Why the Federal Wiretap Act Matters for Website Privacy
Many plaintiff attorneys assume that website tracking litigation is a California-only practice area. The California Invasion of Privacy Act (CIPA) dominates the headlines, and for good reason: its per-violation statutory damages, broad applicability to common trackers, and active plaintiff bar have produced a steady stream of filings. But this California-centric focus leaves a significant nationwide opportunity on the table.
The Federal Wiretap Act (18 U.S.C. §2511) provides a parallel cause of action for the same tracking behaviors that violate CIPA—with three critical advantages:
- Geographic reach: The federal statute applies in all 50 states. A plaintiff in Texas, New York, or Florida can bring a Federal Wiretap Act claim against a website deploying session replay tools or tracking pixels, without any connection to California.
- Higher minimum damages: The Federal Wiretap Act provides $10,000 minimum statutory damages per violation under §2520, compared to CIPA's $2,500 minimum under §637.2.
- The crime-tort exception: Under §2511(2)(d), the one-party consent defense is stripped away when the interception is done for the purpose of committing a criminal or tortious act—a provision that transforms state-law wiretapping violations into federal claims.
The opportunity: Deliberize's scanner evaluates Federal Wiretap Act exposure alongside CIPA for every site in the case database. Of the 560+ sites scanned, the majority deploy trackers that create parallel federal liability—extending potential claims beyond California to every jurisdiction in the country.
The Federal Wiretap Act (18 U.S.C. §2510–2522)
The Federal Wiretap Act was originally enacted as Title III of the Omnibus Crime Control and Safe Streets Act of 1968, at a time when Congress was primarily concerned with telephone wiretapping and government surveillance. The statute was substantially updated by the Electronic Communications Privacy Act (ECPA) of 1986, which expanded its scope to cover electronic communications—including data transmissions, email, and internet traffic.
The core prohibition is in §2511(1)(a): it is unlawful for any person to intentionally intercept, endeavor to intercept, or procure another person to intercept any wire, oral, or electronic communication. The statute defines "electronic communication" broadly to include any transfer of signs, signals, writing, images, sounds, data, or intelligence transmitted in whole or in part by wire, radio, electromagnetic, photoelectronic, or photo-optical system. Modern web traffic falls squarely within this definition.
Unlike CIPA, which is a criminal statute with a civil remedy bolted on, the Federal Wiretap Act was designed from the outset with a robust private right of action under §2520. Any person whose electronic communication is intercepted in violation of the statute may bring a civil action against the interceptor. The remedies are substantial:
- Statutory damages: The greater of $100 per day for each day of violation or $10,000—establishing a $10,000 floor regardless of actual harm
- Actual damages: If provable and greater than the statutory minimum
- Punitive damages: Available in appropriate cases for willful or intentional violations
- Attorney's fees: Reasonable attorney's fees and other litigation costs
- Equitable relief: Preliminary and other equitable or declaratory relief as the court deems appropriate
Key Definitions
Three statutory definitions are critical to website tracking claims:
- "Intercept" (§2510(4)): The aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device. Courts have interpreted "acquisition" to include automated, programmatic capture—precisely how tracking scripts operate.
- "Contents" (§2510(8)): Any information concerning the substance, purport, or meaning of a communication. This definition is central to the distinction between content interception (session replay) and metadata collection (tracking pixels).
- "Electronic communication" (§2510(12)): Any transfer of signs, signals, writing, images, sounds, data, or intelligence transmitted by wire, radio, electromagnetic, photoelectronic, or photo-optical system. HTTP requests, form submissions, search queries, and page interactions all qualify.
How It Applies to Website Tracking
The application of the Federal Wiretap Act to website tracking technologies parallels the CIPA analysis but with important differences in how the elements map.
Session Replay: Content Interception
Session replay tools—Hotjar, FullStory, Microsoft Clarity, LogRocket, and others—intercept the contents of electronic communications between the user and the website. When a user types a search query, fills out a form, enters payment information, or navigates through pages, the session replay tool captures the full substance of that interaction: every keystroke, mouse movement, scroll position, and page element rendered in the browser.
This is a textbook interception under §2511. The third-party replay vendor acquires the contents of the user's communication with the website server, using an electronic device (the replay JavaScript), without the user's knowledge or consent. The fact that the interception is automated and programmatic does not remove it from the statute's reach—Congress wrote §2510(4) to cover acquisition "through the use of any electronic, mechanical, or other device," which encompasses software.
Tracking Pixels: Electronic Communication Metadata
Tracking pixels (Meta Pixel, TikTok Pixel, Google Ads, LinkedIn Insight Tag, Snapchat Pixel, Pinterest Tag) transmit data about the user's interaction with the website to a third-party server. The legal question is whether this data constitutes the "contents" of an electronic communication or merely metadata.
The stronger argument for plaintiffs: when a tracking pixel transmits the URL a user visited (which may contain search terms, product names, or other substantive information), along with the user's device fingerprint, IP address, and behavioral data, it is transmitting the substance of the user's browsing communication. A URL like /search?q=bankruptcy+attorney+near+me reveals the content of what the user was communicating to the website—not merely the fact that a communication occurred.
The Party-to-the-Communication Question
The critical legal question in website tracking cases under the Federal Wiretap Act is: who is a "party to the communication"?
When a user visits a website, the primary communication is between the user's browser and the website's server. Third-party tracker vendors—Meta, Google, Hotjar, FullStory—are not parties to that communication. They are third parties who receive data about the communication through scripts injected into the website's code. If the tracker vendor is not a party to the communication, it cannot claim the one-party consent exception under §2511(2)(d).
The website operator might argue it consented to the tracking on the user's behalf, but the website operator cannot consent for the user. One-party consent requires that one of the actual parties to the communication has given consent. The website operator can consent to its own communications being intercepted, but it cannot waive the user's right not to have their side of the communication captured by a third party.
Key distinction: Even in one-party consent jurisdictions, the Federal Wiretap Act's protections apply because the interceptor (the tracker vendor) is typically not a party to the communication between the user and the website. This makes the one-party/two-party consent distinction less relevant than it appears—and the crime-tort exception makes it irrelevant entirely.
The Crime-Tort Exception
The crime-tort exception is the most powerful—and most underutilized—weapon in the website tracking plaintiff's arsenal.
Under 18 U.S.C. §2511(2)(d), one-party consent is a defense to a wiretap claim only if the communication is intercepted by a person who is a party to the communication, or with the prior consent of one of the parties, and the interception is not done for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any state.
This exception creates a devastating syllogism for defendants:
- The website deploys a tracker that intercepts user communications and transmits data to a third party.
- That interception violates a state wiretapping or privacy statute (e.g., CIPA §631, Florida's Security of Communications Act, Illinois Eavesdropping Act).
- Because the interception itself is a criminal or tortious act under state law, the one-party consent defense under §2511(2)(d) is unavailable at the federal level.
- With the consent defense gone, the interception violates the Federal Wiretap Act, triggering $10,000 minimum damages.
In other words, a CIPA violation can bootstrap a Federal Wiretap Act claim. The state-law violation strips the consent defense, and the federal statute provides an independent cause of action with higher damages. This is not double-counting—it is two separate statutes addressing two separate harms, one state and one federal.
The crime-tort exception is particularly potent in the website tracking context because the very act of deploying a tracker that operates without user consent is precisely the kind of "tortious act" the exception was designed to capture. If a session replay tool violates CIPA §631 by intercepting communication contents without consent, that violation simultaneously eliminates the consent defense under the federal statute.
Strategic Implications
The crime-tort exception means that attorneys do not need to choose between CIPA and the Federal Wiretap Act. They should plead both. The CIPA claim establishes the underlying tortious act, and that tortious act in turn strips the federal consent defense. This creates a self-reinforcing litigation structure where each claim strengthens the other.
Damages Comparison: Federal Wiretap Act vs. CIPA
Understanding the damages framework for each statute is essential for case evaluation and settlement leverage. The Federal Wiretap Act provides significantly higher per-violation damages, while CIPA offers broader theory coverage.
| Factor | CIPA | Federal Wiretap Act |
|---|---|---|
| Minimum statutory damages | $2,500 per violation | $10,000 per violation |
| Maximum statutory damages | $5,000 per violation | $10,000 (or actual damages if greater) |
| Punitive damages | Yes (willful violations) | Yes (willful or intentional violations) |
| Attorney's fees | Yes | Yes |
| Geographic scope | California only | All 50 states |
| Statute of limitations | 1 year (some courts allow 3) | 2 years |
| Class action potential | CA visitors to defendant's site | All U.S. visitors to defendant's site |
| Consent defense | Two-party consent (CA law) | One-party consent (but crime-tort strips it) |
The practical impact of these differences is enormous. Consider a website with 500,000 monthly U.S. visitors deploying a session replay tool without consent. Under CIPA alone, the putative class is limited to California visitors—perhaps 15% of traffic, or 75,000 people. At $2,500 per violation, the theoretical exposure is $187.5 million. Adding the Federal Wiretap Act claim expands the class to all 500,000 U.S. visitors at $10,000 each—$5 billion in theoretical exposure. These numbers are not realistic recovery expectations, but they are realistic leverage in settlement negotiations.
Stacking CIPA and Federal Wiretap Act Claims
Attorneys should plead both CIPA and Federal Wiretap Act claims wherever applicable. The two statutes are not duplicative—they address different sovereigns' interests and provide independent remedies. Stacking them provides several strategic advantages:
Expanded Putative Class
A CIPA-only class is limited to California residents or visitors. Adding the federal claim expands the class to all U.S. visitors. This dramatically increases the class size, the total damages exposure, and the settlement value of the case. For a defendant operating a national e-commerce site, the difference between a California-only class and a nationwide class can be an order of magnitude.
Multiple Damages Theories
CIPA damages ($2,500–$5,000) and Federal Wiretap Act damages ($10,000 minimum) are separate and cumulative. A single tracker deployment that violates both statutes exposes the defendant to both damages calculations for the overlapping class members (California visitors) and federal-only damages for non-California visitors.
Federal Court Jurisdiction
The Federal Wiretap Act provides federal question jurisdiction under 28 U.S.C. §1331. Plaintiffs can file in federal court without relying on diversity jurisdiction, and supplemental jurisdiction under §1367 allows the CIPA claims to be heard alongside the federal claims. Some plaintiff firms prefer federal court for website tracking cases due to more favorable discovery procedures and nationwide service of process.
Non-California Defendants
Perhaps most importantly, the Federal Wiretap Act reaches defendants who have no connection to California. A Florida-based retailer whose website deploys Hotjar is not reachable under CIPA unless California visitors can establish standing. But the same retailer is reachable under the Federal Wiretap Act by any U.S. visitor whose communications were intercepted. This dramatically expands the universe of potential defendants.
Practice tip: When evaluating a potential target, always check both the CIPA score and the Federal Wiretap Act analysis in the Deliberize case database. A site that scores moderate under CIPA may present a strong federal claim, particularly if the defendant is based outside California or operates a high-traffic national site.
State Wiretap Act Overlays
Beyond CIPA and the Federal Wiretap Act, many states have their own wiretapping and eavesdropping statutes that can be layered onto website tracking claims. These state statutes are particularly valuable in two-party consent states, where all parties to a communication must consent before it can be intercepted or recorded.
The following states have wiretapping statutes that may apply to website tracking, with damages provisions or private rights of action:
Florida — §934.10
Two-party consent. Civil damages under Security of Communications Act. $1,000 minimum or actual damages per violation.
Illinois — 720 ILCS 5/14
Two-party consent for eavesdropping. Plus BIPA (740 ILCS 14) for biometric data: $1,000–$5,000 per violation.
Maryland — Cts. & Jud. Proc. §10-410
Two-party consent. Civil action for actual damages, punitive damages, and attorney's fees.
Massachusetts — G.L. c. 272 §99
All-party consent. One of the strictest wiretap statutes in the country. Civil remedies under c. 214 §1B.
Pennsylvania — 18 Pa.C.S. §5725
Two-party consent. Civil cause of action with actual damages plus $100/day for each day of violation or $1,000, whichever is greater.
Washington — RCW 9.73.060
Two-party consent. Civil remedies include actual damages plus statutory damages of $100/day per violation.
In two-party consent states, the website operator's consent to tracking does not satisfy the statutory requirement—the user must also consent. This means that the same session replay tool or tracking pixel that creates CIPA and Federal Wiretap Act liability in California also creates state wiretap liability when users in these states visit the website.
For attorneys in non-California jurisdictions, the combination of the Federal Wiretap Act and their own state's wiretap statute provides a complete litigation framework without any reliance on CIPA. Florida plaintiff firms, for example, can bring Federal Wiretap Act claims stacked with Florida §934.10 claims against any website deploying unconsented tracking technologies to Florida visitors.
Identifying Federal Wiretap Violations
Deliberize's scanner evaluates Federal Wiretap Act exposure alongside CIPA for every site in the database. The same 55 tracker signatures that trigger CIPA liability are analyzed through the federal lens, with particular attention to the factors that distinguish strong federal claims from weaker ones.
Strongest Federal Claims
The trackers that create the highest federal exposure are those that intercept the contents of communications—the same distinction that drives §631 wiretapping claims under CIPA:
| Tracker Category | Federal Theory | Strength |
|---|---|---|
| Session Replay (Hotjar, FullStory, Clarity, etc.) | Content interception — §2511(1)(a) | Strongest |
| AI Chatbots (OpenAI widget, Ada, Dialogflow) | Content interception of confidential communications | Strongest |
| Chat Widgets (Intercom, Drift, Zendesk) | Content interception of conversational data | Strong |
| Tracking Pixels (Meta Pixel, TikTok, LinkedIn) | Electronic communication interception | Moderate to Strong |
| Analytics (GA4, Mixpanel, Amplitude) | Metadata collection | Moderate |
What the Scanner Evaluates
For each scanned site, the Federal Wiretap Act analysis examines:
- Content vs. metadata: Whether the intercepted data constitutes the "contents" of a communication (§2510(8)) or merely addressing/metadata information. Content interception triggers stronger claims.
- Third-party transmission: Whether the intercepted data is transmitted to a server controlled by a party other than the website operator. Third-party transmission negates one-party consent arguments.
- Crime-tort applicability: Whether the same tracking behavior violates CIPA or another state wiretap statute, which would strip the one-party consent defense via the crime-tort exception.
- Consent posture: The same four-level consent analysis applies—NO_CONSENT, CONSENT_BYPASSED, CONSENT_INEFFECTIVE, and CONSENT_PRESENT—each with different implications for the federal claim.
The case database displays Federal Wiretap Act exposure as part of each site's comprehensive analysis, alongside CIPA scoring, statutory damages estimates, and consent defense evaluation. Attorneys can filter sites by federal exposure level to identify the strongest nationwide claims.
560+ sites scanned for Federal Wiretap Act exposure
Every site in our database includes federal wiretap analysis alongside CIPA scoring. 55 tracker signatures, nationwide class potential, $10,000 minimum damages per violation.
Browse the Case DatabaseFurther Reading
- CIPA Litigation Guide — Deep dive on Cal. Penal Code §§631, 632, and 638.51 applied to website tracking
- Tracker Detection Guide — How Deliberize identifies and classifies 55 tracker signatures
- Statutory Damages Calculator — Estimate per-violation exposure under CIPA and Federal Wiretap Act
- Consent Defense Analysis — How consent status affects standing and damages
- Sample Report — See a full litigation research memo with Federal Wiretap Act analysis
- Privacy Claim Checker — Check whether a specific website appears in our scan database
Deliberize LLC is a technology company, not a law firm, and does not provide legal advice. All reports and analysis are investigative tools that require independent review by a licensed attorney.