Providing Notice “When Every Click is Counted” – S.D. Cal. Weighs in

August 22, 2024

Privacy Plus+

Privacy, Technology and Perspective

 

This week, let’s highlight a recent case from the United States District Court for the Southern District of California, Price et al. v. Carnival Corp., which (in January) addressed, among other things, the issue of "notice" as it relates to online privacy, and specifically focused on the use of "Session Replay Code." This topic aligns with our previous post, When Opt-Ins are Illusory – The Fifth Circuit Weighs In. To review that post, please click on the following link:

https://www.hoschmorris.com/privacy-plus-news/when-opt-ins-are-illusory-fifth-circuit

Price et al. v. Carnival Corp., No. 3:23-cv-00236 (S.D. Cal. Jan. 2024)

In Price, the court considered a motion to dismiss a class action complaint against Carnival Corporation for allegedly violating various wiretap and privacy laws by deploying session replay code on its website without proper notice or consent from users. Plaintiffs claimed that Carnival’s use of this code allowed the company to intercept personal information, including passport numbers, driver’s license numbers, and payment details.

Session replay software typically tracks user interactions, like mouse movements and keystrokes, and sends this data to third parties—in the Price case, Microsoft. The court described the technology in more striking terms, highlighting its "constant surveillance" capabilities, noting that “[e]very click is counted, every keystroke is collected, and every cursor movement is catalogued.” The court explained that Microsoft not only records and analyzes this data but also provides Carnival with a “video replay” of the user’s visit and can even “expose[] a user’s browsing on other sites…including on websites where the user had intended to remain anonymous.”

Carnival defended its actions by arguing that users had consented to this “surveillance” either by using the website or through a "Cookie Policy" banner displayed at the bottom of the page. However, the court found Carnival’s notice to users to be insufficient. It pointed to Carnival’s use of a browsewrap agreement, criticizing the design and placement of the "Cookie Policy" banner, which was featured in small, inconspicuous text that blended into the website's background. The court noted that a user could potentially “click one of these large, red buttons before the Cookie Policy banner appears, and the banner may fail to appear on subsequent pages.” Accordingly, the court concluded that plaintiffs sufficiently alleged that the interception of their communications occurred without their consent.

You can review the opinion in full by clicking on the following link:

https://cases.justia.com/federal/district-courts/california/casdce/3:2023cv00236/752201/29/0.pdf?ts=1705768160

Our Thoughts

Tracking technologies (like session replay code, web beacons and pixel tags, and third-party analytics, among other tools) have drawn increasing scrutiny by both regulators and the plaintiffs’ bar. While many companies rely on these tools to provide valuable insights and opportunities, their use raises significant privacy concerns and liability issues. Hence, it’s imperative to understand what these tools are and why they are being used on your website, if they are at all. In cases where there isn’t a compelling reason for their use, consider eliminating them. Otherwise, we suggest following this recipe:

Before integrating a new tracking tool into a website, conduct a thorough privacy impact assessment (PIA), even if not mandated by applicable law. A PIA helps identify potential privacy risks associated with the tool. Only by fully understanding those risks can an organization appropriately weigh them against the value of the tool, then proceed proactively with its implementation. The PIA process involves analyzing the tracking tool’s functionality, the type of data it collects, and how this data is used and shared. It also considers the legal requirements for obtaining user consent and providing notice about data collection practices. Deployment of a new tracking tool always requires a fresh look at an organization’s online privacy notice.

Next, it’s important to review any contractual obligations tied to the use of the tracking tool. Most tracking tools have terms of service that include limitations or conditions imposed by the tool provider on the organization implementing that tool—for example, requiring the provision of a specific reference to the tool in the organization’s privacy notice, or even requiring express, affirmative consent by users. Keep in mind that your organization may not have a direct relationship with the tool provider, but instead may rely on an intermediary, like a digital marketing agency, to contract for use of the tools. If an agency is representing your organization, you will need to ensure that your contract with that agency addresses the use of third-party tools. No third-party tools should be implemented without your organization’s knowledge and consent. And some organizations may even prefer to contract directly with the third-party tool provider to manage those tools. Regardless, your organization’s contract with its digital marketing agency should address how those risks are managed.

Another critical aspect is identifying the role of the tool provider—whether they are acting as a service provider or a third party. A service provider typically processes data on behalf of the organization under restrictive contractual terms that limit its own use of the data. In contrast, third parties have broader access to and use of the data for their own purposes. Understanding whether a provider is a service provider or a third party is crucial for ensuring that data is handled in compliance with legal and contractual requirements, and for maintaining transparency with users about how their information is being managed.

Finally, organizations should examine whether the tool has features that will allow the organization to configure restrictions on data use, or otherwise minimize data collection. Proper privacy configurations can help mitigate risk. 

Keep in mind that placing a notice on a website will not guarantee effective notice, especially if that notice isn’t prominently displayed and designed to catch the user’s attention. A better approach is to use a clickwrap agreement, where users must click "I agree" to acknowledge their consent to the terms. While this introduces some friction, it also ensures users explicitly consent to the terms and thereby provides stronger legal protection, minimizing the risk of disputes about whether users were informed.

In short, it’s essential to understand the technologies used on your website, mitigate their risks, and, as highlighted in the Price case, provide clear, conspicuous, and easily understandable notices about data collection practices, especially when tracking technologies are involved.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 

 
