Cacophony or Concerto?: Analyzing the Applicability of the Wiretap Act’s Party Exception for Duplicate GET Requests

By David Koenig

The Electronic Communications Privacy Act (“Wiretap Act”) prohibits the intentional interception of an electronic communication. However, “parties to a communication” can intercept a communication without Wiretap Act liability. Parties include the intended recipients of a communication. When internet users navigate the internet, they communicate with websites using GET requests. The users’ GET requests call out to websites and websites respond by providing the websites’ content to the users. During this process, websites receive user data. This data can include information about the website visited, the search terms used to locate the website, and referral data identifying the last web page the users visited.

Digital advertisers may populate websites users visit with advertisements or plug-ins that allow users to “like” content. In doing so, advertisers generate secondary GET requests between users and advertisers. Secondary GET requests are duplicates of the GET requests between users and websites insofar as they share user data. Advertisers retain and identify this data.

In the Third and Ninth Circuits, internet users argued that digital advertisers used the duplicate GET requests to intercept user data contained in the GET requests between users and websites—arguably a violation of federal law under the Wiretap Act. Digital advertisers invoked the party exception, arguing that advertisers were parties to the duplicate GET request between internet users and advertisers. If so, the advertisers would be parties to the user data received in the duplicate GET requests and exempt from Wiretap Act liability. The Third Circuit held that the party exception applied to the advertisers’ duplicate GET requests. The Ninth Circuit rejected this approach and held that the party exception did not apply.

This Note argues that digital advertisers are unintended recipients that are ineligible for the party exception. First, transmitting duplicate user data via a second communication is an effective—and sometimes necessary—method of interception for electronic communications on the internet. In that case, duplicate GET requests may indicate interception. This requires courts to analyze shared data, not individual GET requests. Second, equating a direct recipient of a duplicate GET request with an intended recipient lacks judicial support and cannot properly decide party status. Third, users enter URLs or click hyperlinks to navigate the internet. This identifies the websites that users visit as the intended recipients of user data, not digital advertisers. As such, advertisers are best categorized as unintended recipients and therefore ineligible for the Wiretap Act’s party exception.