In a significant development in the ever-expanding world of privacy class actions, earlier this month a federal judge in Florida denied dismissal of a website privacy claim brought under the Florida Security of Communications Act (FSCA). For years, Florida courts have been reluctant to find that this 50-year-old wiretapping statute could be applied to third-party technologies that analyzed consumer behavior on websites. When a wave of privacy class actions was filed under the FSCA a few years ago, the claims were almost uniformly rejected, as the courts found that the information allegedly intercepted by website technologies had little resemblance to the contents of a wiretapped telephone call. But on March 6, a district court in the Middle District of Florida took a new look at some of the latest website technologies and, in doing so, may have thrown the FSCA back into the mix of decades-old statutes that pose new dangers to consumer-facing websites.
In W.W. v. Orlando Health, Inc.,1 a plaintiff brought a putative class action alleging that she, as a patient of the defendant hospital organization, had used the defendant’s website and shared private medical information to receive healthcare services. According to the plaintiff, this website used “tracking technologies” developed by social media companies and others that were intercepting her communications and using them for advertising purposes unrelated to her health, without her consent. The plaintiff claimed that these technologies violated state and federal wiretapping statutes, including the FSCA and the federal Wiretap Act, as amended by the Electronic Communications Privacy Act (ECPA) of 1986.2
These types of putative class actions are not new — hundreds have been filed in recent years, and Sidley has defended dozens of these cases and has offered guidance to companies on how to avoid these lawsuits.3 But most of these lawsuits have been brought under statutes such as California’s Invasion of Privacy Act or the federal Video Privacy Protection Act. In these cases, courts have been willing to interpret these decades-old statutes as applicable to websites or mobile applications. The FSCA is rarely invoked in such cases. In fact, when the plaintiffs’ bar suddenly began filing numerous FSCA cases based on alleged website privacy violations a few years ago, Florida courts repeatedly dismissed these cases.
In the first meaningful decision involving these theories, Jacome v. Spirit Airlines, Inc.,4 a Florida state court found that the FSCA could not be applied to “session replay” technologies on websites. Although these technologies allegedly recorded mouse clicks, movements, keystrokes, and other information submitted on websites, the court found that they were not intercepting the “contents” of the plaintiffs’ interactions with websites. Florida federal courts found this reasoning persuasive, and similar theories of alleged privacy violations on consumer-facing websites were consistently rejected in the following year.5
In Orlando Health, the district court found that the pixel tracking technologies allegedly operating on the healthcare organization’s website were different from the session replay technologies rejected by these courts. The court determined that based on the allegations, these pixel tracking technologies intercepted more than just “keystrokes” and “search terms.” They allegedly shared the content of website users’ communications with third parties, including information that reveals a “substantive message” about their health concerns. The court observed that a number of district courts in other states had reached similar conclusions regarding these technologies, notwithstanding that those decisions did not involve the FSCA and were interpreting different wiretapping statutes. Ultimately, the court concluded that the allegations raised “highly technical questions” about the information allegedly disclosed, which could not be resolved on a motion to dismiss.
It might seem hard to square the outcome in Orlando Health with the rulings from a few years earlier in Jacome and Goldstein, among others. In those cases, the session replay technologies also allegedly intercepted “information inputted by Plaintiff” and the “pages and content viewed by Plaintiff.”6 These allegations do not appear altogether different from the URL information allegedly disclosed by pixel technologies in Orlando Health. However, while Florida courts interpreting the FSCA were previously reluctant to find that technical website communications could be considered substantive content sufficient to trigger wiretapping liability, Orlando Health shows how these decisions may be reconsidered in light of newer website technologies and the nonstop wave of putative class actions challenging these technologies. These trends also underscore the importance of evaluating, inventorying, and managing website technologies to identify and manage privacy risk.
1. No. 6:24-cv-1068-JSS-RMN, 2025 WL 722892 (M.D. Fla. Mar. 6, 2025).
2. 18 U.S.C. § 2511(1).
3. See When Acronyms Attack: Future-Proofing Your Website from CIPA, CDAFA, ECPA, and VPPA Privacy Class Actions, available at https://www.sidley.com/en/insights/events/2023/09/when-acronyms-attack.
4. No. 2021-000947-CA-01, 2021 WL 3087860 (Fla. Cir. Ct. June 17, 2021).
5. See, e.g., Goldstein v. Luxottica of Am., Inc., No. 21-80546-CIV, 2021 WL 4093295 (S.D. Fla. Aug. 23, 2021) (same), report and recommendation adopted, No. 21-80546-CIV, 2021 WL 4125357 (S.D. Fla. Sept. 9, 2021).
6. Jacome, 2021 WL 3087860, at *4.