December 11, 2023
Summary
Recently, several lawsuits have been filed against Drift customers alleging that the use of our chatbots violates the California Invasion of Privacy Act (“CIPA”). These lawsuits allege that the use of Drift chatbots where there is no notice or consent to recording the messages constitutes an illegal recording of a communication made without chat participants’ consent and, in doing so, “records, intercepts, and eavesdrops” on communications in a manner that violates CIPA. These allegations are unequivocally false and inaccurate, and are contrary to Drift’s data collection and use practices. Drift takes the privacy and security of personal data very seriously. We do not use or process personal data submitted via the chat function beyond what is necessary to provide the Drift service to our customers, and do not share any chat communications data with any third parties.
Introduction
Recently, demands have been sent and, in some instances, class action lawsuits have been filed alleging that companies are using:
- “session replay software” to track a user’s interactions with the website (their clicking, scrolling, swiping, hovering and typing); and
- coding tools that create and store transcripts of conversations that users have in a website’s chat feature.
The plaintiffs filing these lawsuits are doing so under a wiretapping statute - they claim that recording their interaction with the website chat bot constitutes an illegal recording made without their consent. Additionally, the sharing of (or in this case, ability to access) the chat transcript with a third party as the chat is occurring is a factor in the wiretapping law.
While Drift does not provide services that fall under the definition of session replay software, the Customer’s instance of the Drift Platform maintains a transcript of the chat which is then stored in the Customer’s Drift account and, as such, is recorded.
Please note:
- Drift does not monitor or view the contents of Customer chats with its site visitors (unless and only to the extent expressly directed by the Customer to do so during customer success calls).
- Drift does not use any such chats or the contents thereof for its own purposes, nor does it sell any Customer data to third parties.
- The Drift chatbot does not share cookie information with third parties (like Meta, Google, etc.) and Drift does not share or sell chat data with third parties.
- Communications in the Drift widget are between the Drift Customer and its site visitor(s) - Drift is the medium for the communication. Drift itself is not communicating with site visitors or eavesdropping on chats.
- Drift Customers are the controllers of the data, including the chats, that they collect and/or sync into Drift - Drift cannot and does not do anything with the data (such as alter, modify, delete, scan, etc.) unless so directed by the Customer.
- Drift has access to chats for customer and technical support purposes only, in the same way Microsoft would with emails in Outlook or Google would with emails in Gmail.
- More information about Drift’s position with respect to customer data is found at: https://www.drift.com/gdpr/
- The Customer's privacy policy applies to their collection and use of data in their Drift account. Drift’s own privacy policy does not apply to customer data. It is only meant for Drift’s data that Drift collects and uses in its own business operations, separate from its product and customers’ accounts.
There are fines associated with each violation of these statutes (per communication). As such, Drift recommends that Customers work with their legal counsel, internal and/or external, to assess the risk specific to their companies and to take action accordingly.
California Invasion of Privacy Act (CIPA) & Wiretapping
In California, it is a crime to record someone’s conversation without their consent. Under the CIPA, it is illegal to record conversations, including telephone conversations, unless everyone involved in the conversation consents. Recently, California courts have interpreted this statute to include electronic communications and tracking software. If someone violates CIPA by recording a conversation without consent, they may be subject to penalties (including statutory damages of up to $5,000.00 per violation - one single utterance constitutes one violation). The statute of limitations on the CIPA is 1 year from the date of the recording/conversation.
It is important to note that California is not the only state with a wiretapping law. Nearly every state has a wiretapping law, so this is not just a California issue. Some states’ wiretapping laws, however, including California, Florida and Virginia among others, require that both parties involved in the conversation consent to its recording (“two-party consent”). Notably, the type of consent that is to be gathered from the individual (either explicit or implied) is not prescribed. As such, companies may rely on implied consent and need not gain explicit consent from the second party. There is a federal wiretapping law and that law generally does not require additional consents.
Configuring Drift & Compliance with CIPA:
Customers are responsible for using Drift in compliance with applicable laws and should bring this issue to the attention of their company’s legal counsel and/or do a risk assessment to determine what approach they should take. Here are some examples of considerations the Customer may want to take into account:
- Does the customer engage with individuals in states that legally require both parties to consent to the recording of a conversation?
- Is the Customer’s privacy policy up to date and does it include the data collected via Drift or other tools in the Customer’s marketing or sales stack?
- Is the Customer’s privacy policy linked in their Drift Chatbot?
- What is the Customer’s preferred method of collecting consent if they choose to do so (e.g. do they prefer to collect a consent as the first chat message or close the chat without consent, does the Customer use a consent management platform that can be used to collect the consent?)
- Has Customer implemented any notice that chats are or may be recorded (both in the privacy policy and as outlined below)?
It is best practice to collect or ensure consent in some way, whether by notice or direct consent. This may be done any number of ways, based on the Customer’s risk tolerance, goals, use of Drift, etc. The Customer may:
- Include some notice in the chat that notifies site visitors engaging with the chat that the chat transcript is recorded.
  - This would require adding messaging to every applicable Playbook in the application.
- Include some notice in the widget that notifies site visitors engaging with the chat that the chat transcript is recorded.
  - Drift has updated the persistent footer space (Image #3 under the below link) so that our Customers may include text (added under “Privacy Policy Link Text” in Image #3) that provides notice of recording and links the Customer privacy policy.
  - See example below under What Drift is Doing with Its Own Drift Account.
- Configure the Consent feature under Drift Privacy Settings to run in the United States.
  - Drift does not recommend this for gathering only consent to recording, as it may result in lower engagement with the bot and direct consent is not required under wiretapping laws.
  - Notice of recording may, however, also be added in any Consent Messages (Image 2 under the above link) where Customer has already enabled the Consent feature for data privacy law compliance.
You can create or modify your persistent footer and/or consent forms at Settings > Data Privacy > Consent Forms. For additional details on Data Privacy settings, check out this page on Drift Privacy Settings. To always display the privacy policy link on your chat widget, check off the box as seen below.
What Drift is Doing with Its Own Drift Account:
After reviewing the statute and discussing internally, as well as with outside counsel knowledgeable in this area, Drift has chosen to include a persistent footer in the chat widget linking to the company's privacy policy. This will include a very short sentence explaining that data will be recorded (in accordance with that privacy policy) and that engaging with the widget constitutes consent to that recording.
Example: By continuing to chat, you consent to this chat being recorded and stored in Drift in accordance with our Privacy Policy. [with link to company’s privacy policy included]
The Drift product has been reconfigured to allow for multiple lines to be shown as a persistent footer in the chatbot. Drift recommends that each customer include language it feels is most appropriate for it and its business to provide notice and gather consent from its site visitors. Customers will continue to be able to customize the text in such footer and include links (such as to their Privacy Policy). The reconfiguration is live and available to all Customers as of Thursday, June 15, 2023.
Please note that this help doc is not meant to provide legal advice, and that all Customers should present this issue to their legal teams and work with their legal teams on a solution that is appropriate to the individual Customer’s data collection strategy and risk tolerance.