Act, and the Federal Computer Fraud and Abuse Act.

Carrier IQ and the companies that used its software on their phones, meanwhile, claimed it was intended only for network diagnostics. 

The class action lawsuits were consolidated in 2012 and eventually settled in 2016, with Carrier IQ and its co-defendants agreeing to pay $9 million.

That case “established that if you’re recording keystrokes before someone actually presses ‘enter’ — before they choose to send it — that the average person does not expect those partial thoughts to be sent,” Straite said. “Now you’re seeing technology marching fast ahead. The more basic technology in the Carrier IQ case is now much more sophisticated.”

Not Just Your Fingers

It’s not just keystrokes being tracked now, he noted, but possibly also cameras recording where your eyes look on the screen. And in many cases, you don’t have to hit the “enter” button for what you type to be tracked. Take, for example, when you start typing something into the Google search bar; you don’t have to hit enter to get suggestions, you get them starting with the first keystroke.

“Individual keys are being transmitted,” he said. 

Such keystroke logging is possible on potentially any website you visit, often without the user’s knowledge.

Most users, on the other hand, are familiar with “cookies,” the blocks of data that can be placed on devices by websites they visit. In 2012, a lawsuit accused Facebook of using cookies to track subscribers’ internet use even after they had logged off the company’s social media platform. 

In February of this year, Meta (Facebook’s parent company) agreed to settle the case for $90 million — 10 times the Carrier IQ settlement.

Straite, who was co-lead counsel for the plaintiffs in the Facebook case, noted that even before the settlement, the case had created significant law in favor of consumers. In a 2020 opinion in the case, the U.S. Court of Appeals for the Ninth Circuit ruled that unlawfully copying and then selling personal data creates “economic harm.” It also ruled that Facebook was not a party to the communication it intercepted from other websites for purposes of the Wiretap Act, meaning it needed each user’s consent before collecting the data. The U.S. Supreme Court declined to review the case last year, letting the appellate court decision stand.

“This settlement not only repairs harm done to Facebook users, but sets a precedent for the future disposition of such matters,” Straite said.

Popa v. Harriet Carter Gifts

Which brings us to those pet stairs. 

In 2018, Pennsylvania resident Ashley Popa used her smartphone to browse the website of Harriet Carter Gifts. She eventually found a set of pet stairs she liked and placed them in her digital cart, but never actually completed the purchase. 

It should have ended there, but Popa later discovered that NaviStone — a third-party digital marketing service hired by the retailer — had tracked all of her interactions with the shop’s website.

Believing her privacy had been compromised, and that NaviStone had “intercepted” her communications with the shop website in violation of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA), she sued both the shop and NaviStone.

The District Court dismissed part of her claim regarding invasion of privacy, but granted summary judgment – deciding the case on its merits without a jury – in favor of the defendants on the claim of violating WESCA. 

Popa appealed, and the U.S. Court of Appeals for the Third Circuit ruled in August that the lower court erred by granting summary judgment. 

In a decision labeled “precedential” – meaning it potentially has implications for all website privacy disclosures and consent practices – the Third Circuit court ruled that Harriet Carter Gifts and NaviStone were not exempt from liability under Pennsylvania’s wiretapping law simply because NaviStone was intended to receive the communications from Popa’s phone and, therefore, had not “intercepted” them.

The appeals court ruled that the only statutory exception under Pennsylvania’s wiretap law is for law enforcement activity specified in a 2012 amendment to the law. The court also ruled that NaviStone’s alleged interception of Popa’s communications with the gift shop occurred at the point where Popa’s phone was located at the time (in Pennsylvania), and not where NaviStone’s servers received them (in Virginia).

The appellate court also said it was sending the case back to the district court because it had granted summary judgment without addressing the issue of consent. 

In a report on the ruling posted to Lexology.com by Kathryn Deal, a partner with the law firm Morgan, Lewis & Bockius in Philadelphia and a former federal prosecutor, she wrote that the appeals court ruling may spark “renewed interest in session replay and other website-tracking claims” under WESCA.

“To mitigate risk of liability and liquidated damages claims under Pennsylvania law, businesses and their digital marketers may want to review their disclosures and online practices to evaluate the strength of other defenses or exceptions to WESCA liability, including prior consent to any third-party data sharing,” Deal wrote.

Session Replay

She was right, of course, given the flood of lawsuits that followed the Third Circuit Court’s ruling.

The lawsuits are all quite similar. Take, for example, the lawsuit filed Sept. 12 in U.S. District Court for the Western District of Washington in Seattle on behalf of two plaintiffs “and all others similarly situated.” The lawsuit names Seattle-based Zillow Group Inc. and Redmond, Wash.-based Microsoft Corp. as defendants.

In this complaint, which mirrors the others, the plaintiffs claim Zillow employs Microsoft and other third-party vendors to “embed snippets” of computer code on Zillow’s website, “which then deploys on each website visitor’s internet browser for the purpose of intercepting and recording” their interactions with the site. This can include recording “mouse movements, clicks, keystrokes, … URLs of web pages visited, and/or other electronic communications in real-time.”

According to the complaint, third-party vendors then use the data to recreate each website visitor’s “entire visit” to Zillow’s website, which is called a “session replay.” 

“Microsoft and other Session Replay Providers create a video replay of the user’s behavior on the website and provide it to Zillow for analysis,” the complaint states, adding that this is the “electronic equivalent of ‘looking over the shoulder’ of each visitor to the Zillow website for the entire duration of their website interaction.”

The lawsuit claims this violates the Washington state wiretapping statute, and constitutes an invasion of the privacy rights of website visitors. Lawsuits in other states cite those states’ similar laws.

Expectation of Privacy

The Seattle complaint, like the others, makes the argument that website users have “a reasonable expectation of privacy in their interactions with websites.” It states that privacy polls and studies show that a majority of Americans consider “one of the most important privacy rights to be the need for an individual’s affirmative consent before a company collects and shares its customers’ data.” 

The suit does note that the computer code used to recreate visitors’ interactions is “utilized by websites for some legitimate purposes,” but adds that “it goes well beyond normal website analytics when it comes to collecting the actual contents of communications between” visitors and the websites. 

According to the Seattle complaint, the Zillow website’s computer code allows the website to “capture and record,” among other things, “the visitor’s personal or private sensitive data, sometimes even when the visitor does not intend to submit the data to the website operator, or has not finished submitting the data ….”

Straite noted that, while Zillow has posted a privacy policy on its website that states it will “collect a variety of information automatically,” the policy is “incredibly vague.” 

“It includes things like search history, what you clicked on, the amount of time you spend looking at parts of the website,” he said. “It doesn’t say ‘mouse movements.’ ‘Session play providers’ doesn’t appear. None of the clear details about what is collected is disclosed.”

Because the policy is vague, Straite said, the typical visitor to Zillow’s website — even if they stop to read the privacy policy, which isn’t a given — likely would not fully understand the data it will collect about them.

“You would think this privacy policy protects your data,” when it doesn’t, he said. “This is a test of how vague a privacy policy can be. If this counts as fair disclosure, we’re in trouble.” 

He said courts are increasingly receptive to the idea that “consent is not valid if the use is not explained. Tech companies always say they are collecting to improve their services, but they want more data to sell you more.”

‘Nothing Nefarious’

There are those, of course, who believe session replay is not a threat to consumers.

Philip Yannella is a partner and practice co-leader for the Privacy and Data Security Group at the law firm Ballard Spahr LLP in Philadelphia. He believes that a “dark cloud” has been cast over session replay because it is misunderstood.

“It’s really nothing nefarious,” he said. “It is simply an analytical tool that’s widely used by pretty much every digital content manager in the country.”

Yannella said the goal of session replay is “to try to learn more about user behavior on the websites. Session replay, what it does is basically track users’ clicks, their navigation through the website, any kind of follow through, any links that they’re hitting on the website.”

It then aggregates all of that data, he said, to create, “for lack of better word, a recording of the user’s interaction with the website.”

Yannella cautioned that it does not actually record the user — as in recording his or her face — but everything the user does while on the website. “It can give the impression that somehow your laptop is videoing you while you’re sitting at your computer, but that’s not really what’s happening at all.”

While lawyers for the plaintiffs in the Zillow lawsuits claim that session replay constitutes an invasion of privacy, Yannella says Zillow and other companies will strongly disagree. 

“What Zillow would say to the privacy claims is, the user typed in information on the website and they shared that with the website operator, so there cannot be an expectation of privacy for information that someone voluntarily shares with a website. … The privacy claim may be a bit overstated.”

Transparency & Consent

When asked about the lawsuits, a Zillow spokesperson said the company is aware of them, adding that it takes the privacy and security of users’ information “very seriously.” 

"We are transparent with our users through our privacy policy, which explains to users the types of information we collect as they use our apps and websites," the spokesperson said.

Yannella said consent is the biggest issue in the session replay lawsuits — including the Harriet Carter Gifts lawsuit. 

“Most wiretap laws in the United States, including the Federal Wiretap Law, are one-party consent,” he said. “That means that only one party to the communication has to consent to the wiretapping.”

Pennsylvania, he noted, is one of 11 states that require two-party consent.

“Consent doesn’t have to be ‘express written consent,’” he said. “You don’t have to sign a document that says ‘I consent,’ you don’t even have to click a box that says, ‘I consent.’ Most of these state laws will allow consent to be inferred.”

He said one defense that NaviStone used in the Harriet Carter Gifts case was that it disclosed what it does in its privacy policies, “and the plaintiff should reasonably have expected” to have their behavior on the website tracked, “because that occurs everywhere on the internet. So the plaintiff certainly must have known about this; indeed, they were told about this in (NaviStone’s) privacy policy.” 

For Yannella, that is the bottom line. “Everyone does it,” he said. “Everyone is using website analytics, and everyone, pretty much, is working with companies like … NaviStone to enable targeted advertising. So the scope of these lawsuits is wide-ranging.” 

Fundamental Flaw

The lawsuits have a fundamental flaw, because “plaintiff’s lawyers are attempting to use laws from the 1960s that were developed 25 to 30 years before the commercial internet really came into its heyday,” Yannella said. “They’re trying to, essentially, use these new technologies and cram them into these old laws, and these old laws were not meant at all to deal with targeted advertising or website analytics. These things didn’t even exist back then.”

Because of that, it is “difficult to try to make the analogy that targeted advertising is the same as tape-recording a conversation,” he said. “It’s just not.”

If the plaintiffs win, he said, “it’s going to have a significant impact on most online retailers; really, on most online companies. Because it’s getting to the core of online commerce. Everyone is doing it this way.”

The end result if the plaintiffs win, Yannella said, is “you’ll see websites and targeted advertisers probably change their approach. If you’re a website operator, you’ll probably have to get (direct) consent and they’ll probably have to do that through some kind of just-in-time consent, like maybe a cookie banner,” which announces that cookies will be installed if the user continues and requires the user to click a button. 

“That’s a pretty clear way to button up this issue,” he said, “and make sure you don’t get sued.”

This article was originally published in the Mortgage Banker Magazine October 2022 issue.
David Krechevsky,
Editor
Published on
Oct 18, 2022