"Why is a raven like a writing desk?" Alice never found out the answer to the Mad Hatter's riddle. What might she make of its 21st century cousin, why is a chatbot like a tape recorder?
Solving this particular riddle has become important to judges in California, where plaintiffs continue to bring cases alleging certain third-party website integrations can violate users' privacy.
In legal practice, analogies are not just literary devices. They are powerful tools that can shape the interpretation of laws and the outcome of cases. This is even more the case in the mashup between new technologies and old legal theories.
The comparison of a chatbot to a tape recorder is more than a whimsical simile — it is a legal argument that seeks to clarify the nature of digital communications in the context of the California Invasion of Privacy Act.
In recent years, privacy counsel have responded to a flurry of lawsuits that allege violations of CIPA and similar wiretapping statutes in a handful of other states, including Pennsylvania and Illinois. Though many have called such suits farfetched and frivolous, they are based on a simple — and avoidable — privacy concern.
To wit: The contents of communications should be treated with care and protected from third-party snoops, even if those communications are innocuous website form entries or sidebar chats.
Third-party integrations are common on websites, whether in the form of plug-ins, cookies, pixels or other tracking technologies. Most of these tools are limited to accessing various types of metadata, including characteristics of the user's device, behavioral data and the like.
One important side note: Even collecting relatively anodyne data can invite regulatory scrutiny if it tends to reveal sensitive information, such as health-related inferences, as the U.S. Federal Trade Commission has recently and repeatedly reminded companies.
But when third-party integrations facilitate or capture communications, a red flag should go up in the minds of privacy pros.
Data that could be considered to reveal the contents of a communication is usually captured on websites in one of two situations. That's either through a chat interface, such as a customer service window, or by use of session replay scripts that capture a user's entire display surface without redacting information typed into search bars or form fields.
In the recent flurry of private litigation under the wiretapping theory, plaintiffs argue that these integrations, however benign, violate users' expectations of privacy when communication data is shared with third parties. They deploy an analogy used in wiretapping case law that these third-party companies, which may be unknown to the user, are effectively listening in on communications like a "friend against the door."
At a high level, the themes of these recent cases are easy to unpack. A few judges who have peeked at substantive arguments in these cases have concluded that third-party integrations can't count as wiretaps because communications are not "intercepted," or are not captured while "in transit" between parties. Given the fickle nature of legal interpretations around data flows, it is best not to rely only on arguments like this.
More often, the strength of these cases has turned on whether the third-party integration is more like a friend against the door or more like a tape recorder.
A Third Circuit order early last year granted American Eagle Outfitters’ motion to dismiss a wiretapping case, explaining the importance of this metaphorical distinction in detail:
"During the conversation, when the third party was purportedly recording and storing the transcript, the third party appears to be operating like a tape recorder. When a party captures and stores data, courts have found that they operate like an extension of the defendant (i.e. a tape recorder)."
After the conversation, Plaintiff alleges that the "third party publicly boasts of its ability to harvest valuable data from such communications for the benefit of its clients," and "(d)efendant and third parties then harvest data ... for financial gain." The alleged use of the data by the third party therefore does not appear to be independent. The pleadings, taken as true at this stage, nowhere suggest that the third party has the ability to use the information independently. The bare allegations only suggest that the third party analyzed or used the data on behalf of or in tangent with Defendant.
Does that sound familiar? It should. If other courts agree with this analysis, privacy pros should feel right at home advising on how to avoid this type of legal liability. When third parties operate as an extension of the controller, like a tape recorder in their hand, they are not eavesdroppers or wiretappers.
Thus, if third-party integrations are scoped as service providers or processors, with their access to data limited to providing a service on behalf of the controller website, and with their right to use communication data for their own purposes properly limited through contractual and technical measures, allegations of wiretapping are likely to fail.
Of course, clarity on these issues will not fully stop cases from being brought. Yet litigators are already noting a slowdown. Most of these cases are either dismissed on procedural grounds or settle, though a couple are now finally moving through the discovery phase of litigation and could be fought to a final court decision. A decision on the merits would be a game changer for the future of these arguments, as courts have not fully grappled with the wiretapping theory of third-party plugins. Even without such a decision, the majority of these lawsuits are being blocked at various initial stages, causing the flurry to slow to a sprinkle. If you would like to go deeper into the weeds, Husch Blackwell has a helpful rundown of some of the most recent lessons from these cases.
As the never-ending ingenuity of technology crashes against the prosaic headlands of legal analysis, it is easy for observers to get bogged down by confusing analogies and unsolvable riddles. But if privacy pros look at things through the lens of policymakers — and everyday ordinary consumers — it is sometimes easier to figure out the right thing to do.
Scrutiny over communication data is not likely to lessen any time soon. For example, the current draft of the American Privacy Rights Act treats “the private communications of an individual” as sensitive data. This means it would require opt-in consent for the transfer of such information to third parties, unless they are operating strictly as service providers “for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity.”
Sometimes the best riddles are those where the answer is right in front of us all along.
Please send feedback, updates and teatime stories to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is a managing director for the IAPP in Washington, D.C.