§ 8.02 Civil Violations Under the Wiretap Act

• Jurisdiction: United States
• Publication year: 2020

§ 8.02 Civil Violations Under the Wiretap Act

[1] Introduction

Section 2520(a) provides that "any person whose wire, oral or electronic communication is intercepted, disclosed or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation such relief as may be appropriate."¹³⁷ In general, at least since 2004, most courts in the United States that have considered this issue have found that Section 2520 provides a private cause of action only against those defendants who violate the plain language of section 2520(a), i.e., those who unlawfully intercept, disclose, or use a communication, all of which are within the ambit of section 2511, and therefore there is no private cause of action for possessing, manufacturing, distributing, or advertising a wiretapping device.¹³⁸

The Sixth Circuit found that where the defendant also plays an active role in the use of a violative device to intercept, disclose, or intentionally use a plaintiff's electronic communications, the defendant violates sections 2520.¹³⁹ The Sixth Circuit agreed with the majority view concluding "that those other courts that have adopted a narrow reading of § 2520 have the better end of this debate. This is because the phrase 'engaged in that violation' plainly refers back to the earlier clause defining the 'violation' as an 'intercept[ ], disclos[ure], or intentional[ ] use[ ].'"¹⁴⁰ However, the Sixth Circuit concluded that violations of section 2512 could still give rise to civil liability¹⁴¹ where the defendant "manufactured, marketed, and sold [the wiretap device] with knowledge that it would be primarily used to illegally intercept electronic communications" and then "remained actively involved" by operating the server where the intercepted communications were stored.¹⁴² Thus, because the defendant "actively manufactured, marketed, sold, and operated the device" that it knew was used to intercept, disclose, or intentionally use communications, the Sixth Circuit concluded that the defendant had "'engaged in' a violation of the Wiretap Act . . ."¹⁴³

However, circuit courts are unanimous in holding that private right of action exists for the unauthorized interception of encrypted satellite television broadcasts.¹⁴⁴

[2] Elements

Thus, "[a] plaintiff pleads a prima facie case under the [section 2511] by showing that the defendant (1) intentionally (2) intercepted . . . (3) the contents of (4) an electronic communication, (5) using a device."¹⁴⁵ It is generally understood that "electronic communication" includes a diverse set of digital communications such as web cookies, URLs, and e-mails.¹⁴⁶ See § 8.02[9[b] infra.

[3] Content

The issue of whether the intercepted "electronic communication" includes "content" as required by 18 U.S.C. § 2510(4) has arisen frequently in the civil arena especially in regard to class action lawsuits.

For example, a putative nationwide class of mobile device users alleged that Apple had violated Title 18, Section 2511(1)(a) and (1)(d) United States Code by collecting plaintiffs' precise geographic locations data from Wi-Fi towers, cell phone towers, and GPS data on plaintiffs' devices and by using that location data to develop an expansive database of information about the geographic location of cellular towers and wireless networks throughout the United States.¹⁴⁷ The court dismissed the claims on the ground that the identities of parties is not "content" as defined by the Wiretap Act finding that: " 'content' is limited to information the user intended to communicate, such as the words spoken in a phone call. Here the allegedly intercepted electronic communications are simply users' geolocation data. The data is generated automatically, rather than through the intent of the user, and therefore does not constitute 'content' susceptible to interception."¹⁴⁸

[4] Secondary Liability

The overwhelming majority of courts have held that Section 2520 does create secondary liability, for example, by procuring the interception by another.¹⁴⁹ In other words, manufacturers of consumers' mobile devices could not be secondarily liable for software that allegedly intercepted consumers' text messages and online search queries.¹⁵⁰

[5] Immunity

Section 2520(d)(1) provides that "good faith reliance" on "(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization; (2) a request of an investigative or law enforcement officer under section 2518(7) of this title; or (3) a good faith determination that section 2511 or 2511(2)(i) of this title permitted the conduct complained of is a complete defense against any civil or criminal action brought under the chapter."¹⁵¹

[6] Remedies

Remedies include injunctive relief, actual and punitive damages and reasonable attorney's fees.¹⁵² Section 2520(c)(2) authorizes statutory damages where a defendant intentionally intercepts electronic communications.¹⁵³ This subsection sets the damages at the greater of "(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or (B) statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000." Courts are split on whether damages under Section 2520(c) are discretionary or mandatory.¹⁵⁴ However, federal courts have substantial discretion in fashioning an appropriate damages remedy under the ECPA.¹⁵⁵ In determining the amount of the damages, courts have considered the following factors: (1) the severity or minimal nature of the violation; (2) whether there was actual damage to the victim; (3) the extent of any intrusion into the victim's privacy; (4) the relative financial burdens of the parties; (5) whether there was a reasonable purpose for the violation; and (6) whether there is any useful purpose to be served by imposing the statutory damages amount.¹⁵⁶

[7] Use of Illegal Recordings in Judicial Proceedings (18 U.S.C. § 2515)

Section 2515 precludes "attorneys from using or disclosing illegal recordings, and information derived from such recordings, even in a manner intimately associated with ongoing judicial proceedings."¹⁵⁷ Further, a clients' disclosure of information obtained in violation of wiretapping to their attorneys for a purpose other than defending themselves against wiretapping charges violates the wiretapping statute.¹⁵⁸ Courts, however, have recognized an impeachment exception into this prohibition.¹⁵⁹

[8] Class Actions

A number of Section 2520 cases have generally involved class action allegations that defendants intercepted electronic communications relating to smart phone transmissions or that a website operator intercepted electronic communications that it was not authorized to intercept. For example, in Campbell v. Facebook, Inc.,¹⁶⁰ the Ninth Circuit affirmed the entry of a class action settlement over the objections of a single class member. The class claimed that Facebook violated the ECPA through nonconsensual capturing, reading, and use of website links included in private messages sent or received by users.¹⁶¹

The court found that plaintiffs asserted "a concrete harm" under 18 U.S.C. § 2511(a) (1) and the California Invasion of Privacy Act.¹⁶² The court first reasoned that "the harms protected by these statutes bear a close relationship to ones that have traditionally been regarded as providing a basis for a lawsuit," most prominently, the right to privacy.¹⁶³ The court stated: "There is a straightforward analogue between those traditional torts and the statutory protections codified in ECPA and CIPA against viewing or using private communications. Moreover, under the privacy torts that form the backdrop for these modern statutes, 'the intrusion itself makes the defendant subject to liability.'"¹⁶⁴ Thus, according to the court, "historical practice provides support not only for the conclusion that wiretapping is actionable, but also for the conclusion that a wiretapping plaintiff need not allege any further harm to have standing."¹⁶⁵ The court also noted that its conclusion in that regard is consistent with the Third Circuit's holding in In re Nickelodeon Consumer Privacy Litig.¹⁶⁶ that violations of ECPA of the "type alleged here" "involve a clear de facto injury."¹⁶⁷

Facebook also objected to the settlement on the ground that plaintiffs lacked standing to bring the case.¹⁶⁸ The court rejected this argument finding that Facebook confirmed that it identifies and collects the contents of user's individual private messages and that this was done without the consent the members of the class. This means that the plaintiffs "claimed a violation of the concrete interests that ECPA and CIPA protect, regardless of how the collected data and information was later used."¹⁶⁹ The court further found that at the time plaintiffs filed the complaint Facebook was actively accessing private messages and continued to retain the messages which meant that "there was a risk that it would resume using the data, . . . sharing the data . . . was sufficient for Plaintiffs to have standing to seek injunctive relief."¹⁷⁰

In another Ninth Circuit case, the court upheld the district court's summary judgment in favor of defendant finding that undeliverable messages not intercepted in violation of the Wiretap Act because these messages were not in transmission.¹⁷¹

A California district court found that allegations that software installed on consumers' mobile devices by a software developer and device manufacturer ran code that intercepted incoming text messages and outgoing web queries and search terms were sufficient to state a prima facie case that the developer intercepted electronic communications contemporaneously with their transmission as required by Title 18, Section 2510(4) of the United States Code.¹⁷² The same court, however, also found that the consumer's user names and passwords did not reveal the...