There's a litigation wave moving through corporate America right now, and most of the businesses being hit never saw it coming. Plaintiffs' firms are filing suits, and sending thousands of demand letters, under state wiretapping statutes written in the late 1960s. The alleged violation is something running on nearly every credit union website in America: Google Analytics, Google Tag Manager, ad pixels, chat widgets, and marketing automation tags, deployed without a cookie consent banner.
Healthcare systems have been sued. Nike has been sued. Small agencies and family businesses have been sued. As an agency that builds and audits credit union websites for a living, we've watched this playbook up close, reviewed the complaints, and studied how these cases actually unfold. I'm not an attorney, and nothing here is legal advice. But credit union leaders deserve a plain-English briefing, because your website checks every box on the target profile.
The legal theory: Old wiretap laws, new targets
Two state statutes are driving most of this litigation.
The first is Florida's Security of Communications Act (Fla. Stat. Chapter 934), passed in 1969 to govern phone wiretaps. Florida is an all-party consent state, and the FSCA prohibits installing or using a "pen register" or "trap and trace device" without a court order. Pen registers were the physical machines law enforcement used to log the phone numbers a suspect dialed.
The second is the California Invasion of Privacy Act (Cal. Penal Code § 638.51), passed in 1967, with nearly identical pen register language.
Here's the creative leap plaintiffs' attorneys made: when a visitor loads a website, third-party scripts like Google Analytics capture "routing, addressing, or signaling information," including the visitor's IP address. The argument is that this makes a tracking cookie or pixel a modern-day pen register, installed on the visitor's browser without a court order and without consent.
That theory got real traction in Greenley v. Kochava, 684 F. Supp. 3d 1024 (S.D. Cal. 2023), where the court stated that software which identifies consumers, gathers data, and correlates that data through unique fingerprinting falls within CIPA's pen register definition. Greenley, along with Moody v. C2 Education Systems, opened the floodgates to a wave of cases targeting website tracking tools.
Florida followed. A 2025 ruling in W.W. v. Orlando Health, Inc. changed Florida's legal landscape when a federal court declined to dismiss wiretap claims over a hospital's tracking pixels. What started with healthcare providers has expanded to any consumer-facing website using common digital marketing tools.
These cases follow a remarkably consistent pattern, and understanding it is the difference between panic and a plan.
Step one: The scan
Before a suit is filed or a demand letter is sent, an automated tool scans the target website and documents every tag firing without a consent management platform. That scan becomes Exhibit A. The complaints we've reviewed list entirely ordinary marketing stacks: Google Analytics 4, Tag Manager, remarketing pixels, LinkedIn, HubSpot. Nothing exotic. Plaintiffs' firms are scanning websites at scale right now, and they don't care whether the owner has ever heard of the FSCA.
Step two: The math
Florida complaints are often pleaded with modest damages, sometimes capped low enough to stay in county or small claims court, where mounting a defense is impractical. But the FSCA's damages provision runs at $100 per day or $1,000, whichever is greater, and the statute allows recovery of attorney's fees and costs on top. Under California's CIPA, statutory damages reach $5,000 per violation. That fee-shifting and per-day structure is the engine of the entire business model.
Step three: The squeeze
Initial demands typically come in well above the pleaded damages, justified by the running per-day clock plus fees, and then drop when the defendant pushes back, because these firms' economics depend on volume and velocity, not on litigating any single case. The entire structure is calibrated to one reality: settling costs less than defending, even when the underlying legal theory is shaky. And the theory is genuinely shaky. In January 2026, an Orange County Superior Court judge rejected the Greenley reasoning entirely and dismissed pen register claims against an online business. But unsettled law doesn't slow demand letters. It fuels them, because defendants can't count on a quick dismissal.
This is also why prevention is so disproportionately valuable. A documented consent setup doesn't just reduce the odds of being targeted; it gives a business the evidence to make a demand letter go away before it becomes a filing.
Credit unions check every box on the target profile.
First, your websites run heavy marketing stacks. Analytics, ad pixels, chat widgets, session recording, marketing automation. Every tag is a potential allegation.
Second, you collect sensitive financial context. The Orlando Health line of cases shows courts are most receptive when the captured data reveals something substantive about the visitor. Someone browsing your debt consolidation or hardship assistance pages is exactly the fact pattern plaintiffs' firms look for.
Third, you serve members across state lines. A business doesn't need a branch in Florida or California to be sued there. These suits are routinely filed where the website visitor lives, not where the company operates. If your field of membership, indirect lending, or blog traffic reaches those states, you have exposure.
The gap between "marketing best practice" and "litigation target" closed faster than almost anyone in the industry tracked. Closing it back up is straightforward, and the irony of this entire litigation wave is how inexpensive prevention is. Here's the framework we now build into every credit union website we work on:
- Inventory every tag on your site. Run a scan and document every third-party script, pixel, and chat tool. Plaintiffs' firms are scanning your site whether you do or not. You want to see what they see, first.
- Deploy a consent management platform and block scripts until consent. We use and recommend CookieYes, which scans for tracking technologies, holds non-essential scripts until the visitor consents, and keeps an audit trail of every consent record. That audit trail matters as much as the banner: documented proof that scripts don't fire before consent is what gets demand letters withdrawn. A banner that displays while tags fire in the background is worse than useless. It's evidence the operator knew consent mattered and collected data anyway.
- Audit your sensitive pages first. Loan applications, financial wellness content, chat transcripts. Anywhere a member communicates something substantive about their finances deserves the strictest treatment.
- Loop in counsel and your insurance carrier. Ask whether your cyber policy covers wiretap and privacy claims. Many exclude them. And if a demand letter or complaint ever arrives, get counsel involved before responding. Speed matters, but so does not negotiating against yourself.
- Revisit quarterly. Marketing teams add tags constantly. A consent setup that was clean in January can be out of compliance by June.
The marketing technology on your website isn't going away, and it shouldn't. Analytics and remarketing are how credit unions compete with billion-dollar banks for member attention. But the rules around deploying that technology changed faster than the industry noticed, and the plaintiffs' bar built a business model in the gap.
We've studied this playbook closely, and we now build consent-first tracking into every credit union website we work on, because visibility and compliance have to grow together. If you're unsure where your credit union stands, get in touch with us and we'll run the same scan the plaintiffs' firms are running, before they do.
(For general informational purposes only. Laws and their interpretations vary by jurisdiction and circumstance, so please consult qualified legal counsel before implementing anything described above.)