Chat with Caution: The Growing Data Privacy Compliance and Litigation Risk of Chatbots

In a new wave of privacy litigation, plaintiffs have recently filed dozens of class action lawsuits in state and federal courts, primarily in California, seeking damages for alleged “wiretapping” by companies with public-facing websites. The complaints assert a common theory: that website owners using chatbot functions to engage with customers are violating state wiretapping laws by recording chats and giving service providers access to them, which plaintiffs label “illegal eavesdropping.”

Chatbot wiretapping complaints seek substantial damages from defendants and assert new theories that would dramatically expand the application of state wiretapping laws to customer support functions on business websites.

Although there are compelling reasons why courts should decline to extend wiretapping liability to these contexts, early motions to dismiss have met mixed outcomes. As a result, businesses that use chatbot functions to support customers now face a high-risk litigation environment, with inconsistent court rulings to date, uncertain legal holdings ahead, significant statutory damages exposure, and a rapid uptick in plaintiff activity.

Strict State Wiretapping Laws

Massachusetts and California have some of the most restrictive wiretapping laws in the nation, requiring all parties to consent to a recording, in contrast to the one-party consent required under federal and many state laws. Those two states have been key battlegrounds for plaintiffs attempting to extend state privacy laws to website functions, partly because they provide for significant statutory damages per violation and an award of attorney’s fees.

Other states with wiretapping statutes requiring the consent of all parties include Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. As in Massachusetts and California, litigants in Florida and Pennsylvania have started asserting wiretapping claims based on website functions.

Plaintiffs' Efforts to Extend State Wiretapping Laws to Chatbot Functions

Chatbot litigation is a product of early favorable rulings in cases targeting other website technologies, refashioned to focus on chat functions. Chatbots allow users to direct inquiries to AI virtual assistants or human customer service representatives. Chatbot functions are often deployed using third-party vendor software, and when chat conversations are recorded, those vendors may be provided access to live recordings or transcripts.

This most recent wave of plaintiffs now claim that recording chat conversations and making them accessible to vendors violates state wiretapping laws, with liability for both the website operator and the vendor. However, there are several reasons why the application of wiretapping laws in this context is inappropriate, and defendants are asserting these legal arguments in early dispositive motion practice with mixed results.

What Businesses Can Do to Address Growing Chatbot Litigation Risk

Despite compelling legal arguments for why these suits should be stopped, businesses with website chat functions should exercise caution to avoid being targeted, as we expect to see chatbot wiretap claims to skyrocket. This litigation risk is present in all two-party consent states, but especially in Massachusetts and California. Companies should beware that they can be targeted in multiple states, even if they do not offer products or services directly to consumers.

In this environment, a review and update of your company’s website for data privacy compliance, including chatbot activities, is advisable to avoid expensive litigation. These measures include:

• Incorporating clear disclosure language and robust affirmative consent procedures into the website’s chat functions, including specific notification in the function itself that the chatbot is recording and storing communications
• Expanding website dispute resolution terms, including terms that could reduce the risk of class action litigation and mass arbitration
• Updating the website’s privacy policy to accurately and clearly explain what data, if any, is recorded, stored, and transmitted to service providers through its chat functions, ideally in a dedicated “chat” section
• Considering data minimization measures in connection with website chat functions
• Evaluating third-party software vendors’ compliance history, including due diligence to ensure a complete understanding of how chatbot data is collected, transmitted, stored, and used, and whether the third party’s privacy policies are acceptable

Companies may also want to consider minimizing aspects of their chatbots that have a high annoyance factor – such as blinking “notifications” – to reduce the likelihood of attracting a suit. This list is not comprehensive, and businesses should ensure their legal teams are aware of their website functions and data collection practices.

If you have any questions about the recent wave of chatbot class action litigation or would like help determining whether your business can take steps to improve its privacy compliance program to manage its chatbot litigation risks, please contact Melanie Conroy, Kathleen Hamann, or Ariel Pardee.