In 2025, many courts assessing claims under the federal Wiretap Act confronted a common fact pattern—use of modern web‑tracking technologies (e.g., pixels, session replay scripts, analytics tags) that contemporaneously intercept and disclose website visitors’ communications—but disagreed about whether the act’s crime/tort exception applies when the primary motivation for intercepting such communications was commercial gain. One set of decisions construed the exception to apply whenever the interceptor acted for the purpose of committing a qualifying act (such as disclosure that constitutes a tort or violates a law), even if advertising or profit was the overarching motivation. Other decisions required plaintiffs to allege a specific intent to commit a crime or tort, or to allege a purpose for the interception tied to a distinct downstream wrong.

The issue remains unsettled heading into 2026, with outcomes varying significantly based on the court, the specific facts alleged, and the crime or tort at issue. Please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog to stay up to date on these and related developments.

Statutory Framework

The federal Electronic Communications Privacy Act (Wiretap Act) imposes liability for the intentional interception of wire, oral or electronic communications.¹ The statute includes a one-party consent safe harbor, under which a party to a communication is permitted to intercept the communication (or consent to its interception) without the consent of other parties.² However, this protection does not apply if the party’s interception or consent is tied to an independent criminal or tortious purpose.³ Courts have interpreted this crime/tort exception to require more than the act of interception itself; plaintiffs must allege that the interception was undertaken to commit a separate crime or tort, such as violating privacy or consumer protection laws.⁴

Common Facts, Different Conclusions

Recent litigation has focused on whether the Wiretap Act’s crime/tort exception applies to the interception and disclosure of website data for targeted advertising purposes (in other words, for commercial gain).

Many courts confronting the issue have construed the text of the act’s crime/tort exception—“unless such communication is intercepted for the purpose of committing any criminal or tortious act”—to mean that the exception applies whenever the interceptor acts for the purpose of committing an act that is criminal or tortious, regardless of whether the interceptor acted with a criminal/tortious purpose.⁵ On this view, it is irrelevant whether the interceptor had a primary pecuniary purpose for the interception. As one court put simply, “[i]f the purpose is to do X, and if X is a crime or a tort, then the crime-tort exception to the one-party consent rule applies.”⁶ The opposite reading, that court explained, would effectively import a mens rea element into the statute, which Congress could have required but did not.⁷ Many courts also reasoned that a pecuniary purpose and a criminal/tortious purpose are not mutually exclusive, and treating the presence of a pecuniary purpose as effectively exculpatory would risk swallowing the crime/tort exception entirely.⁸

Under this seemingly common interpretation, a complaint must include allegations about the purpose of the interception, and such purpose must be to commit an act that constitutes a crime or tort. For example, the interception of health data for the purpose of disclosing it to third parties could fall under the crime/tort exception if the disclosure of such data violates the Health Insurance Portability and Accountability Act (HIPAA);⁹ in contrast, the exception likely would not apply to the disclosure of generic web data that lacks similar legal protections,¹⁰ though such protections could arise in tort and need not extend from a statute.¹¹

A handful of courts have taken the opposite view, holding that application of the crime/tort exception requires a specific intent to commit a crime or tort. Under this interpretation, when a complaint alleges that an interceptor used website trackers only for marketing and advertising purposes—and not to knowingly commit a crime or tort—the exception cannot apply.¹²

But even where courts did not dispute the common textual interpretation, many nevertheless dismissed Wiretap Act claims after construing the statute to impose a heightened intent requirement whereby the interception must occur for the purpose of committing a separate, downstream wrong.¹³ As one court explained, the statute requires “the goal or aim of the interception itself” to be to commit an independent crime or tort; “[i]t is not enough that a crime or tort was a mere side‑effect of the interception.”¹⁴ On that view (and regardless of any specific intent to commit a further crime or tort), the exception cannot apply to the single act of deploying a web-tracking tool that simultaneously captures and shares data with third parties, because there is no separate, downstream disclosure of the data distinguished from the interception itself.¹⁵

Here, too, the specific facts pleaded matter greatly. For example, where a complaint alleges that health data was simultaneously intercepted, recorded and transmitted to third parties, there is no separate act of disclosure that could constitute a separate wrong (even if such disclosure separately may constitute a HIPAA violation);  but where a complaint frames the disclosure of health data as a distinct act—such that the interception occurred for the alleged purpose of separately disclosing such data—the crime/tort exception may apply.

Key Takeaways

These decisions reflect growing attempts to apply the Wiretap Act to modern web-tracking and advertising practices. The emerging picture is unsettled, and the viability of these claims frequently turns on how the alleged purpose, act and downstream consequences are articulated and proven. Allegations that describe only profit‑oriented interception, absent a separable act, typically fail. In contrast, those that articulate the specific act the interceptor set out to commit through the interception—and explain how that act is criminal or tortious under governing law—are more likely to survive early motions.

In any event, courts continue to treat the same sets of facts differently. Allegations involving HIPAA have emerged as a key example of this divide: Some courts treat knowing disclosure of individually identifiable health information as the qualifying act; others view HIPAA allegations as inseparable from contemporaneous capture/transmission and thus insufficient to show a separate wrong. Across all types of cases, results diverge depending on whether alleged uses or disclosures of web data are framed as qualifying acts under governing law, whether consent and policy disclosures are adequate, and whether the complaint ties the interception to a concrete legal violation rather than generalized commercial aims.

Given the absence of uniform rules and the sensitivity to factual framing, the risk landscape is fluid. Clients should expect court‑dependent variability as courts continue to refine the scope of the Wiretap Act’s crime/tort exception, particularly in the context of modern digital marketing.

Please join us at one of our East Coast offices—DC, NYC, or Boston—for a practical update on what’s ahead in 2026, including new state privacy and AI laws, enforcement and litigation trends, breach risks, and actionable compliance strategies. After the briefing, there will be a networking reception. CLE credit is pending.  Full details and an RSVP link are provided in the below link.

Full details and an RSVP link can be found here.

1. See 18 U.S.C. § 2511(1)(a).
2. See id. § 2511(2)(d).
3. See id.
4. See, e.g., Caro v. Weintraub, 618 F.3d 94, 100 (2d Cir. 2010).
5. See, e.g., B.N. v. Or. Reprod. Med., LLC, 2025 WL 3165965, at *4 (D. Or. Nov. 12, 2025); Stein v. Edward-Elmhurst Health, 2025 WL 580556, at *5–6 (N.D. Ill. Feb. 21, 2025).
6. Stein, 2025 WL 580556, at *6.
7. See id.
8. See, e.g., id.; B.N., 2025 WL 3165965, at *5; Riganian v. LiveRamp Holdings, Inc., 791 F. Supp. 3d 1075, 1090 (N.D. Cal. 2025); R.S. v. Prime Healthcare Servs., Inc., 2025 WL 103488, at *7 (C.D. Cal. Jan. 13, 2025).
9. See, e.g., R.S., 2025 WL 103488, at *7 (explaining that defendant’s financial gain “was contingent on disclosing HIPAA-protected information to third parties” and that “[l]egitimate objectives, like increasing revenue, do not shield a party from liability for crimes or torts committed in the process”); Doe v. Tenet Healthcare Corp., 789 F. Supp. 3d 814, 849–850 (E.D. Cal. 2025) (same).
10. See, e.g., Lakes v. Ubisoft, Inc., 777 F. Supp. 3d 1047, 1057–1058 (N.D. Cal. 2025) (dismissing Wiretap Act claim where only alleged purpose for intercepting non-health website data was to disclose it for targeted advertisements).
11. See, e.g., Smith v. Rack Room Shoes, Inc., 2025 WL 2210002, at *5 (N.D. Cal. Aug. 4, 2025) (holding that crime/tort exception applies where defendant disclosed web data without consent and its privacy policy did not disclose that a third party may collect, store and analyze a visitor’s browsing and purchase history or use that data for its own commercial purposes).
12. See, e.g., Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732, at *4 (D. Mass. June 24, 2025) (“Because there are no factual allegations in the Complaint from which the court could conclude that [Defendant] installed [pixel] and software-tracking technology with the ‘primary motivation’ of knowingly committing a violation of HIPAA or perpetrating a tort, the Complaint fails.”), appeal filed No. 25-1672 (1st Cir. July 23, 2025); Doe v. Genesis Health Sys., 2025 WL 1000192, at *9 (C.D. Ill. Mar. 18, 2025) (“By Plaintiff’s own account, the ‘trackers’ were ‘used by the Defendant to benefit [Defendant] and its marketing and advertising purposes,’ not for the purpose of knowingly committing a violation of the HIPAA.”).
13. See, e.g., Doe v. Lawrence Gen. Hosp., 2025 WL 2808055, at *10–13 (D. Mass. Aug. 29, 2025), report and recommendation adopted in part, rejected in part, 2025 WL 2807673 (D. Mass. Sept. 30, 2025).
14. Id.
15. See, e.g., id.; Goulart, 2025 WL 1745732, at *4 n.3; Okash v. Essentia Health, 2025 WL 642913, at *3–4 (D. Minn. Feb. 27, 2025).
16. See, e.g., Doe, 2025 WL 2808055, at *13.