What Happened
A rapidly expanding wave of class action litigation is targeting website operators over routine tracking technologies like Google Analytics, Meta pixels, and session-replay tools, with plaintiffs alleging these constitute illegal "eavesdropping" under state and federal wiretapping laws.[1][2] Nearly 4,000 digital wiretapping lawsuits have been filed since mid-2022, with cases surging from hundreds annually to over 2,000 in recent years.[3][4] Statutory damages can reach $5,000 per website visitor, creating massive liability exposure even for small businesses and B2B companies.[2]
Who's Involved
Plaintiffs' attorneys are bringing claims under the Federal Wiretap Act and state statutes like California's Invasion of Privacy Act (CIPA), targeting website operators across nearly every industry—from healthcare (evidenced by a recent case against Blue Cross Blue Shield of Michigan) to consumer-facing businesses nationwide.[1][3] Technology vendors named in complaints include Google, Meta, Microsoft, LinkedIn, and TikTok as recipients of transmitted user data.[2] Small and medium-sized businesses (SMBs) are disproportionately exposed, as roughly 18% operate tracking technologies without visible user consent.[4]
Basic Context
These wiretapping statutes were originally designed to prevent unauthorized phone interception and industrial espionage but are now being reinterpreted to cover automatic data sharing with third-party vendors.[2] The litigation surge accelerated as plaintiffs refined theories and expanded geographically beyond California into Florida, Pennsylvania, Massachusetts, and Michigan.[3] Many claims are strategically weak but designed to force settlements through litigation threats, creating what legal experts describe as a "cottage industry" of demands.[2]
Why It's Newsworthy
Businesses face compounding compliance risks as wiretapping laws intersect with 20 state privacy laws enacted as of early 2026, each with misaligned consent standards.[1] The combination of scalable liability, hidden risks, and insurance challenges represents a fundamental shift in privacy litigation from data breaches to routine business practices—creating urgent pressure on organizations to reassess standard website infrastructure.[1][4]