Since 2022, plaintiffs have filed a tsunami of class action lawsuits alleging violations of state and federal wiretap statutes based on the use of tracking technologies such as pixels and session replay tools. Plaintiffs and their counsel, often veterans of the data breach class action wars, see nothing but upside in this novel avenue of attack on often settled e-commerce technologies and market practices. First, the statutes themselves call for statutory damage awards, regardless of injury and often regardless of fault or even causation. Second, drawing on the considerable creativity of the plaintiffs’ class action bar, these new cases have creatively resurrected and repurposed decades-old wiretap statutes that were originally enacted to curtail eavesdropping on telephone lines and various other trap and trace tactics.

These vestiges of the Warren Court era and the resulting outcry over questionable police and law enforcement tactics are today enjoying a “second wind” as instruments of novel and expensive civil litigation directed at technologies and problems that never even existed when the laws were passed. These suits have sparked concern in companies that use tracking technologies on their website to share data with third parties, such as Google, Meta or TikTok. In these lawsuits, plaintiffs typically argue that the federal and state wiretap statutes encompass the improper tracking of a user’s interactions on a website without notice and consent. While the federal and state wiretap statutes originally only applied to telephones and person-to-person messages communicated through the use of wire or cables, with the advent of the internet, these statutes have now been amended to include electronic communications but still fall far short of comprehensive, intelligible and evenhanded regulation of privacy in the e-commerce sphere.

Deepening the problem, courts have varied, sometimes dramatically, on whether wiretap statutes can serve as the proper mechanism by which to hold companies accountable for tracking customer interactions and data without notice and consent. This volatility, particularly at the pleading stage, has impaired the ability of law-abiding companies to get their arms around this subject matter area and discern what the law permits and prohibits in the present day, on pain of high levels of potential exposure to statutory damages.

For example, courts in California have grappled with the scope and meaning of “trap and trace” devices under the state’s wiretap statute.¹ Some courts have focused on the “expansive language” of the “California Legislature’s chosen definition” of such devices to allow claims alleging that website tracking technologies amount to an unlawful “pen register” or a trap and trace device to proceed past the pleading stage.² Other courts have taken a broader approach, denying such claims on public policy grounds.³ The result has been inconsistent rulings on when an organization might be liable for its use of website tracking technologies.

The Rule of Lenity

But all is not lost. A recent decision by the Massachusetts Supreme Judicial Court (SJC) — Vita v. New England Baptist Hosp., No. SJC-13542, 243 N.E.3d 1185 (2024) — could provide hope to courts, companies and their defense counsel looking for a better framework. The Massachusetts SJC, recognizing the ambiguity in wiretap statutes and acknowledging that such statutes have both criminal and civil application, applied the rule of lenity.

The rule of lenity, also known as the rule of strict construction, is a principle typically used in the context of criminal law, stating that when a law is unclear or ambiguous, the court should apply it in the way that is most favorable to the defendant. When a statute has both civil and criminal applications, such as wiretap statutes, courts have held that the rule of lenity may apply.

In Vita, the plaintiff alleged that two hospitals violated the Massachusetts Wiretap Act by collecting and transmitting her browsing activities on the hospitals’ websites. The plaintiff argued that the collection of her interactions with the websites fell within the meaning of the “interception” of “wire communication” protected by the Wiretap Act. The Massachusetts SJC held, “[b]ased on our review of the text of the Wiretap Act and its legislative history, we cannot conclude with any confidence that the Legislature intended ‘communication’ to extend so broadly as to criminalize the interception of web browsing and other such interactions.”⁴ The court held that the statute, including amendments thereto, was meant to “prohibit new and evolving technological means of secret electronic eavesdropping on such person-to-person conversations or messaging.”⁵ The court found that the plaintiff’s allegations did not claim the interception of person-to-person conversations or messaging of the kind clearly within the Wiretap Act’s ambit. As stated by the court, “[b]rowsing and accessing the information published on a website is significantly different from having a conversation or sending a message to another person. . . . The user is also not engaging in a conversation but accessing published information and databases.”⁶ The court also held that Massachusetts case law has never extended the meaning of “communication” beyond person-to-person interactions. After reviewing the text of the statute, legislative history and case law, the Massachusetts SJC concluded that the statute was ambiguous. Since the statute was ambiguous, the court held that the rule of lenity applied (i.e., defendants were entitled to the benefit of any rational doubt). On this basis, the court dismissed Vita’s claims against the hospitals.

While the ruling in Vita is promising, some federal courts, when evaluating claims under CIPA and the Pennsylvania Wiretapping and Electronic Surveillance Control Act, have rejected the reasoning set forth in Vita, instead finding that there are “no ambiguities, let alone grievous ones, in the statutes,” and engaging in a “hyper-technical reading of the statute[s]” is inconsistent with the purpose of the statutes.⁷

What To Expect in 2025

Moving forward, we can expect defendants to use creative defenses to wiretap claims, such as the rule of lenity. We also anticipate a renewed focus on legislative history. For example, the California legislature enacted Assembly Bill (AB) 929 in 2015 to create a comprehensive framework governing the use of pen registers and trap and trace devices.⁸ Before 2015, California had not enacted a specific statute regulating California law enforcement’s use of pen registers and trap and trace devices. Even a cursory review of the AB 929 legislative history makes clear the amended law was intended to address this narrow issue and was never intended to regulate website tracking technology.⁹

Final Thoughts

While some defendants have achieved success in defeating claims for violation of wiretap acts in the web tracking context, there are still cases being regularly brought by plaintiffs. Companies should expect these lawsuits to continue, as more legal principles are being used to prosecute and defend these lawsuits. Companies that would like to continue to use web tracking tools on their websites should provide notice of the use of such technologies and obtain express consent from users.

[1] California Invasion of Privacy Act (CIPA), Cal. Pen. Code § 638.51.

[2] See Greenley v. Kochava: 684 F. Supp. 3d 1024 (S.D. Cal. 2023).

[3] See Licea v. Hickory Farms LLC, No. 23STCV26148, 2024 WL 1698147 (Cal. Super. Mar. 13, 2024).

[4] Vita, 243 N.E.3d at 1188.

[5] Id.

[6] Id. at 1199.

[7] Howard v. Lab’y Corp. of Am., No. 1:23-CV-00758, 2024 WL 4250677, at *8 (M.D.N.C. Aug. 8, 2024), report and recommendation adopted, No. 1:23-CV-758, 2024 WL 4326898 (M.D.N.C. Sept. 27, 2024); James v. Walt Disney Co., 701 F. Supp. 3d 942, 960 (N.D. Cal. 2023), motion to certify appeal denied, No. 23CV02500EMCEMC, 2024 WL 664811 (N.D. Cal. Feb. 16, 2024).

[8] Cal. Penal Code § 638.50-55.

[9] See Pen Registers: Authorized Use: Hearing on AB 929 Before the Assembly Comm. on Priv. and Consumer Protection, 2015-2016 Sess. 5 (Ca. 2015); Pen Registers: Authorized Use: Hearing on AB 929 Before the S. Public Safety Comm., 2015-2016 Sess. 1 (Ca. 2015)