The Florida wiretap theory aimed at your website

A wave of lawsuits is moving through Florida courts that recasts ordinary website tooling as wiretapping. The vehicle is the Florida Security of Communications Act, a 1969 statute originally aimed at hidden recording devices and tapped phone lines. The plaintiffs’ theory is that session replay scripts, live chat transcripts, and analytics packages “intercept” electronic communications between a visitor and a website, and that Florida’s two-party consent rule makes every uninformed visit a violation. The statute carries $500 in statutory damages per violation plus attorney’s fees, and on a site with meaningful traffic that math gets large quickly.

The legal theory is not strong on the merits. The cases that have reached substantive rulings have split, with some courts dismissing on standing grounds, some narrowing the definition of “interception” so that a website cannot intercept a communication to itself, and some letting the cases proceed past the motion to dismiss. The split is exactly what plaintiffs’ firms want, because the goal is not to win a trial. The goal is to file enough cases that defendants settle in the $15,000 to $50,000 range rather than pay six figures to litigate an unsettled question of statutory interpretation.

That dynamic shows up in similar form in other states. California’s CIPA cases targeting chat tools and pixels have generated parallel waves of demand letters. Pennsylvania has seen comparable filings under its wiretap act. The Florida flavor is distinct mainly because the statutory damages number is high enough to make the threat letters worth sending and because the Florida bar that brought the early ADA accessibility wave has redeployed its infrastructure to this new theory. The same firms, the same templates, different captions.

There are three practical responses that meaningfully reduce exposure without requiring you to tear out every tool. The first is consent. The defense that has been most effective in the cases that survived motions to dismiss is a banner that requires affirmative action before session replay, chat recording, or analytics scripts load. Not a cookie banner buried in a corner. A prominent dialog that the visitor either accepts or declines, with the tooling actually gated by the response. Privacy-policy disclosure tucked into a footer is not enough to win these cases, but explicit pre-engagement consent has been holding up.

The second is vendor posture. Many of these complaints name both the website operator and the vendor whose script is loaded. If your vendor for session replay or chat will not contractually represent that their product complies with state wiretap laws, or will not indemnify you against claims arising from the way their script captures input, that is a signal about who they expect to bear the litigation risk. Renegotiate, or replace the vendor.

The third is honest scoping. Look at every script loaded on every page and ask whether the data the script captures is actually used by anyone in the company. Session replay tools generate enormous volumes of data that, in most organizations, no one watches. Chat transcript archives sit untouched. The exposure is real and the business benefit is often theoretical. Removing tools that no one uses is the cleanest way to reduce your visitor count denominator and your litigation risk in one move.

The longer-term fix is legislative. California amended its wiretap statute to clarify that a party to a communication who notifies the other party of recording is not liable, and a similar amendment to Florida’s statute would end this litigation cycle in a single session. That has not happened yet, and there is no signal it will happen soon. Until then, the operating posture for a Florida-facing website is that every analytics script, every chat widget, and every replay tool is a potential plaintiff trigger, and the cost of doing nothing is higher than the cost of a one-afternoon consent and inventory review.