From Analytics to “Interception”: How Website Tracking Became a Wiretap Problem—and What Companies Should Do About It
There is a certain irony in watching a statute designed to prevent clandestine eavesdropping on telephone calls become one of the most aggressively deployed tools against ordinary website functionality.
[…Keep reading]
Vibe Coding vs. SBOM: One Builds Fast. The Other Tells You What You Just Built
There is a certain irony in watching a statute designed to prevent clandestine eavesdropping on telephone calls become one of the most aggressively deployed tools against ordinary website functionality. The federal Wiretap Act—codified as part of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510–2522—was never intended to regulate marketing pixels, session replay scripts, or real-time bidding infrastructure. Yet that is precisely what is happening.Plaintiffs are increasingly reframing the architecture of the modern web as a form of unlawful interception. Courts, in turn, are increasingly willing to entertain the theory. What began as a handful of cases has now matured into a nationwide litigation wave, with decisions emerging from multiple circuits and districts that—while not uniform—reflect a clear doctrinal trajectory.
The Recharacterization of the Web as a Communication Channel
At the core of these cases is a deceptively simple move. A user’s interaction with a website—clicking a link, searching for a provider, entering information into a form—is characterized as an “electronic communication.” Once that premise is accepted, everything else follows.The statute prohibits the intentional “interception” (acquisition of the contents) of such communications. 18 U.S.C. § 2511(1)(a). It defines “contents” broadly to include “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8).What plaintiffs argue—and what courts are increasingly accepting—is that tracking technologies embedded in websites are not passive observers. They are devices that acquire the contents of communications in real time and transmit them elsewhere. That, they say, is interception.Courts have repeatedly entertained this framing. In Hannant v. Culbertson Memorial Hospital Foundation, No. 4:24-cv-04164-SLD-RLH (C.D. Ill. Mar. 19, 2026), the court allowed ECPA claims to proceed where tracking pixels allegedly captured and disclosed patient interactions with a hospital website. Similarly, in McClain v. Capital Vision Services, LLC, No. 25 CV 7675 (N.D. Ill. Mar. 13, 2026), the court held that allegations that Google Analytics transmitted patient-specific eye care information were sufficient to state a claim under § 2511.
How Tracking Technology Actually Works
To understand why this argument has traction, one has to understand the technology—not in marketing terms, but in network terms.When a user loads a webpage, the browser executes code from multiple sources. A tracking pixel—often a small script or invisible image—triggers a request to a third-party server, transmitting information such as the page URL, device identifiers, and sometimes user-provided data. More advanced tools like session replay software record granular interaction data, including clicks, keystrokes, and navigation paths.Analytics platforms such as Google Analytics or Adobe Analytics aggregate this data to provide insights into user behavior. Meanwhile, advertising technologies—such as Meta Pixel or LinkedIn Insight Tag—transmit user interactions into broader data ecosystems, where they are combined with other data to create detailed behavioral profiles.In B.N. v. Oregon Reproductive Medicine, LLC, No. 3:25-cv-00202-IM (D. Or. Apr. 3, 2026), the court described how a fertility clinic’s use of the LinkedIn Insight Tag allegedly captured IVF-related page visits, consultation scheduling, and form submissions tied to identifiable users. The court concluded that these allegations plausibly described the interception of the “contents” of communications.Similarly, in Semien v. PubMatic Inc., No. 25-cv-03164-SI (N.D. Cal. Jan. 27, 2026), plaintiffs alleged that a data broker’s pixel tracked users across multiple websites, aggregated the data, and used it to build cross-platform advertising profiles. The case highlights that liability theories are no longer confined to website operators, but extend to adtech intermediaries themselves.
Why Courts are Letting These Cases Proceed
The success of these claims turns on several converging doctrinal developments.First, courts are expanding what counts as “contents.” In earlier cases, courts distinguished between content and routing information. But where a URL or interaction reveals substantive information—such as a medical condition or treatment inquiry—courts increasingly find that it conveys the “meaning” of a communication. See, e.g., B.N., supra; McClain, supra. Courts are increasingly rejecting the distinction between where you are going (non-content info) and what you are doing (content information). If we look at a phone call, the distinction is between the numbers dialed (non-content) and what you say on the phone. For texts or emails, header info is non-content, and content is, well, content. The problem is, with these tracking cookies or pixels, its hard to make a hard line. The more the information invades privacy, the more it is likely to be seen as “content.” If a person calls a pregnancy center multiple times, we can infer that they are pregnant. Merely calling an AIDS clinic can create an inference of a diagnosis. Tracking cookies that track visits to sites related to cancer treatment can infer a diagnosis. The real problem is that casual users don’t know what data is being collected and how it is being used, or to whom it is being disclosed.Second, courts are narrowing the scope of the “party” defense. The Wiretap Act permits interception where one party to the communication consents. 18 U.S.C. § 2511(2)(d). Website operators argue that they are parties to user interactions on their own sites, and that makes sense. When you visit a website, you establish a connection between you and the website. But the wiretap statute contains an important limitation: It is illegal to “obtain the contents” of a communication — even your own communication — if you do so “for the purpose of committing any criminal or tortious act.”In healthcare cases, plaintiffs have invoked HIPAA as the predicate unlawful act. Courts have increasingly accepted that theory. In B.N., the court held that alleged violations of HIPAA’s prohibition on unauthorized disclosure of protected health information, 42 U.S.C. § 1320d-6, could satisfy the crime-tort exception. Likewise, in McClain, the court rejected arguments that commercial motivation negates unlawful purpose, allowing the claim to proceed. The plaintiff, however, would have to show that the dominant purpose for the collection of the information was to commit a crime or a tort.In Adair v. Cigna Corporate Services, LLC, Civil Action No. 25-2384 (E.D. Pa. Feb. 4, 2026), plaintiffs alleged that tracking technologies embedded in both public webpages and authenticated patient portals captured and transmitted sensitive health-related interactions. The court relied in part on regulatory guidance from the U.S. Department of Health and Human Services, which states that disclosures of protected health information to tracking vendors for marketing purposes without authorization are impermissible. See U.S. Dept of Health & Hum. Servs., Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (June 26, 2024).Third, courts are increasingly skeptical of the argument that these technologies are merely neutral tools. The economic reality—that the data is used for profiling, targeting, and monetization—undermines the notion that the interception is incidental. In short, the wiretap law is designed to protect privacy – and courts are finding that what companies call “data analytics” is often a privacy violation.
Where Defendants Still Prevail
Despite these developments, not all cases survive. Courts continue to impose limits, particularly where the alleged data collection is less sensitive or where the connection to interception is attenuated.In Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), the Ninth Circuit held that the collection of non-sensitive browsing data did not constitute a sufficiently concrete injury to confer Article III standing. Similarly, courts have distinguished between third parties that act as mere service providers and those that independently exploit data. In Lisota v. Heartland Dental, LLC, No. 25 CV 7518 (N.D. Ill. Jan. 13, 2026), the court applied the “ordinary course of business” exception to dismiss claims arising from call analysis software used to facilitate communications.These decisions suggest that context matters: The sensitivity of the data, the role of the third party, and the purpose of the collection all influence the outcome.
Practical Advice: Reducing Risk in a Post-Pixel World
For companies, the lesson is not that tracking must cease, but that it must be governed with the same rigor as any other data processing activity.The first imperative is data minimization. Organizations should examine whether their tracking technologies collect information that reveals sensitive attributes—particularly health, financial, or similarly protected data—and eliminate or restrict such collection where possible.Second, companies must understand their vendors. Third-party scripts should not be treated as black boxes. Contracts should limit data use, prohibit downstream sharing, and require compliance with applicable laws. Technical configurations should be reviewed to ensure that unnecessary data is not transmitted.Third, consent must be meaningful. The wiretap statute excludes “interceptions” where the impacted person has “consented” to the interception. But the consent must be clear and unambiguous. Generic disclosures buried in privacy policies are increasingly inadequate. Where sensitive data is involved, companies should consider obtaining explicit, informed consent that clearly describes what data is collected and how it will be used. It’s a privacy statute masquerading as a wiretap law.Fourth, tracking should be context-specific. Technologies that may be acceptable on public-facing pages may be inappropriate on authenticated portals, patient interfaces, or transaction pages. Segmentation of environments can significantly reduce risk. Monitoring external contacts may be different from monitoring internal movements.Fifth, organizations should integrate tracking technologies into their broader governance frameworks. That includes maintaining inventories of tracking tools, conducting privacy impact assessments, and aligning practices with regulatory guidance.Finally, companies should ensure that their policies accurately reflect their practices—and that those practices can withstand scrutiny. Overbroad disclosures or inconsistencies between stated and actual practices can exacerbate liability. Collect only what you need and use it only for the reasons that you have stated. And those reasons must be legitimate. And delete it when no longer needed. The problem is, this data is valuable and useful for data mining by AI. Which presents an entirely different kettle of fish.
Conclusion: A Statute Reimagined
What we are witnessing is not merely creative pleading. It is the reinterpretation of a legacy statute in light of modern technology.The Wiretap Act was designed for an era of discrete, point-to-point communications. The internet is a continuous, multi-party data ecosystem. Courts are increasingly bridging that gap by expanding the concept of interception to include routine tracking.Whether that approach ultimately holds at the appellate level remains to be seen. But for now, the direction is clear.Tracking technologies are no longer invisible infrastructure. They are legally consequential mechanisms of data acquisition.And in that environment, every pixel carries not just information—but risk.
About Author
![[un]prompted 2026 – The Al Security Larsen Effect: How To Stop The Feedback Loop](https://securityboulevard.com/wp-content/uploads/2018/01/TwitterLogo-002.jpg)
