Insight

Civil actions associated with state wiretapping laws are on the rise. These actions include claims under California’s Invasion of Privacy Act of 1967 (“CIPA”) and Florida’s Security of Communications Act (“FSCA”). Under both laws, alleged violations often result from vague statutory definitions.

California CIPA Claims

Plaintiffs’ firms are targeting organizations, even those with minimal or no operations in California, with demand letters alleging that the organization’s website(s) are collecting and tracking users’ personal information without consent. The letters assert that such collection constitutes a violation of CIPA provisions governing pen registers and trap and trace devices.

Under CIPA, “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.”[1] A person injured by a violation of this law can bring an action for $5,000 per violation, or three times actual damages.[2]

CIPA defines a “pen register” as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication. CIPA defines a “trap and trace” device as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.[3]

Most commercial websites use tracking cookies and pixels, which are small text files or embedded images that websites use to track and remember information about your website visit, such as login status, preferences, and browsing activity. They can also track how you use a website and, in some cases, help advertisers collect data about your interests across multiple sites. The demand letters often allege that certain cookies and pixels are forms of pen registers or trap and trace devices that require clear and conspicuous consent before they are utilized.

California passed CIPA in 1967, long before the creation of websites and the use of cookies and pixels. Courts have been inconsistent on whether CIPA applies to website claims. Some courts have dismissed these claims, holding that CIPA’s legislative intent was limited to telephonic communications, not internet websites.[4] Other courts have allowed cases to survive motions to dismiss.[5] This sometimes results in nonpublic settlements.

In response, the California legislature is considering revisions to CIPA. As currently drafted, the revisions include provisions that would remove private rights of action related to pen registers and trap and trace devices and restrict the right to bring such actions to the California Attorney General.[6] As written, parts of this law would apply retroactively to any case pending as of January 1, 2026[7], but it still has several steps to go before the changes become law.

Florida FSCA Claims

Even if California’s legislature successfully addresses the barrage of CIPA claims through the legislative process, organizations still need to be aware of and take action to protect themselves from claims under Florida’s FSCA. Under the FSCA, intercepting wire, oral, or electronic communications is prohibited unless all parties to the communication have given prior consent to such interception.[8]

Like California, Florida is seeing a surge of lawsuits alleging privacy violations based on the use of digital tracking technology on websites. Florida currently ranks second behind California in the number of lawsuits filed alleging privacy claims based on the use of digital tracking technology,[9] and, while no court has ruled definitively on the applicability of website tracking to FSCA claims, some of these cases are surviving motions to dismiss[10].

Under the FSCA, civil penalties include actual damages of $100 a day for each day of violation or $1,000, whichever is higher, along with the potential for punitive damages.[11] In some cases, plaintiffs’ attorneys are filing these actions in small claims court, where Florida has an $8,000 limit (not including costs, interest, and attorneys' fees).[12] This has created a burden on several businesses because, under Florida’s small claims rules, all parties (or their authorized representatives) must attend the pretrial conference. Failure to appear can result in a default judgment.[13]

How Businesses Can Prepare

While California and Florida are leading the way in digital tracking lawsuits, they are not alone. Other states, such as Illinois and Pennsylvania, are also seeing cases filed under state wiretapping laws.[14]

As a result, it is important that any organization operating a website take steps to mitigate the risk of being targeted by these types of demand letters and threatened litigation. Examples of steps organizations can take to mitigate risks under these laws include:

  • Understand What Your Websites Track: Organizations should understand the personal and other information their websites collect. Some information is necessary for the proper functioning of the website, while other information is used to understand who visits the website or may be shared with others. Organizations should consider performing a website audit to determine what is being collected via their website tracking technologies and eliminate unneeded data collections.
  • Be Transparent with Website Users Through a Cookie Policy and Cookie Banner: A cookie banner allows website visitors to decide whether they want their information collected, used, or shared. The cookie banner should include a link to the cookie and/or privacy policy, which explains what information is collected via cookies and other tracking technologies and how that information is used or shared.
  • Do Not Collect Nonessential Information Without Consent: Websites should not collect nonessential information via cookies and other tracking technologies until they have received affirmative consent from the website visitor. A website should not collect nonessential information immediately upon a visitor’s landing on a website.
  • Review the Website Terms of Use: A website’s terms of use contain the agreement between the organization (the “website operator”) and the website visitor. Organizations should regularly review their terms to verify that the terms remain in the organization’s best interests and that changes in the organization do not warrant revisions to the terms. For example, before selecting arbitration, jurisdiction, or venue provisions, the website operator should confirm that the provision serves its best interests.
  • Verify Published Privacy Policies Are Consistent with Other Policies: Organizations should review published privacy policies, cookie policies, and terms of use together to verify that they are consistent with each other. Inconsistencies can occur when one policy is updated but the others are not reviewed and revised in tandem.
  • Audit and Update for Compliance: For most organizations, digital information practices are constantly changing. Organizations can benefit from regularly reviewing and auditing their online policies to be sure they align with current website practices and state and federal regulations.

While these measures are not a guarantee against litigation, there are steps organizations can take to reduce the risk that the organization becomes a target. In addition to mitigating litigation risk, these measures can help organizations build and preserve trust with their customers and website visitors.

If an organization receives a demand letter or court summons, it should promptly consult legal counsel to assess its options and determine an appropriate response.

How We Can Help

If you would like assistance assessing your current practices or strengthening your website compliance posture, please contact any of the following:


[1]Cal. Penal Code § 638.51(a).

[2]§ 637.2(a).

[3]§ 638.50.

[4]Blaker v. NetScout Systems, Inc., No. 25STCV31283 (Cal. Super. Ct. May 27, 2026).

[5]Examples include Castro v. SBE Restaurant Group (Cal. St. Ct., Apr. 16, 2026) and Podraza v. Nourish, Inc., No. 3:2025cv50356, 2026 WL 1978255 (N.D. Ill. Apr. 20, 2026).

[6]Cal. S.B. 690, § 5.

[7] § 6.

[8]Fla. Stat. § 934.03.

[9]JD Supra, “Florida Federal Court Greenlights Nationwide Digital Wiretapping Claims: 5 Steps Businesses Should Take Now” (Jan. 19, 2026), (Available at https://www.jdsupra.com/legalnews/florida-federal-court-greenlights-9012721/).

[10]W.W. v. Orlando Health, Inc., No. 6:24-cv-1068-JSS-RMN (M.D. Fla. 2025), and Cobbs et al. v. PetMed Express, Inc., No. 9:25-cv-80458 (S.D. Fla. Apr. 2025).

[11]Fla. Stat. § 934.10(1)(b).

[12]Florida Small Claims Rule 7.010.

[13]Florida Small Claims Rule 7.090(b).

[14]Illinois Eavesdropping Act (720 ILCS 5/14-2) and Pennsylvania's Wiretapping and Electronic Surveillance Control Act (18 Pa. CS 5701).


YES! PLEASE SIGN ME UP TO RECEIVE EMAIL ALERTS FROM OTHER GUNSTER PRACTICE AREAS.

Gunster. Florida's Law Firm for Leaders.
As a full-service law firm, Gunster provides legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified, and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Coral Gables, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, Vero Beach, and its headquarters in West Palm Beach. With more than 320 attorneys and consultants and 300 committed support staff, Gunster is ranked among the top 200 largest law firms by the National Law Journal and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practices, industries, offices, and news is available at www.gunster.com.

Related Capabilities

Jump to Page

Gunster Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek
gazebo17