🆕  Introducing Ketch data map updates: risk governance meets actionable insights

Wiretapping laws in the digital era: how to protect your brand

Learn how modern wiretapping laws affect website tracking and what steps your brand needs to take to stay compliant, avoid lawsuits, and respect customer choice.
Read time
7 min read
Last updated
December 10, 2024
Ketch is simple,
automated and cost effective
Book a 30 min Demo

Back in the day, "wiretapping" conjured images of shadowy figures with headphones listening in on private calls. Fast forward to the digital age, and suddenly, this vintage surveillance nightmare has made a comeback—only now it’s your website traffic in the crosshairs.

How did we get here? A brief primer on digital tracking

In the “olden days,” companies prioritized activities like focus groups, trade shows, and  tv/print advertising to sell products. Those days are behind us. The explosion of digital mediums for content consumption, and the nature of our digital lives, have given every brand two things: 

  1. A mountain of digital exhaust (data), and
  2. New ways to communicate with consumers.

Today, most brands prioritize data-driven, digital-first growth strategies to answer important questions about their consumers: 

  • Who are my customers?
  • How do people interact with my brand? 
  • How should I communicate with my customers?
  • How do I efficiently market to prospects? 

To collect this data, brands need to deploy technology—digital “trackers”—that monitor consumer behavior on its digital properties. These trackers include: 

  • JavaScript Tags: Adding simple JavaScript tags to the website that helps track user behavior and/or control website functionality (e.g. serve a privacy banner, or show a dynamic homepage).
  • Mobile SDKs: Implementing an SDK into each of the mobile apps to help track user behavior and/or control app functionality. 
  • Beacons / Pixels: Beacons and pixels are not as robust as JavaScript, but they are used for very specific and discrete data collection events (e.g. someone clicked the purchase button).
Fifteen years ago, websites ran with around 10 tags or trackers, a manageable count by most standards. Today, the average site has nearly 50 trackers ballooning into a complex ecosystem of third-party monitoring.

This explosion of tracking tags has led to thorny problems. Brands often struggle to keep tabs on tracker lifecycle: what’s no longer being used, what’s critical, what’s changed. Not to mention the reality known as “cookie piggybacking”—the common practice of third-party vendors ushering in more trackers via the tag placed on your website. 

In summary: brands must engage in this digital data collection to be competitive, but it’s not easy to manage. And that’s what the sharks are counting on—cue the “slip and fall” lawyers. 

1970s wiretapping laws, back in style

At Ketch, we’re seeing a major trending paint point in our conversations with brands: they are receiving threatening letters from plaintiffs lawyers claiming violation of wiretapping laws and asking for settlement.

Why? Lawyers are claiming that when a person navigates a website, it’s akin to having a conversation with that brand. And when pixels or tags fire during this exchange, it’s as if a third party (that pixel, tag, or tracker) is secretly “listening in” and capturing data without the user’s explicit consent. Originally drafted to safeguard private phone conversations from unauthorized eavesdropping, these 1960s/70s-era wiretapping laws are now being reinterpreted to encompass modern digital interactions. 

A couple examples of the old laws being repurposed by class action lawyers today: 

  • California Invasion of Privacy Act (CIPA): Originally enacted to protect against wiretapping in phone conversations, CIPA is now being cited in cases involving website tracking technologies. The claim? That the use of certain website tags constitutes unauthorized interception of electronic communications, thus infringing on a visitor’s right to privacy under California law.
  • The Video Privacy Protection Act (VPPA): Enacted in the late 1980s to shield individuals’ video rental records, the VPPA is now a hotbed for claims related to online video content. Lawyers claim that if a pixel on a webpage with a video sends viewing data to a third-party vendor, it violates the VPPA’s provisions.

While Massachusetts recently dismissed such wiretapping arguments, California remains fertile ground for these claims. Lawyers often seek settlements through arbitration, creating major work cycles for brands. When a brand settles one case, that doesn’t stop more from coming. 

Adding to the complexity, U.S. state attorneys general are closely observing these developments. Over half filed an amicus brief, signaling their interest in seeing how the higher courts judge this use of old laws for new tech. For brands, this is a major ongoing headache and risk to digital data collection; for regulators, this is another tool in the enforcement toolbox.

How are brands defending themselves? 

Facing these modern interpretations of legacy wiretapping laws, brands are struggling to come up with a comprehensive approach to defend against claims. Perhaps the biggest challenge is reconciling a solution with these claims, with the other privacy requirements at hand:

  • Wiretapping laws
  • Deceptive conduct
  • U.S. consumer privacy laws 

‍

‍

Is a “GDPR everywhere” approach a good solution? 

One possible tactic is the use of GDPR-style opt-in banners, not required under current U.S. law. California, for instance, only mandates that websites offer an opt-out option. So why go the extra mile? For some brands, the idea of opt-ins seems like a strong defense, reinforcing consumer trust and minimizing the risk of legal challenges. However, this strategy has pitfalls. Here’s why a blanket approach may not be the best fit:

  • Regulatory complexity: The U.S. privacy landscape is a tangle of state-specific laws. For example, California’s CCPA mandates opt-out mechanisms, whereas other states have varying levels of requirements. Implementing a universal opt-in standard means wrestling with laws that don’t demand it and investing resources in a potentially unnecessary solution.
  • Competitive imbalance: Brands that pivot to a full opt-in model could find themselves losing ground. Competitors who stick to opt-out structures may gain an advantage by collecting richer user data and maintaining higher marketing performance.
  • Bigger promises to consumers = bigger risks: When brands present opt-in banners, they are making implicit commitments to their consumers. These promises can quickly become liabilities if not supported by robust backend systems. If the technology behind the site fails to align with the opt-in framework, brands might face scrutiny from regulators or claims of misleading practices.

Brands also invite more risk if the information conveyed in the banner is limited to one type of technology (like cookies—ah, the infamously incomplete cookie banner) or is inconsistent with the brand’s practices or statements in its privacy policy. Most digital advertising strategies involve other types of data sharing including persistent IDs and sharing through APIs. A cookie banner notice alone can misrepresent what the brand is doing and what the choice represents, leading to greater pitfalls.

What brands can do right now to minimize wiretapping claim risk 

Brands need a balanced strategy that tackles compliance head-on while maintaining business viability. To safeguard against wiretapping lawsuits and build trust, here’s what companies should focus on:

1. Transparent notices

Inform users clearly about tracking practices. For example, a notice might read:

“We and our vendors use technology that collects data about your use of our site so we can improve and personalize our products and services, for analytics and marketing, and to fulfill your requests. We may also share this information with marketing vendors, social media companies, and analytics partners.  < Privacy Policy <link>, “Your Privacy Choices” <link>. By using our website, you acknowledge and agree to our Terms of Use <link>”

‍While this won’t satisfy every legal scenario, it establishes a baseline of user awareness that’s crucial for risk mitigation.

2. Enforce opt-outs

A notice or consent banner is only as good as its enforcement. Brands must ensure that backend systems align with opt-out requests to avoid accusations of deceptive conduct or non-compliance. The consumer’s choices must be upheld consistently and reliably.

If you’ve promised not to track someone, you need to be able to prove that no tags or cookies outside of the “strictly necessary” category are activated. The right tools and best practices can help you uphold this promise. From a tech perspective, this looks like: 

  • Accurate cookie and tag categorization, according to privacy purposes
  • Integration between your TMS (tag management system) and CMP (consent management platform)
  • Orchestration with other ways that you share or make personal information available to partners, usually in connection with your digital advertising strategies. Remember, there’s more to trackers than cookies alone!

For more on this topic, check out our guide to website tag and cookie management. 

3. Define ownership

One of the less talked-about hurdles is internal chaos—figuring out who within the organization is responsible for updating site tags and privacy controls. A disjointed approach increases the risk of inconsistencies that could spark legal trouble. Brands need a clear ownership structure to keep updates aligned with privacy policies.

The Bottom line

Brands should brace themselves for ongoing legal challenges. Satisfying one lawsuit or regulatory inquiry doesn’t grant immunity from future scrutiny. The road to compliance is continuous, demanding vigilance, strategic innovation, and an agile response to legislative shifts. 

While wiretapping laws may feel like a relic from a bygone era, their modern-day interpretation serves as a stark reminder: data privacy regulations are constantly evolving. Brands that approach these challenges proactively—not just reacting to today’s lawsuits but anticipating tomorrow’s standards—will be best positioned to navigate the complexities of digital compliance and earn the trust of privacy-conscious consumers.

‍

Read time
7 min read
Published
November 5, 2024
Need an easy-to-use consent management solution?

Ketch makes consent banner set-up a breeze with drag-and-drop tools that match your brand perfectly. Let us show you.

Book a 30 min Demo

Continue reading

Product, Privacy tech, Top articles

Advertising on Google? You must use a Google certified CMP

Sam Alexander
3 min read
Marketing, Privacy tech

3 major privacy challenges for retail & ecommerce brands

Colleen Barry
7 min read
Marketing, Privacy tech, Strategy

Navigating a cookieless future with Google Privacy Sandbox

Colleen Barry
7 min read
Get started
with Ketch
Begin your journey to simplified privacy operations and granular data control across the enterprise.
Book a Demo
Ketch was named top consent management platform on G2