The Federal Wiretap Act and the Crime-Tort Exception

A growing trend of class-action lawsuits are utilizing the Federal Wiretap Act’s “crime-tort exception” to hold website operators accountable for intercepting and disclosing the sensitive information of their users. 

Website operators are routinely brought to court for intercepting the private communications of their website visitors with pixels, cookies, and other online-tracking software in violation of state wiretapping laws. Typically, these cases arise under “two-party consent” statutes such as the California Invasion of Privacy Act (CIPA), Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA), and Florida Security of Communications Act (FSCA). These statutes require that all parties to the communication consent to the interception. 

Recently, there has been a growing trend of lawsuits under the Federal Wiretap Act (Electronic Communications Privacy Act, or ECPA) for this same conduct. The Federal Wiretap Act prohibits the intentional interception of electronic communications, but typically does not apply if one party has consented to the interception. However, the crime-tort exception provides an important caveat: consent does not apply if the interception is done for the purpose of committing a crime or tort. The Federal Wiretap Act has a private right of action and statutory damages of the greater of $10,000 or $100 per day for each day of the violation.

A growing number of courts have recognized circumstances in which the interception of website visitors’ communications in furtherance of a criminal or tortious purpose can create liability under the Federal Wiretap Act. Given this trend, it is likely that privacy attorneys will continue pursuing nationwide, class action claims against website operators who intercept their users’ communications without consent. 

Stein and HIPAA cases

A person is not liable for intercepting a communication to which it is a party, unless it does so “for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d).  Assuming that website operators are parties to online communications and consented to interception by third-party advertisers, the critical question in Federal Wiretap Act cases is whether the crime-tort exception applies. Far and away the most common application of this exception is medical websites that disclose users’ protected health information (PHI) in violation of HIPAA. 

A leading case on this issue is Stein v. Edward-Elmhurst Health, No. 23-CV-14515, 2025 WL 580556 (N.D. Ill. Feb. 21, 2025). In Stein, the defendant allegedly placed the Meta Tracking Pixel on its website, which secretly intercepted users’ medical communications. Plaintiffs alleged that this activity violated the Federal Wiretap Act and was also a violation of HIPAA that implicated the crime-tort exception. 

The defendant argued that it had not violated the Federal Wiretap Act because the defendant “did not intercept the communications for the purpose of committing a crime or tort. Instead, the complaint alleges [defendant] intercepted the communications to make money.” Id. at *5 (emphasis added). The court rejected that argument, holding that “the statute gives no hint that conduct falls outside the reach of the statute if a person acted based on financial motivations.” “The statute does not exclude conduct simply because someone acted with a financial purpose.” The court held that the alleged disclosures of protected health information to Meta in violation of HIPAA were “enough to get around the ECPA's one-party consent rule, because the crime-tort exception applies.” Id. at *6. 

Similar to Stein, many courts who have recently confronted this issue have held that violations of HIPAA through the interception of medical information on third-party websites are sufficient to state a Federal Wiretap claim. To be sure, other courts have required a greater separation between the interception and the “purpose” of committing a crime-tort. See Goulart v. Cape Cod Healthcare, Inc., No. CV 25-10445-RGS, 2025 WL 1745732, at *4 (D. Mass. June 24, 2025) (rejecting Federal Wiretap claim where there were no plausible allegations that violating HIPAA was the “primary motivation” of the defendant). 

We expect to see more courts address this issue and adopt the reasoning of Stein that “the existence of a financial motivation is not a get-out-of-liability-free card.” See 2025 WL 580556, at *6. Additionally, significant class settlements are beginning to be approved across the country from early Federal Wiretap cases utilizing the crime tort exception. See, e.g., Smith v. Loyola University Medical Center, No. 1:23-cv-15828 (N.D. Ill.) ($2.6 million); Kane v. University of Rochester, No. 6:23-cv-06027 (W.D.N.Y.) ($2.85 million), and Cooper v. Mount Sinai Health System, Inc., No. 23-cv-9485 (S.D.N.Y.) ($5.2 million).

Beyond Health Data and HIPAA 

While most Federal Wiretap Act claims to date have centered on healthcare data sharing and HIPAA violations, the crime-tort exception opens the door to a much broader range of privacy claims. 

Darrow is continuously exploring how emerging technologies intersect with evolving interpretations of the Federal Wiretap Act. Our legal intelligence analysts identify where violations like these may be hiding across industries beyond HIPAA, and into the next frontier of privacy litigation.

As courts continue to clarify the contours of this exception, several promising areas are emerging for plaintiffs and privacy attorneys:

• ‍Financial data: The unauthorized disclosure of consumer financial information, such as credit card details, transaction histories, or account activity, to third-party advertisers or analytics providers could implicate the Federal Wiretap Act when done without consent or in violation of consumer protection laws or financial regulations.‍
• Employment contexts: Employers who intercept or monitor employee communications without proper consent may also fall within the Act’s reach, particularly when such monitoring exceeds legitimate business interests or violates employees’ privacy.‍
• Consumer tracking: The increasing use of pixels, cookies, and behavioral analytics tools raises new questions about the interception of biometric, location, or browsing data under deceptive or undisclosed circumstances. As these technologies evolve, so too will opportunities to test the limits of the crime-tort exception in digital environments beyond healthcare.

This Might Interest You:

• Defining Interception: Wiretap Laws in the Digital Age
• Driver Privacy in California: Lessons from CETCPA Litigation
• The Right of Publicity: What Plaintiffs Attorneys Should Know