Plaintiffs Target Out-of-State Financial Institutions Under State Wiretap Laws for Website Data Practices
Financial institutions and other consumer-facing companies, especially those with customers in multiple states, are facing a new wave of putative class action filings and demands alleging violations of certain state wiretap statutes. Plaintiffs’ lawyers are increasingly scrutinizing company websites to assert that common website tracking tools (e.g., analytics and advertising cookies and pixels) violate the “multiple-party consent” regimes in certain states’ wiretap laws. Just last week, three of our clients received demand letters with draft complaints even though none of those institutions had operations in these states.
The Emerging Theory
Plaintiffs allege that when a company (or its third-party vendors) “records” or “intercepts” online interactions, through session replay, chat features, cookies, pixels, or analytics tools, without obtaining the user’s consent, the company violates a state wiretap act, typically that of the state where the individual resides. These claims are typically framed as unauthorized “recordings” of website communications.
The federal Wiretap Act and most state analogs require the consent of only one party to a communication, meaning a company’s own consent is sufficient. However, 13 states have adopted multi-party consent regimes that require all participants to consent before a communication can be recorded and typically carry statutory damage provisions per violation.
There are several key litigation risks that financial institutions need to be aware of, which are outlined below.
- Out-of-state exposure: Plaintiffs are targeting companies headquartered outside of multi-party consent states, arguing that accessibility of a website in those states is sufficient to establish jurisdiction.
- Expansive “recording” theories: Courts are being asked to extend traditional “wiretap” principles to modern web technologies, such as session replay software, analytics cookies and pixels, and chatbots.
- Vendor involvement: Claims often implicate third-party service providers (e.g., analytics, advertising, or data optimization vendors) as alleged co-“interceptors” of communications.
Defenses and Developing Law
There are substantial legal challenges to these theories of liability. Courts have questioned whether passive web tracking constitutes a “communication” within the meaning of wiretap statutes, whether any “interception” occurs in real time, and whether user consent is adequately obtained through privacy policy disclosures or cookie banners. There are also jurisdictional challenges to the extent that a bank does not do business in or have customers in the state where the law was allegedly offended.
While the law continues to evolve, early and clear disclosure remains the most effective safeguard. Courts have been receptive to dismissal arguments where website users are presented with a prominent consent notice. An example would be conspicuous banners or pop-ups that inform users of tracking technologies and link to a detailed privacy policy. Ideally, consent requirements are “persistent,” meaning a consumer cannot advance the page without providing consent.
It is recommended that financial institutions take the following steps to ensure they do not have exposure.
- Review website consent mechanisms. Ensure that consent banners are prominently displayed upon landing, before tracking technologies activate.
- Inventory third-party tracking technologies. Identify third-party tracking technologies deployed on digital properties (e.g., from third-party and advertising companies).
- Monitor ongoing litigation. Courts in California, Pennsylvania, and Florida are actively considering motions that may clarify or limit these claims.
- Evaluate risk exposure. Assess whether your website’s accessibility to users in multi-party consent states could trigger potential claims.
- Ensure compliance with state privacy laws. These claims are being brought under older state surveillance laws. Many states, including California, have recently adopted comprehensive privacy laws that require companies to provide detailed disclosures and an opportunity to opt out of certain third-party tracking. Any website consent mechanisms or other solutions adopted to mitigate the risk of these claims also should be vetted for compliance with applicable state privacy laws.