Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

3rd Circuit overturns decision in WESCA suit

Courts Appellate Third Circuit Privacy, Cyber Risk & Data Security Wire Tapping


On August 16, the U.S. Court of Appeals for the Third Circuit overturned a district court’s decision in a Wiretapping and Electronic Surveillance Control Act (WESCA) suit against a retailer and third-party marketing company (collectively, “defendants”). According to the opinion, the plaintiff searched the retailer’s website while the “browser simultaneously communicated” with both the retailer and a third-party marketing service. The messages to the third party marketing service alerted it to how the plaintiff was interacting with the website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. The plaintiff filed suit against the defendants for using a software that used a code that placed “cookies on the user’s browser so that her activity on the webpage had an associated visitor ID,” and “told the user’s browser to begin sending information to [the third party marketing service] as she navigated through the website, such as communicating that the user had clicked the ‘add to cart’ button or tabbed out of a form field,” in violation of WESCA. The district court dismissed the common law claim and subsequently granted summary judgment to the defendants on the WESCA claim, finding that the defendants were exempt from liability as direct parties to the electronic communications.

The 3rd Circuit reversed and remanded, stating that the district court “never addressed whether [the retailer] posted a privacy policy and, if so, whether that policy sufficiently alerted [the plaintiff] that her communications were being sent to a third-party company.” The appellate court further disagreed “with the District Court’s holding that [the third party marketing company] is exempt from liability because it was a direct party to [the plaintiff’s] communications and that interception only occurred at the site of [the third party marketing company] servers in Virginia.”