
What the Federal Wiretap Act Means for Your Website

How 18 U.S.C. Section 2511 applies to website tracking pixels and third-party data collection. Important reading for compliance officers and website operators.

In 1968, Congress passed the Federal Wiretap Act to stop government agencies from spying on phone calls. Fifty years later, that same law is being used to sue websites for deploying tracking pixels. The connection is not obvious--but it's increasingly real, and it affects your data collection practices right now.

When Meta's pixel fires on your site, it intercepts data about your visitor. Courts call this an "electronic communication." The pixel captures it. It sends it to Meta's servers. According to a growing number of lawsuits, that sequence may violate 18 U.S.C. Section 2511. Your visitor never agreed to it. Your privacy policy might not mention it. And if you're in healthcare, financial services, or any sector handling sensitive data, regulators are paying very close attention.

What the Wiretap Act Actually Says

The statute is short and blunt: it's illegal to "intentionally intercept...any wire, oral, or electronic communication." Congress added one carve-out: both parties can consent to interception.

That consent exception is narrow. It doesn't mean your visitor consented by clicking "Accept" on a generic privacy policy. It doesn't mean they consented to visit your website. It means they consented to the specific act of having their communications intercepted by a specific party.

For fifty years, courts applied this law only to phone taps and criminal eavesdropping. Then digital communication exploded. In 2021, the Facebook class action forced courts to ask: when a pixel fires on a website, is that an "interception" under the statute? Most courts said yes.

How the Facebook Case Changed Everything

The mechanics are simple. Your visitor loads a page. Their browser sends a request to your server. If you have a Meta Pixel installed, that pixel fires automatically. It grabs data--the visitor's device, their clicks, their browsing history, their location. Then it sends all of it directly to Meta's servers.

Your visitor never agreed to that. They consented to visiting your website. They did not consent to Meta capturing their browsing data and linking it to their account.

The court in Facebook found that the pixel intercepts an "electronic communication." The data flows from the visitor's browser to Meta without notice or affirmative approval. The consent exception doesn't apply because the visitor never agreed to be intercepted by Meta.

After Facebook, other cases followed. Popa v. Harriet Carter Gifts made a similar argument. Courts in multiple circuits began accepting Wiretap Act claims against website operators. The theory stuck.

The Two-Part Test

The Wiretap Act applies if two things are true.

First: there is an intercept. A tracking pixel captures data as it flows from a visitor's browser to a third party. That data is an electronic communication. The pixel intercepts it. Google Analytics, Meta Pixel, TikTok Pixel, session replay tools--they all do this. The pixel is the intercept.

Second: there is no valid consent. This is where most websites fail. A privacy policy that says "we use analytics" is not consent to Meta intercepting visitor behavior. It's not consent to Google capturing search history. It's vague. It's not specific. It's not affirmative.

Courts have been skeptical of privacy policies as consent mechanisms. The Act requires consent to the specific interception by the specific party. A boilerplate privacy clause does not cut it. Especially if visitors don't actually read it. Or actively agree to it.

Session Replay Tools Are the Biggest Risk

Session replay tools--Hotjar, FullStory, Microsoft Clarity, Smartlook--record everything. Every keystroke. Every click. Every scroll. If a visitor types a password, a credit card number, or their social security number into a form, the session replay tool captures it. Then it sends it to the vendor's servers.

Courts have found that session replay tools intercept electronic communications. If a session replay tool captures sensitive data without explicit, affirmative consent, the Wiretap Act is likely implicated. In 2023, a major healthcare platform settled with state attorneys general specifically over undisclosed session replay collection of sensitive health data.

What Website Operators Need to Do

Compliance is not difficult. It requires discipline.

Audit every tracking tool on your website. List what each one collects. Document where the data goes. If you're not sure what a particular pixel does, disable it until you know.

Your privacy policy needs to identify specific tools. Not "we use analytics." Not "our marketing partners help optimize the site." Name the tool. Say what it collects. Say where the data flows.

For invasive tools--especially session replay--get affirmative consent. That means a checkbox the visitor has to tick. Not a pre-checked box. Not a buried option in a settings menu. Not a privacy policy footnote. Make them opt in.

Turn off data collection for sensitive fields. Most analytics platforms and session replay tools have masking features. Password fields. Credit card fields. Social security fields. Enable masking by default. Some tools let you disable replay on certain pages entirely. Do that for login and checkout pages.

Respect do-not-track signals if your jurisdiction recognizes them. Doing so signals a commitment to compliance.
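
The audit, opt-in and masking steps above can be expressed as three small checks. This is an added example, not code from any vendor's SDK: the tool ids, hosts, paths and field-name heuristics are constructed placeholders, and it requires an opt-in for every tool, which is a stricter assumption than the text makes for non-invasive ones.

```javascript
// Added example. Tool ids, hosts and paths are constructed placeholders.
const INVENTORY = [
  { id: "analytics", host: "analytics.vendor-a.test", invasive: false },
  { id: "replay", host: "replay.vendor-b.test", invasive: true },
];
const NO_REPLAY_PATHS = [/^\/login(\/|$)/, /^\/checkout(\/|$)/];

// Audit: third-party hosts referenced by script/img/iframe tags that are
// missing from the documented inventory.
function undocumentedHosts(html, firstPartyHost) {
  const known = new Set([firstPartyHost, ...INVENTORY.map((t) => t.host)]);
  const found = new Set();
  const re = /<(?:script|img|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    let host = "";
    try {
      host = new URL(m[1], `https://${firstPartyHost}/`).host;
    } catch {
      continue; // unparseable src: nothing to attribute
    }
    if (host && !known.has(host)) found.add(host);
  }
  return [...found].sort();
}

// Consent: a tool may load only when the visitor ticked its own box
// (userAction), never from a pre-checked default; replay never loads on
// login or checkout paths.
function toolsAllowed(consent, path) {
  return INVENTORY.filter((t) => {
    const c = consent[t.id];
    if (!c || c.granted !== true || c.userAction !== true) return false;
    return !(t.invasive && NO_REPLAY_PATHS.some((p) => p.test(path)));
  }).map((t) => t.id);
}

// Masking: fields whose values must never reach a recorder.
function shouldMask(field) {
  const ac = (field.autocomplete || "").toLowerCase();
  const name = (field.name || "").toLowerCase();
  return field.type === "password" || ac.startsWith("cc-") ||
    ac.endsWith("password") || /ssn|social|card|cvv/.test(name);
}
```

A scan of static HTML misses tags that a tag manager injects at runtime, so compare the result against the hosts in the browser's network log as well.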

How Regulators and Courts Are Moving

The FTC is scrutinizing tracking pixel and session replay deployment, particularly at healthcare companies. In 2024, multiple district courts denied motions to dismiss Wiretap Act claims against website operators. The courts found the claims plausible. The Wiretap Act is now a legitimate legal theory in privacy litigation.

State attorneys general in California, New York, and Texas have opened investigations into healthcare platforms' tracking practices. The question is always the same: are they transmitting patient data to Meta or Google without consent? Several state AGs have alleged violations of both state consumer protection laws and the Wiretap Act.

The message is consistent: the Wiretap Act applies to website operators. It's not a historical statute about phone tapping. It's an active enforcement tool. If your site has tracking pixels or session replay, and if those tools send visitor data to third parties without clear, affirmative consent, the statute applies to you.

The path is simple. Know what you collect. Tell visitors clearly. Get their consent. Protect sensitive data. The rest is execution.