Lessons on compliance offered by recent dismissal of wiretapping class action

April 8, 2025

In a recent legal case involving an online retailer, a putative class action lawsuit under the Pennsylvania Wiretapping and Electronic Surveillance Control Act of 1978 (WESCA) was dismissed due to the successful assertion of consent as a defense. The case, Popa v. Harriet Carter Gifts, Inc., highlighted the importance of using notice and consent mechanisms to mitigate legal risks associated with the use of cookies, pixels, and other website tracking technologies that can potentially violate wiretapping statutes.

The plaintiff in the case alleged that Harriet Carter Gifts, Inc. and its technology vendor, NaviStone, Inc., intercepted her data while she visited Harriet Carter’s website, violating WESCA. However, the court ruled in favor of the defendants, emphasizing that the plaintiff’s continued use of the website implied consent to the data practices outlined in Harriet Carter’s privacy policy. This decision underscores the significance of clearly disclosing data collection practices and obtaining user consent to avoid potential legal liabilities.

Under Pennsylvania’s wiretapping laws, consent from all parties involved is required to intercept electronic communications lawfully. The court in Popa determined that the retailer’s privacy policy adequately disclosed the data collection practices and was conspicuously presented on the website, putting visitors on notice of its terms. As a result, the plaintiff could not establish a viable WESCA claim, leading to the dismissal of the lawsuit.

To mitigate the risk of wiretapping class actions, companies with an online presence should prioritize strategic notice and consent measures as part of their compliance efforts. By ensuring that privacy policies transparently disclose online tracking tools and technologies, businesses can proactively address potential legal challenges. These disclosures should encompass all data collection practices, including the involvement of third-party vendors, the use of cookies for analytics, and the protection of personally identifiable information (PII).

Additionally, companies should present their privacy policies in a clear and conspicuous manner to website visitors, ensuring that users are aware of the terms governing data collection and usage. By adopting best practices for notice and consent, companies can navigate the evolving landscape of data privacy regulations and reduce their exposure to wiretapping class action lawsuits. Implementing robust compliance programs that prioritize transparency and user consent is essential for safeguarding against potential legal risks in the digital age.