The surge in lawsuits against companies due to third-party data collection on their websites comes from the growing concern over online privacy and data protection. Some attorneys see this as a new opportunity to provide their services. These lawsuits are often filed under wiretapping statutes, such as the federal Wiretap Act and state equivalents, which prohibit the interception of electronic communications without consent.
The main issue lies in the data collection practices employed by third-party scripts and cookies on websites. These scripts, often embedded by advertisers, analytics providers, or other service providers, capture users’ interactions and sometimes collect data without their explicit consent. This data can include browsing history, clicks, searches, and other behavioral information.
A number of third parties offer “session replay” tools to be used on BTC websites. One of the most popular is a company called Crazy Egg. Crazy Egg and similar tools have the legitimate purpose of using the collected data to help optimize websites, especially to increase user conversions.
This data collection is what privacy-focused attorneys characterize as “wiretapping.” These attorneys are leveraging wiretapping statutes to hold companies accountable for their data collection practices. The lawsuits allege that companies are essentially allowing third parties to “eavesdrop” on users’ online activities without proper consent, thus violating wiretapping laws.
Just as recording a conversation between two people is not OK unless both are notified and agree, relying on notice only before collecting data is now generally illegal and can carry a serious criminal charge. These lawsuits are creating the risk of criminal exposure for your company's employees, in addition to public relations issues.
For companies, the risk lies in their potential liability for allowing third-party data collection without proper user consent. Mitigating this risk involves several key steps:
Audit Third-Party Providers
Companies should conduct thorough audits of all third-party scripts and cookies running on their websites. They need to understand what data providers are on their sites, which data these providers are collecting, how they’re using it, and whether they’re obtaining proper user consent prior to data collection. Pay particular attention to session replay tools.
Implement Consent Mechanisms
Companies must implement robust consent mechanisms to ensure users are aware of and agree to the data collection practices of third-party providers. This involves implementing cookie consent banners, opt-in/opt-out mechanisms, and providing clear information about data collection in privacy policies.
Vendor Contracts
Review and update vendor contracts to include provisions that hold third-party providers accountable for compliance with privacy laws and regulations. Companies should require vendors to adhere to strict data protection standards and provide indemnification for any legal liabilities arising from non-compliance.
Update Privacy Policies
Examine your privacy policy to ensure you are providing notice to consumers. Call out any third-party session replay software and other analytics tools. Also identify what data the software collects, and for what purposes.
Monitor Compliance
Regular monitoring of third-party data collection practices is essential to ensure ongoing compliance. Companies should regularly review and update their consent mechanisms, assess the data collection activities of third parties, and promptly address any non-compliance issues.
Educate Employees
Employee training and awareness programs are crucial to ensure that everyone in the organization understands the importance of privacy compliance and their role in mitigating risks associated with third-party data collection.
Overall, proactive measures such as auditing, implementing consent mechanisms, monitoring compliance, strengthening vendor contracts, and educating employees can significantly reduce the risk for companies facing wiretapping or other lawsuits related to third-party data collection on their websites. By prioritizing user privacy and adopting best practices, companies can navigate this evolving legal landscape more effectively while safeguarding user trust and avoiding costly legal disputes.