TrustedForm and the CA Wiretapping Threat
Many of you use TrustedForm on your website to document consent for current or potential customers to be contacted by telephone, text message or email. TrustedForm provides significant benefits for all concerned with a website visit and the process of lead verification. In particular, TrustedForm helps document consent to be contacted for compliance with privacy laws such as the Telephone Consumer Protection Act (“TCPA”). TrustedForm also helps to protect you from baseless claims of TCPA violations by aggressive litigators. Recently, some of the same litigators who have threatened TCPA claims have been pursuing a new avenue of litigation. They have pursued cases against website owners and their service providers (like us) based on a CA wiretapping statute. These cases involve sites that use any type of lead verification and session replay technology like TrustedForm. This is yet another challenge for website owners, who are doing their best to conduct business responsibly. Again, ActiveProspect is at the frontlines of the battle. The purpose of this article is to provide some context and updates on recent legal developments.
As a company, our mission is to make consent-based marketing the best channel for customer acquisition. Consent-based marketing is the practice of only contacting consumers who have given their prior express written consent to be contacted. Ultimately, we want to put the control in the hands of the consumer and do away with unsolicited outreach by giving marketers a better alternative. Given that we are strong advocates of consumer privacy, we were very frustrated to be named in a few of these CA wiretapping complaints, even though most have been quickly dismissed.
Recently, a case that has gotten some attention is Javier vs. Assurance and ActiveProspect. The district court dismissed the Javier case, but the plaintiffs appealed that ruling. Unfortunately, the Court of Appeals for the Ninth Circuit reversed the district court’s dismissal order. The Ninth Circuit held that the basis for the district court’s decision—that the plaintiff had provided express consent retroactively to Assurance’s use of TrustedForm—was in error. In particular, relying on cases dealing with a different statute than the one under which Javier sued (and that arose in the context of telephone calls and not internet communications), the Ninth Circuit held that Javier had to provide his consent prior to any involvement by TrustedForm for his express consent to be effective. This decision was met with criticism.
The internet is a fundamentally different technology than telephone communication in which this 1993 California Wiretapping law is being interpreted. When you go to a website, by default your interaction with and activity on that website is logged. This logging and recording has become more sophisticated over the years with “session replays.” This technology works by taking the logged events on a site and replaying them with a copy of the site to visualize a replay of that user’s website session. While it looks like a video, it is not an actual video recording, but rather a reconstruction of the exact webpage and webform interaction in real time, as it occurred, on that day and time. We are a service provider to the website owner who relies on our technology to comply with the TCPA by documenting the consumer’s consent to be contacted. A website owner could build and implement its own technology to provide similar functionality. We simply provide the tool for capturing and archiving the webform interaction and consent language presented for compliance and verification purposes. Only the site owner can share a TrustedForm certificate (which includes the session replay) from their site for access by others.
We remain confident that we will prevail in the Javier case. It is important for everyone in the consent-based marketing ecosystem that we do. Since this Ninth Circuit of Appeals ruling, there have been some independent assessments of the case published by Eric Troutman of Troutman Firm and David Klein of KMT.
In the interim, developments such as Javier serve as an important reminder about the need for website owners to provide notice to site visitors about your privacy practices, including the use of session replay technology like TrustedForm. Use of the TrustedForm script (aka Web SDK) is specifically governed by our TrustedForm EULA, which requires that site operators provide notice to their visitors. As always, we recommend that you work with your privacy, legal and design teams to determine the most reasonable, balanced way to meet any webpage notice and consent language compliance requirements set forth in our EULA or under various data laws and regulations.