If you own a business with a customer-facing website, you are likely already familiar with the wave of litigation surrounding Americans with Disabilities Act (ADA) compliance. But a new type of legal action is on the rise in California courts, and it targets a technology you probably use every day: standard website analytics and marketing software.
Business owners are receiving a new kind of complaint or demand letter—often sent via Federal Express—accusing them of deploying “illegal spyware” or pixel technology that violates the California Invasion of Privacy Act (CIPA).
These letters, frequently from firms like Pacific Trial Attorneys, don’t just allege that the business’s website is eavesdropping on chats; they claim the website is functioning as an illegal “trap and trace” device merely by collecting IP addresses or other data.
Here is what you need to know about this evolving threat and how to defend your business.
The Legal Theory: Websites as “Pen Registers”
For years, plaintiffs’ lawyers filed lawsuits under CIPA Section 631, arguing that website chatbots and session replay tools (like Hotjar or TrustedForm) constituted illegal “wiretapping.” While those cases continue, defense attorneys have had some success seeking dismissal from the courts.
In response, plaintiff firms have pivoted to CIPA Section 638.51. This section prohibits the installation of a “pen register” or “trap and trace device” without a court order or user consent.
- What is a Pen Register? Historically, this was a physical device used by law enforcement to record the phone numbers dialed from a specific telephone line.
- The Modern Argument: Plaintiffs now argue that software installed on your website (such as Google Analytics, Meta Pixel, or TikTok Pixel) functions as a digital “pen register” because it records “dialing, routing, addressing, or signaling information”—including the visitor’s IP address. A tracking pixel is a tiny, often invisible 1×1 image or code snippet embedded in websites used to track user behavior, such as page views, IP addresses, and interactions, for analytics, advertising, and retargeting purposes.
The “Spyware” Allegations
Demand letters currently circulating, such as those from Pacific Trial Attorneys, use alarming language. They often accuse businesses of:
- Secretly deploying “spyware” that identifies anonymous visitors.
- Installing a “trap and trace” device to harvest data.
- Violating a visitor’s privacy simply by recognizing their device.
These letters frequently cite the recent case Shab v. Fandom, Inc. (N.D. Cal. Oct. 21, 2024), where a federal court allowed a class action to proceed, ruling that plaintiffs had plausibly alleged that third-party trackers counted as unauthorized pen registers. Another key case driving this trend is Greenley v. Kochava, which established that software “fingerprinting” users could be considered a process subject to CIPA restrictions.
Who Is Filing These Lawsuits?
While many firms operate in this space, a few have been particularly active in filing “trap and trace” and digital privacy complaints:
- Pacific Trial Attorneys (Scott J. Ferrell): Known for sending “courtesy” demand letters via FedEx that threaten immediate litigation if a settlement isn’t reached.
- Tauler Smith LLP: A firm frequently associated with CIPA claims regarding data collection and website privacy.
- Swigart Law Group: Another filer in the digital privacy space with a history of targeting businesses for the use of standard tracking technologies.
How to Defend Your Business
If you receive a demand letter or are served with a lawsuit, do not ignore it. These are not “spam”; they are serious legal threats with statutory damages of $5,000 per violation. Statutory damages multiply quickly on a website with many potential violations.
However, these cases are defensible. Here are steps to take immediately:
- Audit Your Website’s “Tags”: Work with your IT team to inventory every third-party pixel or script running on your site (e.g., Meta, TikTok, Google, Drift). If you are using “de-anonymization” software (tools that match IP addresses to real names/emails), you are at higher risk.
- Review Your Consent Flow: The “trap and trace” statute has a key exception: it does not apply if the user consents. The most robust defense is a “clickwrap” agreement—a pop-up banner that requires a user to physically click “I Agree” to your privacy policy before the site loads any tracking scripts. Passive “browsewrap” links (links at the bottom of the page) are not as strong at protecting against these types of claims.
- Update Your Privacy Policy: Ensure your policy explicitly discloses the collection of IP addresses and the use of third-party tracking technologies.
- Consult Legal Counsel: These legal theories are new and unsettled. Arguments that worked six months ago may not work today. Seek legal counsel who understands the specific nuances of the latest case law and CIPA defense strategies.
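To illustrate the tag audit and consent-flow review steps above, the following added example (not code from the original article) statically inventories third-party scripts, images and iframes in a page's HTML and flags 1×1 pixels and tags that would load before any consent click. The host names, the sample HTML and the `data-consent` attribute are constructed assumptions; marking a script `type="text/plain"` is a common consent-manager pattern for keeping it inert until consent is given.

```javascript
// Added example. FIRST_PARTY, SAMPLE_HTML and data-consent are constructed.
const FIRST_PARTY = "shop.example";
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script async src="https://analytics.vendor-a.example/tag.js?id=X1"></script>
<script type="text/plain" data-consent="marketing"
        src="https://pixel.vendor-b.example/events.js"></script>
<img src="https://cdn.shop.example/logo.png" width="120" height="40">
<img height="1" width="1" src="https://pixel.vendor-b.example/tr?ev=PageView">
<iframe src="//chat.vendor-c.example/widget"></iframe>`;

// Read one attribute (quoted or unquoted) from a raw opening tag.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// A host is first-party if it is the site itself or one of its subdomains.
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Return one finding per third-party <script>, <img> or <iframe> with a src.
function auditTags(html, firstParty) {
  const findings = [];
  for (const [tag, rawKind] of html.matchAll(/<(script|img|iframe)\b[^>]*>/gi)) {
    const kind = rawKind.toLowerCase();
    const src = attr(tag, "src");
    if (!src) continue;
    let host;
    try {
      // Resolves relative and protocol-relative URLs against the site origin.
      host = new URL(src, `https://${firstParty}/`).hostname;
    } catch {
      continue; // unparsable src: skip rather than guess
    }
    if (!isThirdParty(host, firstParty)) continue;
    const type = (attr(tag, "type") || "").toLowerCase();
    findings.push({
      kind,
      host,
      // The 1x1 image form of a tracking pixel described above.
      pixel: kind === "img" && attr(tag, "width") === "1" && attr(tag, "height") === "1",
      // Browsers do not execute a script whose type is text/plain.
      loadsBeforeConsent: !(kind === "script" && type === "text/plain"),
    });
  }
  return findings;
}

console.table(auditTags(SAMPLE_HTML, FIRST_PARTY));
```

A static pass like this only sees tags present in the delivered HTML; tags injected at runtime by a tag manager have to be confirmed in the browser's network panel before and after the consent click.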
For more information or help with ADA compliance, contact Stuart Tubis, Esq. at skt@jmbm.com or 415-984-9622.
ADA Compliance and Defense Blog

