Solutions by Regulation

Eliminate Hidden “Wiretap” Risks on Your Website

Recording user sessions or chats is considered illegal wiretapping in some states. Vault provides independent, third-party monitoring that continuously identifies and helps fix these stealth risks. It’s how we ensure you don’t inadvertently violate California’s CIPA, the federal ECPA, or Pennsylvania’s Wiretap Act.

Solutions for CIPA

Old Wiretapping Laws Create New Privacy Risks

A wave of lawsuits is exploiting old wiretapping and eavesdropping laws to target websites that use session replay tools (which record clicks/keystrokes), web trackers, such as Meta Pixel, or even website chat widgets. Claiming these tools intercept user communications without consent, plaintiffs are forcing companies to settle or risk huge statutory damages.

$59.5 Million Settlement

Flo Health agreed to pay $59.5 million to resolve claims that its tracking tools shared sensitive user health data with third parties without consent, highlighting how analytics tools can trigger CIPA violations.

$115 Million Tracking Settlement

Oracle agreed to a proposed $115 million class action settlement over allegations that it tracked and sold individuals’ online and offline data without proper consent, reinforcing the growing legal risk around web tracking technologies.

$17.8 Million Pixel Lawsuit Settlement

Adena Health agreed to pay $17.8 million to settle claims that its use of Meta Pixel exposed patient data, underscoring how healthcare website tracking can lead to significant liability under privacy and wiretapping laws.

How Vault JS Supports CIPA Compliance

Understand Vendors

Detects and classifies CIPA risks of third-party vendors on your website.

Session Replay Detector

Detects high-risk vendors like Hotjar, FullStory, Decibel, and others.

Consent & Disclosure Coach

Vault checks your site for a proper user consent disclosure.

Geolocation Rules

Vault adjusts its monitoring based on the user's location.

Chat & Input Monitoring

Vault monitors keystroke logging, live chat, lead gen verification, and marketing pixels.

Defense Documentation

Helps you prove good-faith efforts in legal actions.

Key CIPA Compliance Capabilities

How we manage risk in a changing environment

Comprehensive Script Scan

Vault identifies all third-party and embedded scripts on your website and analyzes their runtime behavior to determine whether they capture user communications or transmit data in ways that create CIPA or ECPA exposure.

Interactive Content Analysis

Vault evaluates how interactive elements capture and transmit user input and whether communications are recorded, shared, or intercepted in ways that may trigger CIPA or ECPA consent and disclosure requirements.

Privacy Notice Scanner

Privacy Notice Scanner reviews your website’s disclosures to assess whether tracking, session replay, chat monitoring, and third-party data sharing are clearly and accurately described.

Mitigation Workflow

Mitigation Workflow guides teams from risk detection to resolution with structured remediation steps, ownership tracking, and documentation. It helps maintain defensible records of corrective actions to remain compliant with CIPA and ECPA.

Benchmarking

Benchmarking compares your website’s tracking and communication-capture practices against industry norms and enforcement trends. It helps teams understand how various technologies align with peer organizations and regulatory expectations.

Frequently Asked Questions

CIPA (California Invasion of Privacy Act) is a California wiretapping law that prohibits recording or intercepting communications without consent from all parties. The statute was written decades ago for telephone tapping, but plaintiffs now argue it applies to digital interactions on websites and mobile apps. The legal theory asserts that modern tracking technologies that transmit user interactions to third parties in real time without consent are engaging in unlawful interception under CIPA. Because the statute allows significant per-violation damages, it has become a popular basis for class-action lawsuits.

The Electronic Communications Privacy Act (ECPA) is a federal law that prohibits the unauthorized interception, disclosure, or use of electronic communications. It includes the Federal Wiretap Act and applies to communications such as website chats, form submissions, emails, and other online interactions. For businesses, risk arises when tracking tools, session replay software, chat widgets, or analytics scripts capture and transmit user communications to third parties without proper consent. Violations can lead to civil lawsuits, statutory damages, attorneys’ fees, and, in some cases, criminal liability.

Session replay is a technology that records and reconstructs a user’s interactions on a website or app. It captures clicks, scrolls, keystrokes, page changes, and sometimes form inputs, then recreates the session in a visual playback interface for analytics or troubleshooting. It is considered an interception because the data is often transmitted in real time to a third-party vendor. In lawsuits, plaintiffs argue that when a user’s interactions are duplicated and sent to an external service without clear consent, that vendor becomes an eavesdropper rather than a participant.

A website chat feature raises wiretap concerns when user messages are sent to a third party without clear disclosure and consent; the central question is whether the vendor is a direct participant in the conversation or an outside interceptor. Clear disclosure, proper consent, and tight vendor controls are the core safeguards.

To avoid wiretap issues, provide clear notice before the chat begins and obtain affirmative consent where required, especially in two-party consent states like California. Ensure the vendor operates strictly as your service provider under a signed data processing agreement, with no independent use of the data. And limit retention and test the setup to confirm transcripts aren’t shared beyond the intended provider.

Think of two-party consent as all-party consent, since these states require consent from everyone involved before a communication can be recorded or intercepted. As of February 2026, the primary all-party consent states are: California, Florida, Illinois, Maryland, Massachusetts, Michigan (as interpreted by some courts), Montana, Nevada, New Hampshire, Pennsylvania, and Washington.

Plaintiffs in these states have argued that session replay tools, chat transcripts, and certain tracking technologies may constitute unlawful interception if consent is not clearly obtained.

Yes, some session replay cases have been dismissed, particularly at early stages, for lack of standing, insufficient factual allegations, or failure to show that a third party truly intercepted a communication under the statute. Other cases, however, have moved into discovery, and courts have allowed plaintiffs to proceed if there is a plausible allegation of real-time transmission of user interactions to external vendors without clear consent.

The federal Wiretap Act may apply. The statute prohibits intentional interception of electronic communications, and plaintiffs have invoked it in cases involving session replay tools, chat features, and other tracking technologies. Lawsuits are more likely to rely on state wiretap laws, however, because state statutes may offer clearer private rights of action or statutory damages, and state courts have been more active venues for these claims. In practice, a single implementation can trigger both federal and state wiretap theories, depending on how data is captured, transmitted, and disclosed.

Vault distinguishes “contents” from metadata by analyzing what’s actually transmitted, not just which domains are contacted. Vault captures and inspects network requests and responses, including URLs, headers, query parameters, and request bodies. If a script sends user-generated text (chat messages, form inputs, typed keystrokes), page content (DOM text/HTML snippets), or detailed interaction streams that reconstruct what a user did or said, Vault can flag it as a potential content capture.
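The content-versus-metadata check described above, and the "test the setup to confirm transcripts aren't shared beyond the intended provider" step from the chat answer, as an added example that is not Vault's code: it classifies captured outbound requests by whether user-typed text or page HTML appears in them and whether the destination host is an approved processor. The vendor domains, payloads and helper names are constructed assumptions.

```javascript
// Added example, not Vault's code: classify captured outbound requests as
// content capture vs. metadata-only, and check the destination against an
// allow-list of approved processors. Domains and payloads are constructed.
const ALLOWED_PROCESSORS = new Set(["chat.example-vendor.com"]); // assumed DPA vendor

// Text the user typed into the page during the test session (constructed)
const USER_INPUTS = ["I need help with invoice 4471", "jane@example.com"];

// Outbound requests observed during the same session (constructed). In a
// real check these come from a fetch/XHR wrapper or an intercepting proxy.
const REQUESTS = [
  { url: "https://chat.example-vendor.com/msg",
    body: JSON.stringify({ text: "I need help with invoice 4471" }) },
  { url: "https://analytics.example.net/collect?ev=pageview&ref=google",
    body: "" },
  { url: "https://replay.example.org/rec?u=jane%40example.com",
    body: JSON.stringify({ dom: "<div class=\"card\">Invoice 4471</div>" }) },
];

// True when any user-typed string (4+ chars, to skip noise) appears in the
// URL, query string or body, or when the body carries page HTML (DOM capture).
function contentIndicators(req, inputs) {
  let url = req.url;
  try { url = decodeURIComponent(req.url); } catch (e) { /* keep raw URL */ }
  const haystack = url + " " + (req.body || "");
  const typed = inputs.some(t => t.length >= 4 && haystack.includes(t));
  const dom = /<\/?[a-z][^>]*>/i.test(req.body || "");
  return { typed, dom };
}

// One finding per request: metadata-only, content sent to an approved
// processor, or content sent to a third party that needs review.
function classifyRequest(req, inputs, allowed) {
  const host = new URL(req.url).hostname;
  const { typed, dom } = contentIndicators(req, inputs);
  if (!typed && !dom) return { host, finding: "metadata-only" };
  const finding = allowed.has(host)
    ? "content-to-approved-processor"
    : "content-to-third-party";
  return { host, finding, typed, dom };
}

function scan(requests, inputs, allowed) {
  return requests.map(r => classifyRequest(r, inputs, allowed));
}

// Report helper: hosts that received user content without being approved
function unapprovedContentHosts(findings) {
  return findings.filter(f => f.finding === "content-to-third-party").map(f => f.host);
}
```

Run it after exercising the chat widget and forms in a test session; any host listed by unapprovedContentHosts is a candidate for tag removal, domain blocking or consent gating.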

Yes. Disabling session replay does not mean you lose all analytics. Session replay captures detailed interaction streams that can reconstruct individual user sessions. Standard analytics, by contrast, focus on aggregated behavior — page views, referrers, device types, conversion events, bounce rates, and funnel progression. You can still measure traffic, engagement, and performance without recording keystrokes, chat transcripts, or granular interaction playback.

Action can begin immediately. Vault surfaces findings in real time or near real time, depending on how frequently scans are configured. When a serious issue is detected, such as unauthorized transmission of user-generated content, alerts can be routed directly to legal, security, or engineering teams. Because Vault identifies the specific script, endpoint, and data payload involved, remediation can be targeted. Teams can disable a tag, block a domain, adjust consent gating, or modify configuration without waiting for a full audit cycle.