Session replay lawsuits are privacy class actions and demand letters. They accuse a website's session-recording software of illegal wiretapping when it captures clicks, keystrokes, and mouse movements without a visitor's prior consent. Most claims rely on California's CIPA. This is about the legal risk, not the cryptographic "replay attack" in security.
Below: what the software actually records, why it gets sued, and what courts have ruled through 2026. Then what a claim costs, and how to block the risk before it fires.
What Is Session Replay Software (and What Does It Record)?
Session replay software records and plays back a website visitor's on-page behavior so a team can watch exactly what that visitor saw and did. It captures mouse movements, clicks, scrolls, keystrokes, and page navigation, then reconstructs them as a video-like replay.
Teams use it for UX research, bug diagnosis, and conversion optimization. Common tools include FullStory, Hotjar, Microsoft Clarity, LogRocket, Mouseflow, Quantum Metric, and Contentsquare.
That same recording capability is what creates the legal exposure. A tool built to capture "everything a visitor did" is, from a plaintiff's lawyer's perspective, a tool that intercepts a private communication. The more detailed the capture, the more it resembles wiretapping in a courtroom.
Why Are Session Replay Tools Getting Sued?
Session replay tools get sued because plaintiffs reframe the recording as an illegal wiretap. The software intercepts the "contents" of a visitor's interaction with the site and routes that data to a third-party vendor without prior consent. Decades-old wiretap and eavesdropping statutes, never written for websites, now get applied to this exact data flow.
The theory has three moving parts. First, the visitor's clicks and keystrokes count as the "contents" of a communication with the site, not just metadata. Second, the session-replay vendor is a third party who receives that content. Third, no visitor consented to that vendor capturing the interaction before it happened.
Courts increasingly accept the first two parts. The mouse-movement and keystroke data a replay tool captures functions differently from a simple visit log, and California's Ninth Circuit has said as much. The consent question is where most cases now turn. A website that gets real, prior, opt-in consent removes the "without authorization" element the statutes require.
This is one front in a broader wave of website tracking lawsuits over pixels, cookies, and trackers. Those trackers often fire before a visitor has a chance to consent.
Which Laws Are Used to Sue Over Session Replay?
Four legal tracks drive session-replay litigation, each with a different jurisdiction and damages structure. California's CIPA is the dominant statute, but federal and state wiretap laws add exposure outside California.
| Law | Jurisdiction | Core theory | Consent standard |
|---|---|---|---|
| CIPA (California Invasion of Privacy Act) | California visitors, but reaches any business with California traffic | Wiretapping (Section 631), eavesdropping (Section 632), pen register/trap-and-trace (Section 638.51) | All-party consent required before capture |
| Federal Wiretap Act (ECPA) | Nationwide | Interception of electronic communications | Varies; recent suits argue no consent was given before capture |
| State wiretap acts (Pennsylvania's WESCA, plus Florida and Illinois statutes) | State-specific, but some reach out-of-state defendants with in-state visitors | Recording a communication without all-party consent | All-party consent in two-party-consent states |
| VPPA (Video Privacy Protection Act) | Nationwide, when video-viewing data is involved | Sharing a consumer's video-viewing history with a third party | Not consent-based; targets data sharing itself |
The California Invasion of Privacy Act (CIPA)
California accounts for 83% of the 1,853 website wiretapping and pen-register cases filed nationally between February 2022 and March 2025. That concentration is why CIPA is the dominant statute here. Plaintiffs bring session-replay claims under Section 631(a)'s wiretap theory and Section 638.51's pen-register theory. They argue the software functions as a device that captures routing and interaction data without consent or a court order. For the section-by-section mechanics, see what is CIPA.
Federal and State Wiretapping Laws
The federal Wiretap Act, part of the Electronic Communications Privacy Act, underpins a 2026 class action against JetBlue. That suit names FullStory directly, alleging the airline routed browsing data through the vendor without consent. The Act sets statutory damages under 18 U.S.C. Section 2520 at the greater of $100 per day or $10,000.
Several states layer their own two-party-consent wiretap statutes on top of federal law. Pennsylvania's WESCA is the most active example, carrying liquidated damages of $1,000 or $100 per day, whichever is higher, plus actual and punitive damages. Florida and Illinois are two other frequent filing grounds, since both are two-party-consent states with their own wiretap statutes. For the full state-by-state picture, see website wiretapping lawsuits.
Are Session Replay Tools Legal? What the Courts Actually Say
Session replay software is not illegal to use. It becomes a legal risk specifically when it records a visitor without prior consent, and courts are genuinely split on how far that risk extends.
Two rulings define the current split. In Mikulsky v. Bloomingdale's, the Ninth Circuit ruled on June 20, 2025 that session-replay recordings can meet the definition of "contents" under CIPA Section 631(a). That revived a dismissed claim and widened the theory's reach.
In Popa v. Microsoft, the Ninth Circuit went the other way on August 26, 2025. It dismissed a Pennsylvania WESCA claim because the plaintiff showed no concrete injury, comparing routine interaction tracking to a store clerk observing shoppers.
The newest data point cuts a middle path. It comes from In re BPS Direct, the Cabela's wiretapping litigation. The Third Circuit ruled on May 11, 2026 that standing to sue depends on what the software actually captured. Of eight named plaintiffs, only two made a purchase and therefore submitted credit card data. Those two had standing to proceed; the other six, who entered no sensitive data, were dismissed.
That split changes the real question. It is no longer whether session replay is legal, but what it captured and whether the visitor consented first. Courts have increasingly sided with defendants where the site disclosed the recording clearly and secured prior consent through a policy and a real banner. Some defense firms report they are gaining ground in these suits. Plaintiffs still keep filing wherever sensitive data moved through the recording without consent.
Real Session Replay Lawsuits: The Cases Driving the Trend
Real 2025 and 2026 rulings show the theory succeeding and failing on nearly identical facts. The outcome usually turns on what data the software captured and whether the court required proof of concrete harm.
| Case | Court and date | What was alleged | Outcome |
|---|---|---|---|
| Mikulsky v. Bloomingdale's | Ninth Circuit, June 20, 2025 | Session-replay software recorded and transmitted mouse movements, keystrokes, and page views to a third-party vendor without consent | Revived; recordings can meet CIPA's "contents" definition |
| Jones v. Bloomingdales.com | Eighth Circuit, dismissed February 2025 | Similar session-replay wiretap theory | Tossed at the federal appellate level |
| Popa v. Microsoft | Ninth Circuit, August 26, 2025 | Pennsylvania WESCA claim over session tracking | Dismissed; no concrete injury, no standing |
| In re BPS Direct (Cabela's) | Third Circuit, May 11, 2026 | Session replay captured purchase and browsing data across 8 plaintiffs | Split: 2 plaintiffs with credit card data proceed; 6 without sensitive data dismissed |
| JetBlue federal wiretap suit | E.D.N.Y., filed April 22, 2026 | FullStory-captured browsing data routed to a pricing vendor without consent | Pending as of this writing |
Two patterns run through these rulings. First, courts increasingly require a concrete, sensitive-data injury, not just a statutory technicality, before a claim survives a motion to dismiss. Second, federal appellate courts have gone opposite directions within months of each other on comparable facts. That is exactly why this remains an active, unsettled risk, not a closed question either way.
How Much Can a Session Replay Lawsuit Cost?
A session-replay lawsuit's cost comes from statutory damages multiplied across a visitor class. It also comes from the settlement pressure a demand letter applies before any suit is filed. The exposure varies by statute.
CIPA's civil damages provision, Section 637.2, sets the benchmark: $5,000 per violation, or three times actual damages, whichever is greater. No proof of financial harm is required. Pennsylvania's WESCA sets a separate, lower floor: liquidated damages of $1,000 or $100 per day, whichever is higher, plus actual and punitive damages. These figures come from different statutes and should never be blended into one number.
The federal Wiretap Act adds its own figure: statutory damages of $100 per day or $10,000, whichever is greater. These are three distinct statutory schemes, not one combined penalty, and each applies only where its own jurisdiction and elements are met.
The multiplier is what makes this expensive. At $5,000 per violation, a class of a few thousand California visitors implies exposure in the tens of millions on paper. That is exactly the leverage a demand letter is designed to use. Most small businesses never reach a class action. Instead, they receive a demand letter citing this exposure and offering to settle for a smaller, fixed amount before litigation starts. In practice, defense firms report those pre-suit demands often land between $15,000 and $50,000, priced just below the cost of mounting a defense.
Who Is Actually at Risk? (And Why "I'm Not in California" Is No Defense)
Any site running session-replay software without prior consent carries risk. That risk rises sharply if the software captures sensitive data, or the site has California visitors, regardless of where the business itself is located.
CIPA reaches any business whose website is used by California residents, even an out-of-state or international company with no California office. The Third Circuit's 2026 BPS Direct ruling sharpens this further. The plaintiffs who had standing were the ones who submitted credit card data, not the ones who only browsed.
| Higher risk if | Lower risk if |
|---|---|
| Session replay runs before the visitor consents | Script is blocked until the visitor accepts |
| The tool captures payment, health, or financial fields unmasked | Sensitive fields are masked or excluded from capture |
| The site has meaningful California or Pennsylvania traffic | Visitors are outside all-party-consent jurisdictions |
| No consent record exists to show what was agreed to | A logged, timestamped consent record exists |
A small business running low-sensitivity, consented recording is genuinely lower risk than the headlines suggest. The exposure concentrates where sensitive data moves without a consent record to point to. Many session-replay complaints also name the tracking pixel; the Meta Pixel lawsuit wave overlaps heavily with this same fact pattern.
How Do You Reduce Your Session Replay Lawsuit Risk?
The single highest-impact fix is blocking the session-replay script from loading until the visitor gives prior, opt-in consent. A passive banner that still lets the script fire first does not remove the legal exposure.
To reduce session-replay lawsuit risk:
- Get prior, opt-in consent and block the script until the visitor accepts, rather than letting the tool load first and reacting to a rejection afterward.
- Disclose the specific tool and vendor by name in your cookie and privacy policy, not a generic "we use analytics" line.
- Mask or redact sensitive fields, including passwords, card numbers, Social Security numbers, and health data. Masking takes real implementation effort and is a partial defense, not a complete one.
- Honor opt-outs and all-party-consent-state rules for any visitor in a jurisdiction that requires them.
- Keep a timestamped consent record for every visitor, so you can show exactly what was agreed to and when if a demand letter arrives.
Blocking is what actually closes the gap. Operators running consent banners report that a large share of visitors, by some accounts 50 to 65%, reject tracking when offered a real choice. A tool that only reacts to rejection after the fact has already captured data it should not have.
Disclose the tool in your policy; if you are unsure whether you need one at all, see do I need a cookie policy. The fix is to block cookies before consent, so the script cannot load until the visitor accepts.
How Consently Blocks Session Replay Scripts Until Visitors Consent
Consently scans for session-replay and analytics scripts and blocks them from loading until a visitor gives explicit, prior consent. That closes the exact gap most session-replay lawsuits target.
Consently is a consent management platform that gates every non-essential tracker, including session-replay tools, behind a visitor's affirmative choice. Its script and cookie auto-blocking stop the replay tool from firing before that choice is made. Its iframe blocking closes the same gap for embedded recording widgets.
The customizable consent banner shows a real accept, reject, and preferences choice, not a passive notice. Every choice is stored in an exportable consent log, the timestamped record that a demand letter or plaintiff's counsel tests first. Consently also supports region-based consent, so GDPR-region visitors see an opt-in flow and US-state visitors see the matching opt-out template.
Try Consently Free and see exactly which scripts on your site are firing before consent, no credit card required.
FAQs
Is session replay legal?
Yes, session replay itself is legal. It becomes a legal risk when it records visitors without prior consent, which plaintiffs frame as illegal wiretapping under laws like CIPA. Courts remain split on how far the theory reaches.
Can a small business really be sued over session replay?
Yes, in principle. Demand letters target website operators largely at random, regardless of size. Risk is far lower with prior consent, no unmasked sensitive-data capture, and clear disclosure of the tool.
Does a cookie consent banner protect me from a session replay lawsuit?
Only if the banner actually blocks the replay script until the visitor consents. A passive banner that displays alongside a script that is already recording does not remove the exposure.
Which session replay tools have been sued?
Lawsuits name the website operator, not the tool vendor, as the defendant. Complaints have identified FullStory (the JetBlue suit) and session-replay software running on retail sites, including Bloomingdale's and the BPS Direct/Cabela's litigation.
What is a session replay wiretapping demand letter?
A pre-litigation letter, often called a strike demand. It alleges your site's recording violated a wiretap statute and pressures a fast settlement before any suit is filed. Defense firms describe this as a cottage industry built around per-violation statutory damages.
Do I need consent to use Hotjar, FullStory, or Microsoft Clarity?
In GDPR regions and in all-party-consent US states, yes: get prior consent and block the tool until the visitor accepts. Masking sensitive fields is an added safeguard, not a substitute for consent.
Is session replay a GDPR problem too?
Yes. Under GDPR and ePrivacy rules, session replay generally needs prior consent and a lawful basis. It can be GDPR compliant only with masking of personal data, and masking takes real implementation effort; it is not automatic.
What should I do if I get a session replay lawsuit demand letter?
Do not ignore it. Preserve your records and consult privacy counsel. Audit whether your session-replay tool ran before a visitor consented, then fix the consent and blocking setup going forward. This is general information, not legal advice.

