Recent California class action lawsuits are targeting websites that employ chatbots to offer their consumers real-time, online assistance. In the aftermath of the Ninth Circuit decision in Javier v. Assurance IQ, LLC, a recent hotbed issue in digital marketing law is whether or not businesses acquire requisite consent before gathering data from a consumer’s website activity.
Anyone that has shopped at an online retailer is familiar with chatbots offering assistance on website home pages. These chatbots usually send a generic greeting in a small text box in the lower right-hand corner of the visitors’ computer screens. Consumers are able to engage in dialogue with the chatbot, whereby they can receive general assistance that appears in the form of pre-populated responses that draw from FAQs.
Recent lawsuits now allege that plaintiffs are unaware that their conversations with these bots are: 1) not with actual human beings; and 2) being recorded. Because online retailers never informed consumers of the nature of their chatbot interactions, nor sought their prior consent to be monitored and/or recorded, these lawsuits allege that the chatbot activity constitutes wiretapping in violation of the California Invasion of Privacy Act (“CIPA”).
So far, these chatbot wiretapping litigation proceedings remain in the pleading stages. As such, California courts have yet to issue a guiding decision on the issue. However, wiretapping allegations in the context of CIPA is nothing new, and online retailers can safeguard against this genre of class actions by familiarizing themselves with both the technology and corresponding regulations.
Need to record a real-life conversation? Shop voice recorders and more surveillance gear here.
Could Chatbot Conversations Violate Wiretapping Laws?
In the realm of digital marketing, chatbots offer customer engagement, sales lead generation, and 24/7 customer support that would normally require enormous overhead in the form of a live agent call center. Chatbots are operated and provided by third parties and coded into any part of the client retailer websites.
Large retailers, such as Old Navy, have found great success in employing chatbots to offer direct and personal assistance to an unlimited number of website visitors at the same time. In Licea v. Old Navy, LLC, the plaintiff alleges that he believed he was communicating with an actual Old Navy customer service representative when he conversed with a chatbot, provided by third party PolSource. He further alleges that he was unaware that the chatbot program was recording and storing their entire conversation, and that Old Navy shared the contents of his conversation with PolSource. Most importantly, the plaintiff alleges that Old Navy never disclosed that his chatbot conversation was being monitored, recorded, or shared, and his consent to such activity was never sought. In his prayer for relief, plaintiff has asked the Court to order Old Navy to rectify practices that he believes constitute wiretapping in violation of CIPA, and to pay statutory damages, which amount to $5,000 for each violation.
In the context of chatbot technology use, this is truly a novel issue. However, wiretapping allegations in the context of session-replay technology is nothing new. Session-replay allows a website operator to simulate a visitor’s keystrokes and mouse movements to obtain data used to improve website performance and/or prove that consent to certain website terms was communicated.
Session-replay lawsuits generally allege that the use of session-replay technology amounts to “wiretapping” the user’s website interaction. In the same manner that session-replay plaintiffs allege that websites covertly record visitors’ keystrokes and mouse movements, chatbot plaintiffs allege that their conversations are recorded without notice. Accordingly, some of the defenses available in session-replay lawsuits are worth exploring relative to Licea’s chatbot claims against Old Navy.
First and foremost, notice and consent would have obviated any of the causes of action plaintiff raised in his action against Old Navy. Chief to his claims is the fact that his conversation with a chatbot was being recorded without his knowledge. An open and notorious website disclosure that he was not communicating with a live agent, and that his conversation would be monitored, recorded, and possibly transmitted for data collection purposes would likely have put the entire matter to bed. Second, the party exception is a viable defense to chatbot wiretapping because Old Navy was arguably a participant in the conversation. As the court held in Graham v. Noom, Inc., a session-replay vendor providing its software to an online retailer is merely “record[ing] and analyzing its own data in aid” of the business.
Thus, the court concluded that the subject session-replay vendor was not a third-party eavesdropper, and its activity did not constitute wiretapping. Although not as strong and equivocal as notice and consent, it can be argued that Old Navy was not a third party to plaintiff’s chatbot communications. After all, PolSource leased the technology to Old Navy in order for Old Navy to “participate” in customer interactions to improve service, and also, to assist customers in real time. As Old Navy and other chatbot wiretapping lawsuits move forward, it will be interesting to see what other defenses online retailers mount against this new wave of alleged CIPA violations.
Online Retailers Must be Proactive In Guarding Against Wiretapping Lawsuits
Chatbot wiretapping allegations are the latest development in the CIPA class action landscape, but they certainly will not be the last. Online retailers must be aware and proactive given that class action plaintiffs are quick to pivot to the next frontier involving recorded activities and alleged lack of consent. While the defenses will largely remain the same, businesses can save themselves the headache of protracted litigation by preempting these lawsuits with website design that complies with applicable privacy laws. The attorneys at Klein Moynihan Turco have decades of experience keeping clients compliant with federal and state privacy and marketing laws.
This content was originally published here.