Welcome to Part Two of our series that examines the ECPA as a private right of action for privacy policy inaccuracies. In Part One of this series, we examined how a wave of state-law wiretapping litigation — predominantly under California’s Invasion of Privacy Act (CIPA) — set the stage for a new and more expansive federal class action litigation threat. After years of plaintiffs targeting websites that deploy tracking technologies such as pixels and cookies, a series of defense wins in 2025 (and pending legislative action) encouraged plaintiffs’ firms to seek alternative theories. They found one in the Electronic Communications Privacy Act (ECPA).
The ECPA allows plaintiffs to sue in any state, and it can carry statutory damages of the greater of $100 per day of violation or $10,000. To state a claim, however, a plaintiff must establish the “crime tort” exception applies to overcome the ECPA’s “one party” consent defense. ECPA lawsuits were not unheard of prior to August 2025, but they typically focused on companies in regulated industries such as healthcare.
Then, an August 2025 decision from the Northern District of California opened the door to potential ECPA claims against any company with a privacy policy. In rejecting a defendant’s motion to dismiss, that court held that alleged misrepresentations in a company’s own privacy policy or other privacy disclosures could supply the predicate tort under the ECPA’s crime-tort exception (the ECPA Privacy Policy Order). That ruling established a replicable formula: the transfer of personal information using so-called tracking technology → an allegedly inaccurate privacy policy or consent banner → the resulting invasion of visitors’ reasonable privacy expectations → a viable federal wiretapping claim and potential statutory damages. Dozens of complaints have followed.
In this post, we build upon our overview of the ECPA and the August 2025 decision that opened a new avenue for ECPA-plaintiffs. We look at how ECPA complaints have changed since that August 2025 decision and the different flavors of alleged misrepresentations in privacy policies and other privacy disclosures asserted in these filings. We conclude with steps companies can take to mitigate the litigation risk posed by ECPA claims.
1. What Has Happened Since the August 2025 ECPA Privacy Policy Order
The ECPA Litigation Surge
We have been systematically using AI to track new ECPA complaints since the ECPA Privacy Policy Order to better understand the scope and direction of the ECPA litigation wave. Our analysis of 197 ECPA complaints filed between September 2025 and March 2026 reveals several important patterns regarding privacy disclosure-based ECPA lawsuits. First, the volume and consistency of lawsuits alleging ECPA claims grew significantly between September 2025 and March 2026, doubling, tripling, and in some months even quadrupling the number of ECPA complaints filed in those same months last year:

While the August 2025 ECPA Privacy Policy Order is certainly not solely responsible for this surge, it is obviously a driving force. From the chart below we see that ECPA complaints began ramping up between May and August 2025. During that timeframe, a single firm filed 45 ECPA cases and thirty (30) of those complaints — 67% — alleged privacy policy misrepresentations. On the heels of a temporary filing dip in October and November 2025, ECPA filings began to take off:

In fact, the 46 lawsuits filed in March 2026 represent the second highest number of ECPA-related filings since January 2022. The next three highest ECPA complaint filing months occurred between September 2025 and February 2026.
Whether this wave continues or recedes will depend on whether and how many different plaintiffs’ firms start bringing claims. Once again, the data suggests we could see a continued increase in ECPA filings as new class action firms outside California start filing complaints. Between September 2025 and March 2026, a relatively small number of class action plaintiffs’ firms filed most of the ECPA complaints:
| Firms | Number of ECPA Complaints Filed | Percentage of all filings |
| --- | --- | --- |
| Top 2 firms | 70 of 197 | 35.5% |
| Top 5 firms | 104 of 197 | 52.8% |
| Top 10 firms | 122 of 197 | 61.9% |
| All other firms | 75 of 197 | 38.1% |
Most of the top 5 firms are the “usual suspects” that have been filing wiretapping claims for years. What is more interesting is the rest of the top 10. Prior to the ECPA Privacy Policy Order in August 2025, most tracking technology litigation was filed in California under CIPA. This required plaintiffs’ firms to have a California presence or be associated with local counsel. With the shift to nationwide litigation allowed by the ECPA, however, we are seeing complaints filed outside California as plaintiffs’ firms test how other courts react to these theories. While the top 4 filing firms are stationed in and focus on California, the remaining six firms in the top 10 are headquartered elsewhere, including New York, Arkansas and Minnesota.
Breaking Down Plaintiffs’ ECPA Allegations
While the big picture is interesting, using AI we carefully analyzed the specific allegations of these ECPA complaints for additional details and insights. To capture and understand the plaintiffs’ filing patterns, we categorized the crime-tort predicates for ECPA lawsuits filed during the post-August 2025 time frame into three tiers.
Tier 1: ECPA lawsuits alleging that a privacy policy or other misrepresentation forms an independent basis for application of the ECPA crime-tort exception.
To distinguish between the types of purported misrepresentations alleged by plaintiffs, we further broke Tier 1 down into five sub-tiers. Complaints in Tier 1.1 allege a misrepresentation in the privacy policy alone. Those in Tier 1.2 allege the presence of a consent banner that did not operate properly, such that the website tracked users after they opted out, thereby misrepresenting what information would be transferred through trackers. Tier 1.3 is a combination of 1.1 and 1.2, where the complaint alleges both a privacy policy misrepresentation and a “broken banner.” Tiers 1.4 and 1.5 are similar to Tiers 1.1 and 1.2, but also include allegations of statutory violations such as HIPAA that were seen prior to the August 2025 ECPA Privacy Policy Order.
Tier 2: ECPA lawsuits that don’t allege a misrepresentation to support application of the crime-tort exception, but rather typically allege statutory violations as the predicate for ECPA crime-tort claims (e.g., HIPAA).
Tier 3: ECPA lawsuits that do not fit into Tier 1 or Tier 2.
| Tier | Name | Description | Number |
| --- | --- | --- | --- |
| 1. | Misrepresentation Alleged | Complaints alleging misrepresentation in privacy policy, cookie policy, or consent banner as basis for crime-tort predicate | 112 (56.9%) |
| 1.1 | Privacy Policy Misrepresentation Only | Complaint alleges misrepresentations in the privacy policy or other privacy disclosures satisfy the “crime tort” exception required to state an ECPA claim. No alleged statutory violations. No broken banner allegations. | 21 |
| 1.2 | Broken Banner Only | Complaint alleges the consent management process did not work as represented. Broken/misleading consent banner → invasion of privacy (“IoP”) as sole crime-tort predicate. No Privacy Policy language quoted. | 28 |
| 1.3 | Privacy Policy Misrepresentation + Broken Banner | Complaint alleges both a privacy policy misrepresentation and a “broken banner.” | 9 |
| 1.4 | Broken Banner + Statutory Violation | Complaint alleges a “broken banner” and statutory violations (e.g. HIPAA, CMIA, GLBA, etc.). No separate privacy policy misrepresentation alleged or quoted in the complaint. | 4 |
| 1.5 | Privacy Policy Misrepresentation + Statutory Violation | Complaint alleges both a privacy policy misrepresentation plus statutory violations (e.g. HIPAA, CMIA, GLBA, etc.). No broken banner allegation. | 50 |
| 2. | No Misrepresentation | ECPA claims that do not allege misrepresentations | 69 (35.0%) |
| | ECPA + Statutory/IoP — No Misrepresentation | Crime-tort predicate rests on statutory violations and/or general invasion of privacy claims. No privacy policy misrepresentation or broken banner alleged. | 69 |
| 3. | Structural Outliers | Nonstandard paradigms — suing tracker vendor directly, novel theories, non-website contexts, etc. | 16 (8.1%) |
| | Total ECPA Complaints Classified | | 197 |
In summary:
- Of the 197 ECPA lawsuits filed since September 2025, 112 lawsuits (or 57%) alleged a privacy misrepresentation (privacy policy and/or broken banner) as an independent predicate for the ECPA crime-tort exception;
- Of those 112 complaints, 80 (or 71%) alleged, in whole or part, a privacy policy misrepresentation as an independent basis for the ECPA crime-tort exception; and
- Of those 112 complaints, 58 (or 52%) alleged a privacy misrepresentation (privacy policy and/or broken banner) as an independent claim, without any independent statutory violation alleged.
What Do These Numbers Tell Us?
There are several key takeaways from this data.
The privacy policy/misrepresentation theory is real and growing. These numbers suggest that class action plaintiffs’ firms are relying more heavily on alleged privacy misrepresentations to support ECPA claims. And it appears the target base is increasing because plaintiffs’ firms can now go after a larger population of defendants in multiple jurisdictions that don’t operate in regulated industries like healthcare.
In fact, during the September 2025 to March 2026 timeframe, an alleged privacy misrepresentation and corresponding intrusion upon seclusion claim was used as the ECPA crime-tort predicate nearly as much as HIPAA:

The geographic footprint is widening for tracking technology litigation. The lack of geographic constraints may also serve as an accelerant for ECPA cases. Because the ECPA is a federal law, an ECPA lawsuit can be filed in any state and is not limited to the 12 states that have all-party consent wiretapping laws. While California filings still dominate because plaintiffs often allege both CIPA and ECPA claims, class action lawyers in other states are becoming more active.

Healthcare ECPA cases have not stopped — they have layered. Sixty-eight ECPA complaints during the period alleged privacy policy misrepresentations in addition to statutory violations like HIPAA and CMIA as additional crime-tort predicates. These cases are predominantly against hospitals and health systems. In short, privacy misrepresentation allegations provide plaintiffs with another independent tool to go after regulated entities. Considering that ECPA claims based on HIPAA are often allowed to proceed past a motion to dismiss, there is a risk that courts will deny motions to dismiss based on HIPAA and privacy misrepresentations, which could provide favorable caselaw for future ECPA claims based solely on privacy misrepresentations.
Alleged consent banner-related misrepresentations are a distinct but common variant. Forty-one of the ECPA complaints filed since September 2025 allege misrepresentations stemming from a “broken” consent banner. Here, website owners represent that website visitors can opt out of the deployment of tracking technologies, but the consent banner and process do not actually work as described. The formula, however, is similar: a consent banner’s promise to refrain from sharing personal information through tracking technologies creates an expectation of privacy, which is allegedly dashed when the visitor’s choice is not honored. This theory can be especially challenging for website owners who may not know their banner is not operating properly, which unfortunately is not uncommon based on our experience.
California class action firms are now leading with ECPA. This is perhaps the most significant trend. Plaintiffs’ firms that built their practices on CIPA litigation are now leading with ECPA claims in demand letters and complaints. In some demand letters we have reviewed, CIPA is not alleged at all. In many complaints, ECPA claims are listed as the first cause of action and many of the allegations are dedicated to establishing predicates for application of the crime-tort exception, including alleged privacy policy and other misrepresentations.
2. The Different Flavors of Privacy Disclosure Misrepresentation Allegations
Our review of the 112 complaints categorized as Tier 1 above shows not all privacy disclosure-based ECPA claims look the same. From our review of the complaint corpus, we have identified several recurring categories of alleged misrepresentation:
1. The “No PII” Cases. This is the allegation that led to the ECPA Privacy Policy Order. The privacy policies in these cases state that cookies or tracking technologies “do not collect personally identifiable information” or only disclose nonpersonal or de-identified data through trackers. The complaint then alleges pixels, tags, software development kits (“SDKs”), or similar technologies do, in fact, collect and transmit PII — including unique identifiers, hashed emails, IP addresses, device fingerprints, and browsing history linked to user profiles.
2. The “No Third-Party Sharing” Cases. The privacy policy states that personal information will not be “shared with” or “disclosed to” third parties, or will only be shared in specified circumstances. The complaint alleges that tracking technologies transmit data to third parties for those entities’ own commercial purposes — beyond or in contradiction of any disclosed purpose.
3. The “Bait and Switch” Cases. The focus here is on marketing-oriented privacy policy statements concerning “respect”, “valuing” and “understanding the importance” of visitors’ privacy. This variant alleges that by making such statements, the defendant promises privacy protection while secretly deploying, for example, a data broker’s tracking pixel that funnels visitor data into an identity graph used for cross-site profiling, real-time bidding and other targeted marketing.
4. The “Broken Banner” Cases. Here, the website’s consent banner or other disclosures represent that users can opt out of (or refrain from opting into) certain nonessential tracking technologies (e.g., “Reject All” or toggles for “Targeting Cookies”), but the consent process or software does not function as described. These failures can arise from a variety of factors, including misclassification of tracking technologies, misconfiguration (e.g., pixels and scripts not properly placed under the consent manager’s umbrella), timing issues and failures of the consent management tool itself.
5. The “Scope Mismatch.” The privacy policy accurately describes some data collection but fails to disclose the full scope — for example, acknowledging the use of “analytics cookies” but failing to disclose that those cookies enable cross-site tracking or identity resolution through data brokers.
6. The security or protection promise. Privacy policy disclosures indicating that visitors’ personal information is secure, or will be protected by the website owner, which lead to allegations of unauthorized disclosures of personal information when user consent is not obtained for the deployment of tracking technologies.
3. What You Can Do Now
The privacy misrepresentation-crime tort exception formula depends on an alleged gap between what a company says in its privacy disclosures and what its tracking technologies actually do. The existence of such gaps is understandable — it is difficult to describe complex and ever-evolving data processing activities. Moreover, privacy policies were not intended to be read with the precision of a legal contract; they are supposed to use plain language that visitors can understand. Add in that trackers and associated activity occurring on a website change frequently and are difficult to monitor. That can make it difficult to precisely describe what is happening and manage consent processes.
However, the gap exploited by plaintiffs is something companies can take steps to close. Addressing it both reduces the likelihood of being targeted by class action plaintiffs, and creates defensible positions if a claim is filed.
Below are some ways you can make your company less of a target and mitigate ECPA-related litigation risk.
1. Know what is on your website. Conduct a comprehensive technical scan of your website to identify every third-party tracking technology currently deployed — pixels, tags, SDKs, session replay tools, cookie-syncing scripts, and data broker integrations. Many companies do not have a complete inventory, especially when marketing teams deploy tracking technologies without legal oversight. If you just scan the front page of your site, you are likely to miss a lot. Remember, even if you don’t scan your site, plaintiffs’ lawyers and regulators will, and then they can file suits based on their findings. Ignoring the issue does not make it disappear.
2. Determine what you need. Is your organization actually getting any value out of the advertising or analytics tracking technology deployed? Are any of the tracking technologies on your site “legacy” trackers that nobody knows about or uses? If you don’t need particular tracking technologies, remove them.
3. Your privacy policy is not a marketing document. Resist the urge to say privacy is respected, valued, or important to you. Those assurances are assumed — and vague feel-good language in a legal document can create exposure without providing any real benefit. Stick to the facts.
4. Do not say “no PII” unless you mean it. For years, some companies have differentiated between “personally identifiable information” or “non-personal information” and personal information. These labels are very difficult to apply and they may not be accurate as these concepts evolve. If your tracking technologies transmit hashed emails, IP addresses, device fingerprints, customer IDs, or any other data that can be linked to an individual — directly or through identity resolution — do not represent that cookies or other tracking technologies “do not collect personally identifiable information.” This is the single most common allegation in the complaints we have reviewed. The same rationale applies to representations around “anonymized” or “de-identified” data use. At the end of the day, for many advertising-focused trackers, serving personalized ads to the correct individual is the entire point of the service. Even if the website owner cannot or would have trouble identifying an individual, if a third party can, most regulators and plaintiffs’ lawyers argue that personal information is involved.
5. Do not say “no third-party sharing” if you are running tracking technologies. If you deploy the Meta Pixel, you are sharing data with Meta. If you use Google Analytics, you are sharing data with Google. Your privacy policy should accurately describe these relationships and the categories of data shared.
6. Ensure your consent banner is working properly. If your consent management tool offers users the ability to reject certain tracking technologies, that functionality must actually work. A “Reject All” button that does not prevent tracking technologies from firing is another plaintiffs’ exhibit. A broken consent process can form the basis of wiretapping (state and federal) and fraud claims. Key considerations include checking: the timing between data transfers through third party trackers and a site visitor’s opt-out, classification of trackers, configuration of tag managers, and configuration of third party consent management software.
7. Narrow the gap between policy and practice. The goal is alignment: your privacy policy should accurately describe your data practices. Given these ECPA cases, this is especially true for any representations related to tracking technologies and related data transfers and processing activities. If you cannot bring your policy language into alignment with what your tracking technologies do, again consider whether you need all of the tracking technologies — or whether you can reconfigure them to match your policy.
8. Implement scanning and governance to monitor the moving target. The steps discussed above are moving targets, and a company’s legal and compliance teams are often the last to know what is going on with their organizations’ websites and apps. Marketing, IT, and product teams often implement new, or modify existing, tracking technologies. A misclassification or misconfiguration during a change can eviscerate the primary defense of these claims: consent. Moreover, the tracking technologies themselves may be changed by their third-party owners, which can also result in legal issues for website owners. Organizations need an established governance process for regularly monitoring their websites (typically through scanning) and for escalating proposed changes to appropriate legal, compliance and IT personnel for vetting.
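Steps 1, 6 and 8 above come down to comparing what a browser actually sends with what the banner and policy say. The following Python script is an added example, not part of the original article or any vendor's tool: it reads a browser HAR capture, inventories third-party sites, lists third-party requests that started after the tester clicked “Reject All”, and flags query values shaped like hashes, emails or IP addresses. The function names, the recorded opt-out time, the sample capture and the `.example` domains are assumptions constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Value shapes that often carry identifiers (heuristics, not proof of PII).
IDENTIFIER_PATTERNS = {
    "hex_digest": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}

def site_of(url):
    """Last two DNS labels of the host. Simplification: a production audit
    should use the Public Suffix List (co.uk-style domains break this)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def parse_time(stamp):
    # HAR timestamps are ISO 8601 with a trailing "Z"; normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def audit_capture(har, first_party_site, reject_time):
    """Return the third-party inventory, third-party requests that started
    after the opt-out, and query parameters that look like identifiers."""
    rejected_at = parse_time(reject_time)
    report = {"third_parties": set(), "after_reject": [], "identifiers": []}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        site = site_of(url)
        if site == first_party_site:
            continue  # first-party traffic is out of scope for this check
        report["third_parties"].add(site)
        if parse_time(entry["startedDateTime"]) > rejected_at:
            report["after_reject"].append(url)
        for name, value in parse_qsl(urlsplit(url).query):
            for label, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.match(value):
                    report["identifiers"].append((site, name, label))
    return report

def _entry(stamp, url):
    return {"startedDateTime": stamp, "request": {"method": "GET", "url": url}}

# Constructed sample capture: the tester clicked "Reject All" at 12:00:05.
SAMPLE_REJECT_TIME = "2026-03-01T12:00:05.000Z"
SAMPLE_HAR = {"log": {"entries": [
    _entry("2026-03-01T12:00:00.000Z", "https://shop.example/"),
    _entry("2026-03-01T12:00:01.000Z", "https://cdn.shop.example/app.js"),
    _entry("2026-03-01T12:00:02.000Z",
           "https://tags.tracker.example/collect?cid=abc123&page=%2F"),
    _entry("2026-03-01T12:00:09.000Z",
           "https://pixel.adnetwork.example/tr?em=" + "ab" * 32 + "&ev=PageView"),
    _entry("2026-03-01T12:00:10.000Z", "https://shop.example/api/cart"),
]}}

if __name__ == "__main__":
    result = audit_capture(SAMPLE_HAR, "shop.example", SAMPLE_REJECT_TIME)
    print("Third-party sites:", sorted(result["third_parties"]))
    print("Requests after opt-out:", result["after_reject"])
    print("Identifier-like parameters:", result["identifiers"])
```

A capture from the landing page alone will miss trackers loaded elsewhere, so repeat the check on checkout, account and form pages and rerun it after each tag manager or site change.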
Our Take
The ECPA Privacy Policy Order did not create a new privacy statute. Rather, it established (at the pleading stage at least) a new application of an existing law that was promulgated to regulate a completely different technology. In doing so, it opened a pathway for plaintiffs’ firms to bring federal wiretapping claims against virtually any company that operates a website with third-party tracking technologies and privacy disclosures that do not accurately describe what those technologies do. Unfortunately, many privacy disclosures were drafted at a time when ECPA exposure was not on the radar. Many contain legacy language that does nothing more than increase litigation risk.
Complaints are being filed at an accelerating pace, across industries, in courts nationwide. The plaintiffs’ bar has a formula. It works at the motion to dismiss stage. And the potential statutory damages exposure — $10,000, multiplied across a class of website visitors — creates settlement pressure that few companies can ignore.
The reality is that addressing ECPA tracking technology risk requires the same balanced approach applicable to CIPA: close collaboration between legal, technology, and business stakeholders to assess the situation, calibration of the risk, and implementation of solutions that are defensible without crippling business operations. The difference now is that the risk is national, the formula is simpler, and a more diverse group of plaintiffs’ firms are bringing claims. Fortunately, organizations can mitigate their litigation risk by reviewing and updating their privacy disclosures and taking steps to ensure their consent management platform works properly.