According to the Seattle complaint, the ZIllow website’s computer code allows the website to “capture and record,” among other things, “the visitor’s personal or private sensitive data, sometimes even when the visitor does not intend to submit the data to the website operator, or has not finished submitting the data ….”
Straite noted that, while Zillow has posted a privacy policy on its website that states it will “collect a variety of information automatically,” the policy is “incredibly vague.”
“It includes things like search history, what you clicked on, the amount of time you spend looking at parts of the website,” he said. “It doesn’t say ‘mouse movements.’ ‘Session play providers’ doesn’t appear. None of the clear details about what is collected is disclosed.”
Because the policy is vague, Straite said, the typical visitor to Zillow’s website — even if they stop to read the privacy policy, which isn’t a given — likely would not fully understand the data it will collect about them.
“You would think this privacy policy protects your data,” when it doesn’t, he said. “This is a test of how vague a privacy policy can be. If this counts as fair disclosure, we’re in trouble.”
He said courts are increasingly receptive to the idea that “consent is not valid if the use is not explained. Tech companies always say they are collecting to improve their services, but they want more data to sell you more.”
‘Nothing Nefarious’
There are those, of course, who believe session replay is not a threat to consumers.
Philip Yannella is a partner and practice co-leader for the Privacy and Data Security Group at the law firm Ballard Spahr LLP in Philadelphia. He believes that a “dark cloud” has been cast over session replay because it is misunderstood.
“It’s really nothing nefarious,” he said. “It is simply an analytical tool that’s widely used by pretty much every digital content manager in the country.”
Yannella said the goal of session replay is “to try to learn more about user behavior on the websites. Session replay, what it does is basically track users’ clicks, their navigation through the website, any kind of follow through, any links that they’re hitting on the website.”
It then aggregates all of that data, he said, to create, “for lack of better word, a recording of the user’s interaction with the website.”
Yannella cautioned that it does not actually record the user — as in recording his or her face — but everything the user does while on the website. “It can give the impression that somehow your laptop is videoing you while you’re sitting at your computer, but that’s not really what’s happening at all.”
While lawyers for the plaintiffs in the Zillow lawsuits claim that session replay constitutes an invasion of privacy, Yannella says Zillow and other companies will strongly disagree.
“What Zillow would say to the privacy claims is, the user typed in information on the website and they shared that with the website operator, so there cannot be an expectation of privacy for information that someone voluntarily shares with a website. … The privacy claim may be a bit overstated.”
Transparency & Consent
When asked about the lawsuits, a Zillow spokesperson said the company is aware of them, adding that it takes the privacy and security of users’ information “very seriously.”
"We are transparent with our users through our privacy policy, which explains to users the types of information we collect as they use our apps and websites," the spokesperson said.
Yannella said consent is the biggest issue in the session replay lawsuits — including the Harriet Carter Gifts lawsuit.
“Most wiretap laws in the United States, including the Federal Wiretap Law, are one-party consent,” he said. “That means that only one party to the communication has to consent to the wiretapping.”
Pennsylvania, he noted, is one of 11 states that require two-party consent.
“Consent doesn’t have to be ‘express written consent,’” he said. “You don’t have to sign a document that says ‘I consent,’ you don’t even have to click a box that says, ‘I consent.’ Most of these state laws will allow consent to be inferred.”
He said one defense that NaviStone used in the Harriet Carter Gifts case was that it disclosed what it does in its privacy policies, “and the plaintiff should reasonably have expected” to have their behavior on the website tracked, “because that occurs everywhere on the internet. So the plaintiff certainly must have known about this; indeed, they were told about this in (NaviStone’s) privacy policy.”
For Yannella, that is the bottom line. “Everyone does it,” he said. “Everyone is using website analytics, and everyone, pretty much, is working with companies like … NaviStone to enable targeted advertising. So the scope of these lawsuits is wide-ranging.”
Fundamental Flaw
The lawsuits have a fundamental flaw, because “plaintiff’s lawyers are attempting to use laws from the 1960s that were developed 25 to 30 years before the commercial internet really came into its heyday, Yannella said. “They’re trying to, essentially, use these new technologies and cram them into these old laws, and these old laws were not meant at all to deal with targeted advertising or website analytics. These things didn’t even exist back then.”
Because of that, it is “difficult to try to make the analogy that targeted advertising is the same as tape-recording a conversation,” he said. “It’s just not”
If the plaintiffs win, he said, “it’s going to have a significant impact on most online retailers; really, on most online companies. Because it’s getting to the core of online commerce. Everyone is doing it this way.”
The end result if the plaintiffs win, Yannella said, is “you’ll see websites and targeted advertisers probably change their approach. If you’re a website operator, you’ll probably have to get (direct) consent and they’ll probably have to do that through some kind of just-in-time consent, like maybe a cookie banner,” which announces that cookies will be installed if the user continues and requires the user to click a button.
“That’s a pretty clear way to button up this issue,” he said, “and make sure you don’t get sued.”