Wiretap lawsuits have become very prevalent in the last few years, much to the chagrin of businesses that operate online. By dusting off Cold-War era laws like the California Invasion of Privacy Act (CIPA) and applying them to modern websites, plaintiff’s attorneys have essentially created a new area of privacy law (and have made quite a bit of money doing it).

As courts continue to struggle with how to apply pre-internet laws to the vast information-sharing ecosystem that is 21st century eCommerce, it’s tough to know where the boundaries lie. Technologies such as chat boxes and advertising trackers have long been a target for CIPA litigation, but it’s starting to look like even the use of Google Analytics—one of the most ubiquitous web technologies around—could be a liability risk for businesses.

Wiretap Lawsuits in a Nutshell

Wiretap laws like CIPA prohibit anyone from intercepting the “contents of a communication” while in transit over a wire, line, or cable without the consent of all parties. While the parties themselves cannot be said to have intercepted their own communications, they can be held liable for “aiding and abetting” a third party in doing so.

Here is a common scenario that has been considered “wiretapping” for CIPA purposes: An eCommerce website uses tracking pixels on its website, which share information on visitors’ browsing behavior with ad networks in order to deliver targeted advertising on other sites. The browsing behavior tracked by the pixels can be considered “contents of a communication” that are being intercepted by third-party ad networks. Because the business configured its site to automatically install these pixels on users’ devices, they have aided and abetted the ad network in the interception.

Read more about wiretap lawsuits.

Google Analytics

Plaintiffs are pushing for broader and broader interpretations of what is considered a violation of CIPA and other wiretap laws. A 2024 court case in California decided that even using Google Analytics on a website can open a business up to liability.

In M.G. v. Therapymatch, the defendant was an online platform that helped consumers find mental health professionals who matched their needs. On its site, the defendant used Google Analytics to track and analyze user interactions; the Google Analytics account was also set up to share information with Google in order to improve its products and service. According to the allegations, Google was able to track sensitive data about users, including what information they had entered into online forms regarding their mental health.

The court determined that the information being collected by Google Analytics should be considered “contents of a communication” and that Google was illegally intercepting those communications.

M.G. v. Therapymatch is just a single district court decision, but considering the ubiquity of Google Analytics on commercial websites, businesses should take notice. Plaintiff’s attorneys surely will.

What Can Businesses Do?

The best prevention against CIPA lawsuits is consent. 

There is some debate as to whether privacy policy disclosures may be sufficient for implied consent in some situations, but litigation involving cookies and pixels have become popular with plaintiffs because they are often set automatically on the user’s device when they first access the website. In other words, implied consent is not valid because the “wiretap” takes place before the user has time to make any decision about it.

For this reason, cookie consent banners are becoming more common on U.S. websites. Such banners have long been a fixture of privacy compliance in Europe. While U.S. privacy laws don’t actually require opt-in cookie consent, adding a cookie banner to your site can provide a significant degree of protection against wiretap lawsuits.

Not sure where to start? TrueVault offers a comprehensive compliance solution for privacy laws across the globe, including customizable, easy-to-implement cookie consent banners. 

Talk to our team to learn more.

‍

‍