A website wiretapping lawsuit accuses an ordinary tracker of illegal "interception". A tracker sends a visitor's activity to a third party before consent. A serial plaintiff captures that transmission as evidence. Decades-old wiretap and pen-register laws then reframe it as a private claim worth thousands per visitor.
This article covers the six-step machine from tracker firing to settlement. It includes a real pixel-before-the-banner case, who is actually at risk, and the one fix that stops the trigger.
How Does a Website Wiretapping Lawsuit Work? (The Short Answer)
A website wiretapping lawsuit works as a six-step process. A tracker transmits visitor data to a third party, and a plaintiff captures that transmission as evidence. An old wiretap or pen-register law reframes the transfer as illegal interception. A demand letter arrives, the case moves through a divided court system, and most targets settle to avoid defense costs.
Plaintiffs' firms sue website operators under the California Invasion of Privacy Act (CIPA). Two other statute families drive the same lawsuits: the federal Electronic Communications Privacy Act (ECPA) and state copycat statutes. Common targets include pixels and chat widgets. Session replay tools and analytics tags are targeted too. The specifics of how CIPA's wiretapping sections define interception live in the dedicated CIPA explainer. This is one branch of the wider wave of cookie and pixel litigation that has produced tens of thousands of demand letters since 2022.
The reader who already runs analytics or ad pixels does not need the trigger explained twice. A tracker firing before consent is the actionable moment. Everything downstream, the evidence, the letter, the settlement pressure, flows from that single instant.
Step 1: A Tracker on Your Site Sends Visitor Data to a Third Party Before Consent
Analytics tags, ad pixels, session-replay scripts, chat widgets, and cookies transmit a visitor's activity to an outside vendor the instant the page loads. That activity can include clicks, keystrokes, IP address, or search terms. The transmission happens before any consent banner has recorded a choice, and that pre-consent moment is what plaintiffs' attorneys target.
The most litigated vectors are tracking pixels and session-replay code. The pixel-specific case lifecycle runs through the Meta Pixel case lifecycle. Recording tools face their own session-replay recording claims. Chat widgets and AI chatbots have drawn over 100 lawsuits under the same theory, according to Fox Rothschild's 2026 analysis.
The technologies most commonly named in demand letters include:
- Advertising pixels (Meta, LinkedIn, TikTok)
- Web analytics platforms such as Google Analytics
- Session-replay recording scripts
- Live chat widgets and AI chatbots
- Third-party cookies that fire before a consent choice is recorded
A tracker does not need to be malicious or hidden to trigger a claim. Standard, widely deployed marketing and analytics tools are the ones actually named in these suits.
Step 2: A Serial Plaintiff Captures the Transmission as Evidence
A repeat filer visits your site, triggers the tracker, and screenshots the network request that shows their data leaving for a third-party server. That screenshot becomes the evidentiary core of the demand letter or complaint.
One Reddit thread from a digital marketing agency described the exact mechanic.
A visitor searches for his own name and takes a screenshot of the network request to GA servers that includes his name. He then claims the site is using a sophisticated wiretapping device.
Four of that agency's clients received CIPA demand letters over Google Analytics' site-search feature within a two-month window in late 2025.
This is not one plaintiff working alone. Lawyers describe the pattern as a "shakedown," mass-filing demands against any company running standard tracking pixels. That characterization comes from a 2024 discussion among attorneys on Reddit's r/Lawyertalk. Fox Rothschild's 2026 client alert calls it a "cottage industry," noting that "hardly a week" passes without a business receiving one of these letters.
Step 3: An Old Wiretap or Pen-Register Law Reframes That Transfer as Illegal Interception
The statutes plaintiffs invoke were written for telephone wiretaps decades before websites existed. Plaintiffs' attorneys analogize a tracker to a wiretap or a pen register. The vendor supposedly "intercepts" the visitor's communication with the website. Deep coverage of CIPA's specific sections lives in the CIPA explainer; this section covers only the reframing mechanism.
Three legal theories drive nearly every claim.
The Wiretapping / "Two-Party Consent" Theory
California Penal Code section 631 targets intentional tapping of a communication line, or reading its contents. The statute requires this be done willfully. It also requires the act be done without the consent of all parties to the communication. Plaintiffs argue the website and its vendor together act as the interceptors. The transmission happened without every party's consent. Section-level mechanics live in the CIPA explainer.
The Pen-Register / "Trap and Trace" Theory
California Penal Code section 638.51 bars installing or using a pen register or trap and trace device without a court order. California law defines a pen register broadly.
A pen register is a device or process that records or decodes dialing, routing, addressing, or signaling information.
Plaintiffs recast a tracker that logs a visitor's IP address as a digital pen register. This theory carries the sharpest court split of the three, covered in Step 5.
The Federal Wiretap Act and State Copycats
The federal Electronic Communications Privacy Act (18 U.S.C. section 2510 et seq.) is nationwide. It does not require California residency. Its one-party-consent structure includes a crime-or-tort exception that reopens liability. Pennsylvania's Wiretapping and Electronic Surveillance Control Act, Florida's Security of Communications Act, and similar statutes in Illinois mirror CIPA's structure. This is why a business based entirely outside California can still face exposure.
Step 4: A Demand Letter Arrives (Often by FedEx)
A pre-suit demand letter, frequently sent by FedEx, alleges illegal "spyware" or wiretapping and threatens immediate litigation unless the recipient settles. Some firms send these letters at scale rather than after individualized investigation.
Do not panic-settle and do not reflexively ignore the letter. One Reddit commenter's advice was blunt.
Ignore any frivolous demand letters unless you are actually sued or served.
Privacy counsel at JD Supra recommends the opposite instinct: preserve evidence and consult counsel first. The two views are not actually in conflict. Both agree the wrong move is an immediate, unadvised payment. Both agree the right first step is understanding the letter's actual evidence.
Step 5: The Case Moves Through the Courts, and the Law Is Split
Courts disagree on whether these decades-old statutes reach modern website trackers, and the forum where a case is filed often decides its outcome. The pen-register theory carries the sharpest divide.
In March 2024, a Los Angeles County Superior Court dismissed a pen-register claim in Licea v. Hickory Farms. The court held that an IP address is not equivalent to the device-level "fingerprinting" at issue in the plaintiff-favorable case Greenley v. Kochava. The court's warning was direct.
A broad reading would potentially disrupt a large swath of internet commerce.
Weeks later, a different Los Angeles County Superior Court allowed a nearly identical claim against a hotel website to proceed. That court rejected the idea that merely visiting a site implies consent to a tracker's operation.
A second defense has thinned the wiretapping side of these cases: the "party exception". Section 631 targets a third party who eavesdrops on a communication, so a website that receives its own visitor's data cannot "wiretap" itself. Courts increasingly extend that logic to the tracking vendor. The Ninth Circuit applied it in the Papa John's litigation. The Third Circuit reached the same result where a browser sent data straight to the pixel provider. That made the provider a party rather than an eavesdropper. This reasoning dismisses many section 631 claims at the threshold, before any court weighs whether tracking violated the statute.
Federal courts have also narrowed standing, a separate question from whether the underlying claim is valid. In August 2025, the Ninth Circuit's Popa v. Microsoft held that ordinary click, scroll, and navigation tracking is not embarrassing, invasive, or otherwise private. The court compared it to a store clerk watching which aisles shoppers browse, and it dismissed the case for lack of Article III standing. In May 2026, the Third Circuit's In re BPS Direct, LLC; Cabela's, LLC Wiretapping Litigation drew a sharp line inside a single case. It affirmed dismissal for six plaintiffs who only browsed the site. It revived claims for two plaintiffs whose complete payment card information was allegedly captured by session-replay code during checkout.
Those defenses cut hardest for ordinary browsing and cut least for sensitive-data capture at checkout or on health pages. Holland & Knight and Fisher Phillips both describe the pen-register question as unresolved heading into mid-2026. No California appellate court has squarely ruled on whether section 638.51 reaches website trackers at all.
Step 6: How These Cases Settle, and What They Cost
Statutory damages, not proven harm, drive the settlement leverage. California Penal Code section 637.2 authorizes the greater of $5,000 per violation or three times actual damages. A plaintiff does not need to show any actual harm to bring the claim. The federal Wiretap Act authorizes $10,000 per violation or $100 per day. The Video Privacy Protection Act authorizes $2,500 per violation. Because "per violation" can mean per visitor, exposure scales directly with traffic.
| Statute | Statutory damages | Scope |
|---|---|---|
| CIPA (Cal. Penal Code section 637.2) | $5,000 per violation, or 3x actual damages | California-connected visitors; nationwide defendants |
| Federal Wiretap Act (ECPA) | $10,000 per violation, or $100 per day | Nationwide |
| Video Privacy Protection Act | $2,500 per violation | Nationwide, video-related data |
| State copycat statutes (e.g., Florida FSCA) | From $1,000 per violation | State-specific |
Most small and mid-sized targets settle rather than litigate. One Reddit thread reported demands around $25,000 against a small e-commerce operator. A separate practitioner account described typical settlements in a $10,000 to $20,000 band. One demand-letter recipient summed up the incentive plainly.
Many companies just pay to make it go away.
The high end of exposure runs far past CIPA's floor when sensitive data is involved. The FTC fined GoodRx $1.5 million in 2023 and banned it from sharing health data for advertising. That case involved prescription information shared with ad platforms via tracking pixels. The FTC separately required BetterHelp to pay $7.8 million in consumer refunds. BetterHelp also had to submit to a 20-year compliance program over pixel-based sharing of mental health data.
How a Website Wiretapping Lawsuit Works in Practice: The Pixel-Before-the-Banner Case
A small, family-owned e-commerce store runs a GDPR-compliant opt-in cookie banner. Two ad pixels fire on page load before any visitor makes a consent choice. One of those pixels is tied to an app the company deactivated three years earlier.
A serial plaintiff with roughly 20 other active suits visits the site. Those suits target brands including JC Penney and New Balance. The plaintiff triggers the pixels and screenshots the pre-consent network request. The screenshot shows the cookie banner still visible on screen at the moment the pixels fired. The plaintiff FedExes a demand letter seeking $25,000, citing California's Invasion of Privacy Act.
The store owner described the situation on Reddit in blunt terms.
Even in the screenshots sent in his letter, you can see our cookie consent banner up on his screen. I don't even recognize two of the pixels he is claiming.
A GDPR-compliant banner did not stop the claim. The trigger was the pixels firing before the visitor's choice, not the banner's presence. The orphan pixel compounded the exposure, since nobody on the team knew it was still transmitting data.
That single case demonstrates all six steps. Step 1 is the pre-consent trigger, and Step 2 is the screenshot evidence. Step 3 is the CIPA theory, and Step 4 is the demand letter. Step 5 is the unresolved question of how a court would rule. Step 6 is a $25,000 demand the small business could not easily absorb.
Who Is Actually at Risk? (And Why "I'm Not in California" Rarely Helps)
Any site with a visitor located in California can face a CIPA claim, regardless of where the business itself is based. The federal Wiretap Act plus state copycat statutes extend that exposure nationwide. Geography protects almost no one: a website reachable by a California resident satisfies CIPA's connection requirement, and ECPA has no state-residency requirement at all.
Certain site profiles carry elevated risk. They include:
- E-commerce stores running multiple ad pixels and checkout tracking
- Healthcare or HIPAA-adjacent sites, where the FTC has already brought high-dollar enforcement actions
- Sites using chatbots or AI-driven chat widgets, a category that has drawn over 100 lawsuits
- Sites running session-replay recording tools, especially on pages with financial or personal data entry
- Any site with pixels the current team did not install and does not actively monitor
Fox Rothschild's guidance is direct on this point.
Companies outside of California are in scope, and if you are in a health-related field your risk is even greater.
Why Your Cookie Banner Might Not Protect You
Having a consent banner is not the same as blocking trackers before consent. That gap is where most claims originate. A banner that displays correctly but does not stop trackers from firing first offers no legal protection. The trigger event already happened before the visitor made a choice.
Three failure modes recur across documented cases. They are:
- Trackers fire before the visitor clicks. The pixel-before-the-banner case above shows a plaintiff's screenshot capturing the banner still visible while the tracker had already transmitted data. Consent theater does not stop the transmission.
- Orphan pixels nobody recognizes. A pixel tied to a deactivated app, an old marketing vendor, or a forgotten integration keeps firing long after the team stops thinking about it. One store owner did not recognize two of the pixels named in a demand letter.
- Google Consent Mode alone is not a complete defense. Even with Consent Mode configured, a cookieless ping can still transmit personally identifying information, such as a search term, to Google's servers. One practitioner reported that Consent Mode "wouldn't have prevented the PII getting sent to GA servers via a cookieless ping". Treat this as a documented caution, not a universal rule. It was reported by a single source and depends on specific implementation details.
The consent-obligation question behind these failure modes, whether a documented policy is legally required, is covered in when consent is legally required. The fix for all three failure modes is the same. Block the tracker's execution; do not just display a banner alongside it.
Will SB 690 or Court Rulings Make This Stop?
No relief is currently in force, and none is guaranteed before 2027 even if the pending bill passes. California Senate Bill 690 passed the Assembly Committee on Privacy and Consumer Protection on July 1, 2026. It is not yet law and remains subject to further amendment before any floor vote.
The bill has already narrowed substantially. An earlier draft would have created a broad "commercial business purpose" exemption from CIPA. That exemption was eliminated. The version that passed committee targets only Penal Code section 638.51, the pen-register theory. Enforcement of that provision would shift to the California Attorney General alone. That change removes the private right of action that currently drives demand letters under that theory. As currently drafted, the change would apply retroactively to section 638.51 claims filed within the two years before its effective date. The bill must still clear a full floor vote by both chambers before the legislature's August 31, 2026 deadline. Further amendments addressing the separate wiretapping theory under section 631 remain possible.
Court rulings offer defendants some relief but no closure. Popa v. Microsoft and the BPS Direct decision both narrow standing for browse-only claims. Neither forecloses claims where a plaintiff can point to sensitive data capture, and no California appellate court has squarely resolved the pen-register question. Businesses should not wait for either the legislature or the courts to resolve this. The trigger, a tracker firing before consent, is the only part of the mechanism within a business's direct control.
How to Stop the Machine: Get Consent Before Any Tracker Fires
The actionable moment in every website wiretapping lawsuit is the tracker firing before consent. The fix targets that exact moment, not the downstream legal theory.
To stop the trigger:
- Scan the entire site to find every tracker, including orphan pixels tied to deactivated apps or forgotten vendors.
- Block cookies, scripts, and iframes by default until a visitor makes an active choice.
- Release trackers only after the visitor gives prior, explicit consent, not implied or scroll-based consent.
- Keep a consent log that timestamps each visitor's choice as an audit record.
Each step closes one of the failure modes covered above. Scanning catches orphan pixels, and default blocking closes the pre-consent gap. Explicit consent removes the ambiguity plaintiffs exploit. A consent log gives a business its own evidence if a demand letter arrives.
Understanding the mechanism is the first step toward closing it. Consently scans a site for every tracker, including forgotten ones. It blocks cookies, scripts, and iframes by default until a visitor consents, and keeps a timestamped consent log as your own record. Scan your site and block trackers before they fire to see the mechanism working in reverse, with the pre-consent gap closed instead of exploited.
FAQs
Is website tracking illegal?
No. Tracking itself is legal. The claim in these lawsuits is that transmitting a visitor's data to a third party without prior consent violates decades-old wiretap or eavesdropping laws. Those laws were never written with websites in mind.
What is a website wiretapping demand letter and should I ignore it?
It is a pre-suit letter, often sent by FedEx, alleging illegal interception and demanding a settlement. Do not panic-settle and do not reflexively ignore it. Preserve any evidence referenced in the letter and consult counsel before responding.
How much can a website wiretapping lawsuit cost?
Statutory damages run $5,000 per CIPA violation, or three times actual damages, whichever is greater. The federal Wiretap Act adds $10,000 per violation, and the Video Privacy Protection Act adds $2,500 per violation. Because "per violation" can mean per visitor, exposure scales directly with traffic.
Can a small business outside California really be sued?
Yes. CIPA can reach any operator whose visitor is located in California. The federal Wiretap Act plus state copycat statutes extend exposure nationwide, regardless of where the business is based.
Does a cookie consent banner stop a wiretapping lawsuit?
Not by itself. If trackers fire before the visitor consents, the banner's presence does not prevent a claim. Plaintiffs' screenshots often show the banner still on screen at the moment the tracker transmitted data.
What is the difference between a wiretapping claim and a pen-register claim?
A wiretapping claim targets intercepting the content of a communication under CIPA section 631. A pen-register claim targets capturing routing or identifying data, such as an IP address, under CIPA section 638.51.
Does business insurance cover a website wiretapping lawsuit?
Sometimes. Some operators report a cyber-liability policy responding to these claims, but many general policies exclude privacy or wiretap claims. Check your specific policy and endorsements before assuming coverage.
Which website technologies trigger these lawsuits?
Ad pixels from Meta, LinkedIn, and TikTok, plus analytics platforms like Google Analytics. Session-replay recording tools, chat widgets, AI chatbots, and third-party cookies that transmit data before a visitor consents round out the list.

