“State Wiretapping Laws Create Website Privacy Risks for Businesses Nationwide,” 7-1-2026
Businesses increasingly rely on website technologies to improve the online customer experience, including live chat features, analytics tools, cookies, and other tracking technologies. These same technologies, however, have become the target of a growing wave of lawsuits under state wiretapping and privacy statutes, particularly Florida’s Security of Communications Act (FSCA) and California’s Invasion of Privacy Act (CIPA).
Although these statutes predate the internet, they are increasingly being invoked in lawsuits challenging the use of these and other online technologies.
Because many businesses operate websites accessible nationwide, the potential impact of these statutes reaches far beyond their home states. Businesses located outside Florida and California may also face claims under these laws when residents of those states visit or interact with their public-facing websites.
Florida’s Security of Communications Act
The Florida Security of Communications Act (FSCA), Fla. Stat. § 934.03, is Florida’s wiretapping statute. Originally enacted to prohibit the unauthorized interception of telephone and other electronic communications, the law generally makes it unlawful to intentionally intercept, disclose, or use the contents of a wire, oral, or electronic communication without the consent of all parties to the communication. Florida is commonly referred to as an all-party consent state because, subject to certain exceptions, all parties to a communication generally must consent before it is intercepted or recorded.
Plaintiffs have increasingly argued that certain website technologies—including live chat features, chatbots, session replay tools, and some third-party tracking or analytics tools—may raise issues under the statute when they capture or transmit the contents of communications between website visitors and businesses without adequate notice or consent. Courts have reached differing conclusions based on the specific technology involved and the facts of each case. While some courts have dismissed these claims, others have allowed them to proceed beyond the pleading stage.
The result has been a significant increase in lawsuits against businesses operating consumer-facing websites. In recent months, Florida has seen a wave of lawsuits alleging that certain website chat features and AI-powered chatbots violate the FSCA by recording or transmitting customer communications without first obtaining the required consent. Many of these cases target common website technologies used by businesses across a wide range of industries, underscoring the growing litigation risk associated with online customer interactions.
California’s Invasion of Privacy Act
California has experienced a similar trend under the California Invasion of Privacy Act (CIPA). Two provisions are frequently invoked in website privacy litigation:
- Penal Code § 631, California’s wiretapping provision, generally prohibits unauthorized interception or reading of communications while they are in transit. Plaintiffs have argued that certain third-party website technologies unlawfully intercept communications between website users and businesses.
- Penal Code § 632 generally prohibits recording or eavesdropping on confidential communications without the consent of all parties. Although originally enacted before widespread internet communications, plaintiffs have sought to apply the statute to certain online chat and website communication technologies.
Many recent CIPA lawsuits similarly challenge the use of website technologies that collect, record, or transmit user communications or other website activity. Whether these technologies violate the law depends on the specific facts, including how the technology functions and whether users received appropriate notice or provided consent.
Nevertheless, CIPA has become one of the country’s most active sources of website privacy litigation.
Why Businesses Nationwide Should Pay Attention
The recent wave of website privacy litigation demonstrates that businesses do not need to be headquartered in Florida or California to be affected by these laws. Companies with publicly accessible websites should evaluate whether their online technologies, privacy disclosures, and consent practices appropriately address the risks posed by these evolving legal claims.
Businesses should consider reviewing:
- Live chat and chatbot platforms.
- Session replay and visitor-recording technologies.
- Third-party tracking and analytics tools.
- Advertising pixels.
- Cookie consent mechanisms.
- Website privacy notices and disclosures.
- Whether appropriate notice and consent mechanisms are in place before communications or user interactions are collected, recorded, transmitted, or shared with third-party technology providers, where applicable.
Key Takeaway
The recent surge in website privacy litigation illustrates how decades-old wiretapping statutes are being applied to modern website technologies. Although courts continue to evaluate these claims on a case-by-case basis, businesses should not assume that operating outside Florida or California eliminates potential exposure. Organizations with consumer-facing websites should review their website technologies, vendor relationships, and consent practices to help reduce litigation risk while supporting broader privacy compliance efforts.
Author:
Shera Anderson
Of Counsel
Richard J. Perr
Co-Managing Partner of Philadelphia Office,
Co-Chair of Financial Services & Institutions Practice Group
Monica M. Littman
Partner
Graeme Hogan
Partner
Dominic Borelli
Attorney
Kristen Ruotolo
Attorney
Samuel Sjosten
Attorney

