When it comes to the third-party collection of data via JavaScript embedded in a website’s HTML code (what plaintiffs like to call “Trackers”), the law is clear as mud. Some statutes, like California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”), are effectively unintelligible, at least as applied to commercial data collection. Others can be understood but are subject to divergent interpretations. In fact, as I write this, there are numerous pending appellate-court cases that, depending on their outcome, could either greatly expand or greatly limit the scope of these statutes. For example:
Salazar v. Paramount Global: The United States Supreme Court will determine whose information the Video Privacy Protection Act (“VPPA”) protects.
Goulart v. Cape Cod Healthcare, Inc.: The First Circuit will decide what conduct satisfies the Electronic Communications Privacy Act’s (“ECPA”) crime/tort exception to the ECPA’s one-party consent rule.
Variety Media, LLC v. Superior Court: California’s Second District Court of Appeal will decide whether Section 638.51 (pen register/trap and trace) of the California Invasion of Privacy Act (“CIPA”) applies to the internet.
This uncertainty makes it extremely difficult for companies to develop and implement effective mitigation practices. Put simply, companies cannot avoid unlawful conduct unless and until they know what is, in fact, unlawful.
Not all aspects of these laws are in flux. though. Courts have almost unanimously found that wiretapping claims, either under the ECPA or CIPA, require some kind of “interception.”
“The [ECPA]…prohibits…‘interceptions’ of electronic communications.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876 (9th Cir. 2002).
“The second clause of [CIPA] section 631(a) requires that messages be intercepted while in transit.” Licea v. Am. Eagle Outfitters, Inc., 659 F. Supp. 3d 1072, 1084 (C.D. Cal. 2023).
Courts also largely agree, albeit based on a questionable understanding of how these technologies work, that “simultaneous[ly] duplicat[ing]” and transmitting an online communication to a third party can constitute an “interception.” Mitchell v. Sonesta Int'l Hotels Corp., No. CV 24-2603-GW-SSCX, 2024 WL 4471772, at *8 (C.D. Cal. Oct. 4, 2024), adopted as modified, No. CV 24-2603-GW-SSCX, 2024 WL 4474491 (C.D. Cal. Oct. 4, 2024).
This limited consensus makes clear that an actionable wiretapping claim requires three things:
Content: the transmission to the third party must “duplicate” the transmission to the intended recipient;
Timing: the duplicated transmission must be sent at the same time the intended transmission is sent; and
Third Party: the duplicated transmission must be sent directly to the third party.
Knowing these three elements, a company’s goal should be to negate one or more of them. That is where creative technical solutions come into play. For example:
Deferred Scripts: In most instances, there is no reason why third-party scripts or, in plaintiffs’ terms “trackers”, cannot be delayed. Even a half-second delay between when a site visitor triggers an event (i.e., clicks on a link) and when the third-party script fires could be sufficient to negate the “simultaneous” requirement.
Server-Side Tracking: Without getting into the technical specifics, server-side tracking inserts an intermediary (i.e., the site’s server) between the user and the third party. It also allows the site operator greater control over what is and is not provided to the third party. Put another way, no duplication, no simultaneous transmissions, no direct communication with the third party.
The impact of deferred scripts on wiretapping claims has not been litigated yet, but it should be soon. As to server-side tracking, at least one court has found that, when implemented, there likely can be no wiretap. See Smith v. Rack Room Shoes, Inc., No. 24-CV-06709-RFL, 2026 WL 183852, at *3 (N.D. Cal. Jan. 23, 2026) (finding that plaintiff had failed to allege “in transit” “interception” based on defendant’s alleged use of server-side tracking).
Further, at least one court has found that CIPA Section 632 (unlawful recording) requires “in transit” interception, as well. There, Judge Lin held that “CIPA's eavesdropping provisions, Cal. Penal Code §§ 632(a)… similarly concern[s] the contents of ‘confidential’ communications when in transit.” In re Meta Android Priv. Litig., No. 25-CV-04674-RFL, 2026 WL 1279416, at *7 (N.D. Cal. May 11, 2026) (emphasis added). If that is true, then deferred scripts and/or sever-side tracking could help mitigate the risk of claims under not only California and federal wiretapping statutes, but also under California’s eavesdropping provision.
The overlap between technology and law is growing rapidly. Trying to keep the two areas separate is an act in futility. While technology can create massive legal exposure, it can also help to reduce it. My job is to minimize the former by leveraging the latter.
/Passle/69ce4c141e42eea3bd4c2856/SearchServiceImages/2026-05-24-20-34-42-980-6a1360e2861b745dbadccbab.jpg)
/Passle/69ce4c141e42eea3bd4c2856/SearchServiceImages/2026-05-12-18-56-30-358-6a0377de8f76c0fb588b7d87.jpg)
/Passle/69ce4c141e42eea3bd4c2856/SearchServiceImages/2026-05-06-23-31-17-956-69fbcf45e920942e6ce23867.jpg)
