April 15 approaches, recalling for many Benjamin Franklin’s famous quip that nothing is for certain except death and taxes. If Franklin were a general counsel today, perhaps he’d add to his idiom lawsuits over website data collection and analytics. Lawsuits brought under state wiretapping and electronic surveillance control acts (WESCA) and other privacy-related statutes for online data tracking and analytics have been rampant. Many times, organizations have little appreciation that their marketing and analytical undertakings may run afoul of WESCA statutes. Other times, even if cognizant of the online tracking litigation, organizations mistakenly believe that they have provided appropriate disclosures, and that enforceable consents have been obtained from website users. Generally, liability under state WESCA claims turns on whether there was there an interception of a communication (and if so, where that interception took place), and whether the party whose communication was intercepted had granted consent. This article focuses on the third element—consent. 

For sure, as a defense under WESCA, consent is king. If the website user has consented to a website’s collection and use of his or her data, there is no liability. E.g., 18 Pa. S.C.A. Section 5704 (excepting from liability “where all parties to the communication have given prior consent to such interception”); Oliver v. Noom, 2023 WL 8600576, at *7 (W.D. Pa. Aug. 22, 2023) (“WESCA contains a consent exception, whereby a person may “intercept a wire, electronic or oral communication, where all parties to the communication have given prior consent to such interception.“). In terms of data processing efficiency, and with an eye toward mitigating liability, a website owner will want to ensure that obtained consent is unambiguous and clear to ward off potential disputes and dispose of potential litigation at its early stages. But getting to “yes” to demonstrate consent can be more rigorous than many online privacy notices facilitate.