Surge in Website Wiretapping Lawsuits: New Litigation Risk for Online Tracking Technologies

Legal Alerts

1.29.26

Takeaways

  • Plaintiffs’ firms are increasingly using state and federal wiretapping laws to sue website operators over common tracking technologies.
  • Tools like Google Analytics, chatbots, session replay, and tracking pixels are being framed as illegal “eavesdropping.”
  • Statutory damages can reach $5,000 per website visitor, creating massive exposure even for B2B companies.
  • Many claims are weak but designed to force quick settlements through costly litigation threats.
  • Privacy and cookie notices alone are not sufficient—proactive consent or technical and legal changes are now critical to mitigate risk.

We are writing to alert you to a critical and rapidly escalating litigation trend targeting website operators across the United States. In recent months, there has been a significant surge in class action lawsuits and pre-litigation demand letters alleging that standard website technologies, such as Google Analytics, chatbots, session replay software, and tracking pixels (from LinkedIn, Meta, TikTok, and others) violate state and federal wiretapping laws.

These wiretapping laws, most commonly the California Invasion of Privacy Act (CIPA) and the Electronic Communications Protection Act (ECPA), were originally drafted to protect the privacy of communications in the era of physical phone lines and industrial espionage. However, plaintiffs’ firms are aggressively utilizing these antiquated statutes to claim that the automatic sharing of user data with third-party vendors (such as Google, Meta, or Microsoft) constitutes illegal “eavesdropping” or the use of an unauthorized “pen register.” Statutory damages under these laws can reach $5,000 per violation (per visitor), creating liability even for websites that have moderate traffic or that are business-to-business.

This area of law is highly volatile and is not consistently applied, but court rulings at the early pleading stages of claims have created a sufficient incentive for “strike demands,” that is, frivolous or weak legal demands made primarily to pressure you into a quick, cheap settlement to avoid the legal expense of actually defending a claim. This has generated a cottage industry of submitting demands to website operators, more or less at random, in an attempt to secure quick settlements.

Unfortunately, merely having a cookie consent program in compliance with privacy laws like the California Consumer Privacy Act (CCPA) will not prevent you from receiving these demands or allow an “easy out” in litigation. However, there are ways to mitigate the risk of receiving these demands and to reduce liability in litigating or settling them:

  • Consider changing to an “opt-in” consent model for all online tracking technologies;
  • Disable any unneeded or unused tracking technologies;
  • Ensure your Privacy Policy is up-to-date;
  • Increase the prominence of your notice banner and update its language to specifically describe any tracking technologies and to include direct links to your Privacy Policy and Terms of Use;
  • Audit your consent management platform to ensure it is working as intended; and
  • Update your domain Terms of Use with mandatory arbitration and class action waiver terms.

Please reach out to your Dykema contact or to our Privacy Hotline at CyberResponder@dykema.com if you would like to discuss this issue.