Ashley Popa initiated a legal action against Harriet Carter Gifts, Inc. and NaviStone, Inc. after she discovered that NaviStone, a third-party marketing service, tracked her online behavior while she was browsing Harriet Carter’s website for pet stairs. Popa claimed this tracking violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA), which prohibits the interception of electronic communications. Although Popa provided her email and interacted with the site, she was unaware that NaviStone was also receiving data about her activities.
The District Court granted summary judgment in favor of the defendants, ruling that NaviStone did not "intercept" communications because it was considered a “party” to the electronic exchange. Additionally, the court found that any alleged interception occurred outside Pennsylvania, making the Act inapplicable. However, upon review, the appellate court disagreed with both interpretations of Pennsylvania law, vacated the summary judgment, and remanded the case for further proceedings.
Harriet Carter’s HTML code included JavaScript that initiated a GET request to NaviStone's Virginia server, which then sent "OneTag" code to Popa's browser. This code placed cookies to track user activity with a visitor ID and relayed information to NaviStone regarding user interactions on the website, such as button clicks. NaviStone utilized this data for targeting promotional mailings. In 2019, Popa filed a lawsuit against Harriet Carter and NaviStone, alleging violations of the Wiretapping and Electronic Surveillance Control Act (WESCA) and a common law invasion of privacy claim. The District Court dismissed the invasion of privacy claim but allowed the WESCA claim to proceed to summary judgment, where the court ruled in favor of the defendants. Popa appealed the summary judgment, invoking diversity jurisdiction under 28 U.S.C. 1332(d)(2) and appellate jurisdiction under 28 U.S.C. 1291.
The standard for reviewing the summary judgment is de novo, assessing facts in favor of the non-moving party. Summary judgment is warranted when there are no genuine disputes regarding material facts. The WESCA provides a civil cause of action for individuals whose communications are intercepted or disclosed unlawfully, allowing them to sue those responsible for such violations. It functions alongside the Federal Wiretap Act, permitting states like Pennsylvania to offer greater protection than federal law. Popa claims that NaviStone intercepted her communications with Harriet Carter’s website and that Harriet Carter facilitated this interception. The defendants counter that no interception occurred as NaviStone was a direct party to the communications, and they also argue that any interception took place outside Pennsylvania or that Popa had given implied consent. Each of these defenses will be evaluated.
NaviStone and Harriet Carter can only be held liable to Popa if they ‘intercepted’ his communications, as defined under 18 Pa. C.S. 5725(a). The term ‘intercept’ has a specialized meaning in the context of wiretapping laws, extending beyond its ordinary definition of stopping or seizing. Under the Pennsylvania Wiretap and Electronic Surveillance Control Act (WESCA), ‘intercept’ refers to the acquisition of the contents of any wire, electronic, or oral communication via any device. This broad definition implies that even a direct recipient of a communication could be considered to ‘intercept’ it.
However, the defendants argue that Pennsylvania courts have interpreted the statute to exclude liability when the alleged interceptor is the intended recipient of the communication. Historical cases, such as Commonwealth v. Proetto and Commonwealth v. Cruttenden, illustrate this principle. In Proetto, the court ruled that because the detective was the intended recipient of the communications, there was no interception under WESCA, despite his misrepresentation. The Cruttenden case reaffirmed this by establishing that communications to a direct recipient do not constitute interception. Therefore, if NaviStone was indeed a direct party to Popa’s communications, they may not be liable under the WESCA.
A police officer’s failure to identify themselves or misrepresentation of identity does not affect their status as a direct participant in a conversation, thereby making them an intended recipient. While prior cases suggested that Pennsylvania courts exempt direct recipients from the Wiretapping and Electronic Surveillance Control Act (WESCA), a 2012 amendment introduced a new definition of ‘intercept’ which includes the monitoring of communications by law enforcement officers. This definition explicitly states that communications involving law enforcement officers posing as intended recipients are not considered intercepted, provided there is prior approval from specific legal authorities after a review of suspected criminal activities.
The key change in the statute codifies a narrow exemption for law enforcement officers, limiting the broader implications of previous cases like Proetto and Cruttenden. The principle of expressio unius est exclusio alterius indicates that the enumeration of this exemption implies the exclusion of other potential exceptions. The Pennsylvania legislature opted to create a specific exception for law enforcement, rather than adopting broader language similar to the Federal Wiretap Act. Thus, the law emphasizes that mere participation in a conversation does not exempt officers from liability; they must also obtain prior supervisory approval for their actions to be lawful.
The Defendants' argument for a broader exception to the wiretapping prohibition conflicts with the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA). Specifically, WESCA permits interception of communications only when all parties consent, and there is no recognized "direct party" exception to this requirement, except for law enforcement under certain conditions. Therefore, NaviStone and Harriet Carter cannot evade liability simply by demonstrating that Popa directly communicated with their servers.
The location of interception is critical, as Pennsylvania courts have ruled that WESCA does not apply to conduct occurring entirely outside the state. Two possible interception points are identified: (1) at NaviStone’s servers in Virginia, which would necessitate a choice-of-law analysis, and (2) when Popa's communications left her browser without her consent, which, if within Pennsylvania, would invoke WESCA. The statute defines interception as the acquisition of communication contents through a device, and the act of acquisition occurs where there is an attempt to gain possession of communications. Historical examples, such as wiretapping, illustrate that interception occurs at the point where the communication is physically accessed or redirected. This interpretation aligns with several federal court rulings that define interception similarly, indicating it occurs when communication contents are captured or redirected.
In the context of telephone wiretaps, interception is determined by the jurisdiction where the tapped phone is located, as well as where law enforcement first overhears the communication. This principle extends to electronic communications, where interception occurs when software reroutes communications to an interceptor. In *Luis v. Zang*, a court ruled that interception happened when software automatically captured and transmitted communications to a server, irrespective of later user access. Similarly, in this case, NaviStone intercepted communications when its JavaScript code, installed on the Harriet Carter website, directed the visitor's browser to send data to NaviStone's servers.
The precise location of the interception is unclear, as it is assumed to have occurred in Pennsylvania, but lacks confirmation in the record. The District Court is tasked with determining any genuine issues of material fact regarding the interception location. Furthermore, the legality of using cookies or third-party marketing firms to analyze customer data under the Wiretapping and Electronic Surveillance Control Act (WESCA) includes exceptions, notably the all-party consent exception. As the Defendants consented to the interception, they would not face liability under this statute.
The central issue is whether Popa consented to the interception of her communications on the Harriet Carter website. The Defendants argue that Popa gave implied consent because a privacy policy was present on the website, despite Popa claiming she did not see it. The Pennsylvania Supreme Court's ruling in Commonwealth v. Byrd indicates that ‘prior consent’ does not necessitate actual knowledge; implied consent may arise if a person knew or should have known about the recording. The District Court did not address whether the privacy policy was posted and if it sufficiently informed Popa of the interception. The Defendants contend that the policy adequately warned a reasonable user, thus implying consent through her use of the website. Conversely, Popa disputes the adequacy of the policy and raises a genuine factual dispute regarding its existence at her time of visit. The court emphasizes that these matters should first be resolved by the District Court, particularly due to unresolved evidentiary disputes related to the privacy policy. The legal framework stresses the importance of privacy protection, requiring consent from all parties involved in the interception. The appellate court disagrees with the District Court’s conclusion that NaviStone is exempt from liability based on its role as a direct party to the communication and the location of the interception. Consequently, the court vacates the summary judgment order and remands the case for further examination.
