Two class action lawsuits filed in the last month in Pennsylvania federal court bring to light the perils of using website tracking software. In each of the cases, one against retailer Bloomingdale’s and the other against insurer Liberty Mutual, the class action plaintiffs allege that these defendants violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act by using third-party website tracking software on their websites to record and track website visitors’ use of the websites without the express knowledge or permission of those visitors.
Similar cases were brought and are still being litigated in other jurisdictions, including suits brought this week in California (against Ulta and Bass Pro Shop), last month in Florida (against Home Depot) and California (against Papa Johns), and in October in Massachusetts (against Goodyear). Another similar case was recently dismissed in Florida (against Costco). These suits, including those against Bloomingdale’s and Liberty Mutual, which may also be dismissed, serve as a necessary reminder to businesses regarding the use of website tracking software and the related disclosure to website visitors of a website’s collection of visitor information.
Consumer privacy in the United States, including the privacy of information collected on websites, is governed by a patchwork of state and federal laws and regulations. Most notably, the Federal Trade Commission Act and its state-equivalent consumer protection laws, including the Unfair Trade Practices and Consumer Protection Law in Pennsylvania, regulate unfair and deceptive commercial practices. These laws and regulations have been interpreted to require businesses to accurately warn website visitors of their information collection and sharing practices (typically in the form of privacy policies) and to provide adequate protection of personal information. A business’s failure to comply with these laws and regulations can result in steep fines and penalties, along with possible liability to website visitors for damages caused by such non-compliance. Now, the possible violation of state wiretapping laws when using website tracking software without full and proper disclosure to website visitors seems to compound the risk to businesses.
If your business would like to review this issue further, please contact Partner Don Geiter. Don is a Certified Information Privacy Professional (U.S.) (CIPP/US) and leads the firm’s Cybersecurity Service Team.