Last week the Third Circuit reversed a summary judgment ruling in favor of Harriet Carter Gifts and NaviStone for alleged violations of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, or WESCA. See Popa v. Harriet Carter Gifts, Inc., Case No. 21-2203, 2022 WL 3366425 (3rd Cir. Aug. 16, 2022). This lawsuit is one of many recent putative class actions attempting to apply decades-old wiretapping laws against websites and their service providers. The named plaintiff is a consumer that allegedly shopped on Harriet Carter Gifts’ website while NaviStone’s marketing software was installed on the website. Plaintiff argued that defendants violated WESCA by simultaneously sending her interactions with Harriet Carter’s website to NaviStone.
The district court granted summary judgment in favor of the defendants, holding that there was no interception as a matter of law because NaviStone was a direct recipient of plaintiff’s communications. In reaching this conclusion, the court relied on Pennsylvania state court cases involving undercover law enforcement who were not found liable for wiretapping claims when they were the direct recipients of the communications, even if not the intended recipients. The district court also held that even if there had been an interception, it occurred not in Pennsylvania, but rather in Virginia where NaviStone’s servers were located.
The Third Circuit disagreed, holding that NaviStone’s position as a direct recipient of Popa’s communications did not allow it to escape liability under WESCA. The court explained that since the state court cases the district court relied on were decided, the Pennsylvania legislature amended WESCA to include an explicit exception for undercover law enforcement. This amended language foreclosed an expansive reading of the state court cases beyond law enforcement circumstances, such that NaviStone could not rely on the direct recipient exception. The court also rejected the argument that the interception occurred outside of Pennsylvania at NaviStone’s servers in Virginia; instead the court reasoned that the interception occurred at Popa’s browser, although the court noted that the record did not show whether she was in fact in Pennsylvania at the time. The court was unconvinced by defendants’ arguments that the decision would mean websites could never use cookies or third-party marketing companies to analyze customer data. The court noted that consent is a clear exception to wiretapping liability under WESCA, but declined to address the parties’ consent arguments as these had not yet been decided by the lower court.