Most websites collect information about visitors to enhance user experience and support marketing and sales efforts. Common website technologies – such as cookies, pixels, session replay tools, and chatbots – help businesses improve their website functionality, analytics, and advertising.  However, businesses of all sizes that use these technologies are increasingly becoming targets of website wiretapping claims.

Overview of the Claims

 For the past several years, plaintiffs have sought to apply decades-old wiretapping statutes to modern website technologies.  Claims are being brought in particular under the California Invasion of Privacy Act of 1967 (“CIPA”), the federal Electronic Communications Privacy Act of 1986, and the Florida Security of Communications Act, all of which provide private rights of action and statutory damages between $100-5,000 per violation.  Plaintiffs allege that by deploying website technologies before receiving a visitor’s express consent, companies are unlawfully intercepting or disclosing electronic communications in violation of these statutes.

These claims continue to increase nationwide.  Although most wiretapping claims are brought under California or Florida law, they are not limited to companies headquartered in those states.  Any company using website technologies may become a target.  A small number of plaintiffs’ firms and pro se litigants are fueling huge waves of demand letters and litigation, affecting organizations of all sizes across industries.

Mitigation Considerations

 Website technologies evolve rapidly, as does the legal landscape applicable to those websites. Regularly reviewing and auditing website technologies can help ensure that they remain aligned with business objectives while identifying ways to reduce potential legal risks.

The California Legislature is currently considering Senate Bill 690 which, if enacted, could narrow the scope of certain CIPA-based website tracking claims.  Until the legal landscape becomes clearer, however, companies should work closely with their legal, technology, and marketing teams to proactively identify risk areas, evaluate the necessity of existing website technologies, and implement appropriate governance and consent practices.

Companies that receive wiretapping demand letters or website-tracking complaints should contact experienced counsel to evaluate facts and defenses and develop a strategy for response.  For any questions about assessing or mitigating wiretapping claim risk for your website, please contact Lisa Ellingson or another member of Winthrop & Weinstine’s Data Privacy, Cybersecurity & Artificial Intelligence (AI) team.

July 8, 2026