Back in the day, "wiretapping" conjured images of shadowy figures with headphones listening in on private calls. Fast forward to the digital age, and suddenly, this vintage surveillance nightmare has made a comeback—only now it’s your website traffic in the crosshairs.
In the “olden days,” companies prioritized activities like focus groups, trade shows, and tv/print advertising to sell products. Those days are behind us. The explosion of digital mediums for content consumption, and the nature of our digital lives, have given every brand two things:Â
Today, most brands prioritize data-driven, digital-first growth strategies to answer important questions about their consumers:Â
To collect this data, brands need to deploy technology—digital “trackers”—that monitor consumer behavior on its digital properties. These trackers include:Â
Fifteen years ago, websites ran with around 10 tags or trackers, a manageable count by most standards. Today, the average site has nearly 50 trackers ballooning into a complex ecosystem of third-party monitoring.
This explosion of tracking tags has led to thorny problems. Brands often struggle to keep tabs on tracker lifecycle: what’s no longer being used, what’s critical, what’s changed. Not to mention the reality known as “cookie piggybacking”—the common practice of third-party vendors ushering in more trackers via the tag placed on your website.Â
In summary: brands must engage in this digital data collection to be competitive, but it’s not easy to manage. And that’s what the sharks are counting on—cue the “slip and fall” lawyers.Â
At Ketch, we’re seeing a major trending paint point in our conversations with brands: they are receiving threatening letters from plaintiffs lawyers claiming violation of wiretapping laws and asking for settlement.
Why? Lawyers are claiming that when a person navigates a website, it’s akin to having a conversation with that brand. And when pixels or tags fire during this exchange, it’s as if a third party (that pixel, tag, or tracker) is secretly “listening in” and capturing data without the user’s explicit consent. Originally drafted to safeguard private phone conversations from unauthorized eavesdropping, these 1960s/70s-era wiretapping laws are now being reinterpreted to encompass modern digital interactions.Â
A couple examples of the old laws being repurposed by class action lawyers today:Â
While Massachusetts recently dismissed such wiretapping arguments, California remains fertile ground for these claims. Lawyers often seek settlements through arbitration, creating major work cycles for brands. When a brand settles one case, that doesn’t stop more from coming.Â
Adding to the complexity, U.S. state attorneys general are closely observing these developments. Over half filed an amicus brief, signaling their interest in seeing how the higher courts judge this use of old laws for new tech. For brands, this is a major ongoing headache and risk to digital data collection; for regulators, this is another tool in the enforcement toolbox.
Facing these modern interpretations of legacy wiretapping laws, brands are struggling to come up with a comprehensive approach to defend against claims. Perhaps the biggest challenge is reconciling a solution with these claims, with the other privacy requirements at hand:
‍
‍
One possible tactic is the use of GDPR-style opt-in banners, not required under current U.S. law. California, for instance, only mandates that websites offer an opt-out option. So why go the extra mile? For some brands, the idea of opt-ins seems like a strong defense, reinforcing consumer trust and minimizing the risk of legal challenges. However, this strategy has pitfalls. Here’s why a blanket approach may not be the best fit:
Brands also invite more risk if the information conveyed in the banner is limited to one type of technology (like cookies—ah, the infamously incomplete cookie banner) or is inconsistent with the brand’s practices or statements in its privacy policy. Most digital advertising strategies involve other types of data sharing including persistent IDs and sharing through APIs. A cookie banner notice alone can misrepresent what the brand is doing and what the choice represents, leading to greater pitfalls.
Brands need a balanced strategy that tackles compliance head-on while maintaining business viability. To safeguard against wiretapping lawsuits and build trust, here’s what companies should focus on:
Inform users clearly about tracking practices. For example, a notice might read:
“We and our vendors use technology that collects data about your use of our site so we can improve and personalize our products and services, for analytics and marketing, and to fulfill your requests. We may also share this information with marketing vendors, social media companies, and analytics partners. < Privacy Policy <link>, “Your Privacy Choices” <link>. By using our website, you acknowledge and agree to our Terms of Use <link>”
‍While this won’t satisfy every legal scenario, it establishes a baseline of user awareness that’s crucial for risk mitigation.
A notice or consent banner is only as good as its enforcement. Brands must ensure that backend systems align with opt-out requests to avoid accusations of deceptive conduct or non-compliance. The consumer’s choices must be upheld consistently and reliably.
If you’ve promised not to track someone, you need to be able to prove that no tags or cookies outside of the “strictly necessary” category are activated. The right tools and best practices can help you uphold this promise. From a tech perspective, this looks like:Â
For more on this topic, check out our guide to website tag and cookie management.Â
One of the less talked-about hurdles is internal chaos—figuring out who within the organization is responsible for updating site tags and privacy controls. A disjointed approach increases the risk of inconsistencies that could spark legal trouble. Brands need a clear ownership structure to keep updates aligned with privacy policies.
Brands should brace themselves for ongoing legal challenges. Satisfying one lawsuit or regulatory inquiry doesn’t grant immunity from future scrutiny. The road to compliance is continuous, demanding vigilance, strategic innovation, and an agile response to legislative shifts.Â
While wiretapping laws may feel like a relic from a bygone era, their modern-day interpretation serves as a stark reminder: data privacy regulations are constantly evolving. Brands that approach these challenges proactively—not just reacting to today’s lawsuits but anticipating tomorrow’s standards—will be best positioned to navigate the complexities of digital compliance and earn the trust of privacy-conscious consumers.
‍