
Your business and its website have been minding their own business, when all of a sudden, you find yourself on the receiving end of a demand letter. The letter gives you an ultimatum: Pay up, or go to court. Allegedly, your website is in violation of not just one, but three separate laws.

You look into these laws more closely, and it feels like a bad joke–one was written for tapping phone lines in 1967, one for federal wiretaps in 1986, and one for catching computer hackers in 1989. None of them even references cookies, pixels, or chat widgets–the technologies your demand letter asserts are the source of the violation.

Opportunistic law firms have successfully used these decades-old laws to launch a nationwide wave of privacy lawsuits and demand letters aimed at the tracking tech running quietly on sites like yours. They’re known as CIPA, the ECPA, and the CDAFA, and lately they travel as a group, stacked into the same complaint like three kids in a trenchcoat sneaking into an R-rated movie.

Why Are We Seeing So Many of These Lawsuits?

Since 2022, over 4,700 wiretap lawsuits have been filed in the US (as of this writing). Before 2022, wiretap litigation was relatively rare. It took time for plaintiffs’ firms to figure out how to repurpose wiretap laws written in the rotary-phone era for modern litigation. They realized these laws were worded broadly enough that, if you squint, they could be applied to modern website tracking technologies: pixels, analytics tags, session-replay tools, chat widgets, and the like.

The theory: when your site quietly ships a visitor’s activity to a third party, that’s a modern “interception,” and the use of commonplace tracking technologies amounts to the use of broadly defined and highly regulated wiretapping technologies like “pen registers” and “trap-and-trace devices.” We’ll get into more detail on how these theories work in a bit.

Healthcare was the opening act. Healthcare organizations using the Meta Pixel were quietly sending patient-portal data to Meta, creating sensitive facts and sympathetic plaintiffs, and sector settlements have since topped $100 million. It’s since spread to retail, fintech, wellness apps, data brokers, and pretty much anyone with a California-facing site.

This isn’t about one law; it’s a playbook, and the three below are the plays.

The Three, Decoded

CIPA (California Invasion of Privacy Act)

Enacted in 1967 to stop phone-tapping, it declares privacy “a personal and fundamental right.” It requires all-party consent, meaning everyone has to agree before communications can be recorded. This is a stronger standard than federal law, which is why plaintiffs love it. Three theories show up in CIPA lawsuits:

  • Wiretapping (a third-party pixel “eavesdrops” in real time; § 631)
  • Session replay (tools recording clicks and keystrokes capture “confidential communications”; § 632)
  • Pen register/trap-and-trace (a tracker logging routing data like IP addresses is cast as a digital version of an old phone-number logger; § 638.51)

Damages run $5,000 per violation under § 637.2 of CIPA—and “per violation” does heavy lifting, since plaintiffs argue every visit counts.

ECPA (Electronic Communications Privacy Act)

CIPA’s 1986 federal cousin, the ECPA, is applicable nationwide. Tacking ECPA onto a wiretap lawsuit allows for the possibility of another $10,000 per violation or $100/day in any federal court, making it very attractive for plaintiffs’ firms.

However, unlike CIPA, it has a one-party standard for consent. Since a website operator is a party and consents to the use of its own tools, you would expect that to be a complete defense against ECPA lawsuits.

The twist is the ECPA’s crime-tort exception: if the interception was “for the purpose of committing any criminal or tortious act,” then it doesn’t matter if one party consented to the interception. In practice, courts have accepted three criminal or tortious acts to permit the inclusion of the ECPA in wiretap litigation:

  1. Common-law invasion of privacy
  2. HIPAA violations in healthcare cases
  3. Inaccuracies in the company's own privacy policy (the most recent strategy to bundle ECPA in wiretap litigation)

The last theory is the one to watch. In August 2025, Smith v. Rack Room Shoes let an ECPA claim proceed against a retailer on the theory that inaccuracies in its own privacy policy could supply the required “tort.” If your policy says one thing and your tags do another, you’ve invited plaintiffs to tack on ECPA claims to their CIPA lawsuit.

CDAFA (Comprehensive Computer Data Access and Fraud Act)

If CIPA and the ECPA weren't enough, plaintiffs are now adding a third statute to the pile: the California Comprehensive Computer Data Access and Fraud Act, or CDAFA. Originally designed to combat computer hacking, the CDAFA prohibits knowingly accessing a computer and taking or using data without authorization.

Plaintiffs argue that when a website embeds third-party tracking scripts, pixels, session replay tools, cookies, and the like, the site owner is "causing" a visitor's device “to be accessed” and taking their data without consent. That's a different legal angle than CIPA and the ECPA, which focus on the interception of communications. The CDAFA focuses on the unauthorized use of data, which means it can survive even when the interception arguments face pushback.

So why are plaintiffs' attorneys tacking it on now? Two practical reasons:

  1. Many CIPA pen register claims are currently frozen—a California appellate court accepted a writ to decide whether that provision of CIPA even applies to the internet, and cases are being stayed while they wait. CDAFA claims aren't being stayed, so they keep the pressure on.
  2. The CDAFA includes an attorneys' fees provision that CIPA doesn't. In class action litigation, the threat of fee-shifting (where the losing party pays the winning party’s legal fees) is real leverage, and plaintiffs' firms know it.

The result is a statute that spent decades in relative obscurity and is now a standard addition to website tracking complaints—one more reason for companies to take a hard look at what's running on their sites.

Beyond the Three

The big three aren’t alone. Plaintiffs run the same playbook under other all-party-consent wiretap statutes. These include Pennsylvania’s WESCA and Florida’s FSCA in particular, but also those of Illinois, Washington, Massachusetts, and Michigan. Damages range from $1,000 to $50,000 per violation depending on the state. Layered on top are the more than twenty comprehensive state privacy laws (CCPA/CPRA and its successors), whose consent rules don’t always line up with the wiretap statutes—so a banner that satisfies one framework may fail another.

The VPPA Deserves Its Own Beat

The Video Privacy Protection Act is another privacy law with a private right of action worth flagging. Congress passed it in 1988 after a newspaper published a Supreme Court nominee’s video-rental history. It bars a “video tape service provider” from disclosing what you watched without consent. Plaintiffs now aim it at any site that embeds video alongside a tracking pixel, arguing the pixel discloses your viewing activity to a third party like Meta.

The hook is different from wiretapping—it’s about disclosure of viewing history, not the “interception” of communications that wiretap laws focus on—and the damages are steep: $2,500 per violation plus fees.

Like wiretap lawsuits, it’s also genuinely unsettled: courts are split on who even counts as a “consumer” under the law. (E.g., is it someone who signed up for a free newsletter? Someone who watched video content without subscribing?) And in January 2026, the Supreme Court took up Salazar v. Paramount Global to decide who is protected by the VPPA and who isn’t.

If you have video anywhere on a content or marketing page, treat VPPA as a first-tier risk, not a footnote.

Website Practices and Technologies That Run Higher Risk (and What Courts Treat More Gently)

Nothing here is a guarantee, because the law is unsettled. But patterns have emerged.

Higher Risk

If you run any of the following technologies or practices on your website (or suspect you may), it’s worth taking a hard look at your consent management practices:

  • Ad pixels (Meta, TikTok) on sensitive or logged-in pages—this is where the big settlements are made.
  • Session-replay and keystroke capture, especially in forms.
  • Live chat and chatbots, since a real-time conversation looks the most like a real-time “interception.”
  • Anything that fires before consent—courts are likely to question whether a banner can cure an interception that has already happened.
  • Privacy policies that don’t match your data flows (as we saw in the Rack Room decision, that mismatch invites ECPA risk).

More Defensible (with Caveats)

Wiretap litigation risk doesn’t mean all website tracking is off-limits. Some practices pose less risk, like the following:

  • Collecting only generic device/browser metadata (Khamooshi v. Politico tossed a pen-register claim for lack of concrete injury).
  • Pen-register theories in California state court, where judges have repeatedly held § 638.51 is a telephone statute that doesn’t reach websites (NetScout, Palo Alto Networks, EquipmentShare). Federal courts in California lean the other way, so where you’re sued matters. The same facts can win in one courtroom and lose in another.

First Steps to Protect Yourself

  1. If you don’t have a consent management platform (CMP), get one. CMPs help you categorize the trackers on your website and block them or permit them to fire based on consumer preferences. Since every jurisdiction has slightly different rules around consent for tracking, homegrown/DIY approaches to consent management are incredibly difficult to build and scale–and that difficulty increases the likelihood of errors that open you up to wiretap litigation.
  2. Map every tag, pixel, and script on your site. Be sure to include subdomains and anything behind a login. With your CMP, classify each tracker and the cookies it sets by purpose (e.g., strictly necessary vs. analytics vs. advertising). Be honest about that "strictly necessary" label: misclassifying an advertising tag as essential is how you end up firing it before consent and straight into a lawsuit.
  3. Gate tags, pixels, and scripts behind real consent. Use a CMP that actually blocks tags until consent is given, not one that just provides a pretty banner with minimal functionality. Honor Global Privacy Control signals and log consent.
  4. Make your privacy policy true. Match it to what your tags actually do. Mismatched privacy policies and data tracking practices grow your exposure to wiretap litigation.
  5. Pressure-test vendors. Read their data-processing terms and verify any “privacy-safe” modes actually limit collection. Be sure to include data processing addenda in your contracts tailored to high-risk jurisdictions like California.
  6. Have a demand-letter plan. Don’t ignore them, and don’t panic-settle. Preserve evidence and loop in counsel with specific experience. It could be that settling is your best path forward, or you might want to take it to court; only your legal counsel can advise you accordingly.
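The consent gating described in steps 2 and 3 above, written out as an added example (this is not Osano’s code or any CMP’s code): tags are registered by purpose, nothing outside “strictly necessary” runs until a matching consent is recorded, a Global Privacy Control signal is honored as an opt-out before any banner choice, and every consent event is logged. In a browser the `gpcSignal` argument would be `navigator.globalPrivacyControl`; here it is a plain argument so the gate also runs outside a browser.

```javascript
// Added example, not from the article or any CMP. A minimal consent gate that holds
// third-party tags until the visitor has consented to that tag's purpose.
const PURPOSES = ["strictly_necessary", "analytics", "advertising"];

function createConsentGate({ gpcSignal = false, now = () => new Date().toISOString() } = {}) {
  // Only strictly necessary tags may run before any choice is recorded.
  const consent = { strictly_necessary: true, analytics: false, advertising: false };
  const pending = []; // registered tags that have not been allowed to run yet
  const fired = [];   // names of tags that have run, in order
  const log = [];     // consent events, kept as evidence of what was honored and when

  if (gpcSignal) {
    // GPC is an opt-out: record it before the visitor touches any banner.
    log.push({ at: now(), source: "gpc", analytics: false, advertising: false });
  }

  function flush() {
    // Run every pending tag whose purpose is now consented; keep the rest queued.
    const ready = pending.filter((t) => consent[t.purpose]);
    for (const tag of ready) {
      pending.splice(pending.indexOf(tag), 1);
      tag.run();
      fired.push(tag.name);
    }
  }

  return {
    // Register a tag under one purpose; it fires now only if that purpose is consented.
    registerTag(name, purpose, run) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      pending.push({ name, purpose, run });
      flush();
    },
    // Record a banner (or other) choice. Anything not explicitly true is treated as "no".
    recordConsent(choices, source = "banner") {
      for (const p of ["analytics", "advertising"]) consent[p] = choices[p] === true;
      log.push({ at: now(), source, analytics: consent.analytics, advertising: consent.advertising });
      flush();
    },
    firedTags: () => [...fired],
    pendingTags: () => pending.map((t) => t.name),
    consentLog: () => log.map((e) => ({ ...e })),
  };
}
```

A tag that has already run cannot be un-run, which is why the gate queues tags rather than firing them and hoping a later banner choice cures it.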

If You’re an Osano Customer

Good news: You’ve already got the tools to reduce wiretap litigation risk–it’s just a matter of configuring them in the right way.

Read through our documentation on reducing wiretap risk specifically with Osano. Following these steps will go a long way toward protecting your organization.

If You Use Another CMP

While every CMP has slightly different capabilities, there are general steps you can take to reduce your risk.

We developed a checklist that you can follow to protect your organization from wiretap litigation. Most CMPs should allow you to follow these steps.
