
Florida Security of Communications Act (FSCA) - The Wiretapping Law

Osman Husain 5/13/26 7:15 PM


 

The short version: The Florida Security of Communications Act (FSCA) is a two-party consent wiretapping law originally passed in 1969. In 2025, a federal court ruled that it applies to website tracking pixels (W.W. v. Orlando Health), and plaintiff firms have filed thousands of FSCA demand letters since. Statutory damages start at $1,000 per violation under Fla. Stat. § 934.10. Compliance requires a true consent gate, not a decorative banner, before any non-essential tracker fires.

 

Florida is in the middle of the largest privacy-litigation surge in its history. Plaintiff firms are filing thousands of website wiretapping claims under a 1969 law most marketers have never read, and the demand letters land on six-figure ad-tech stacks first.

The statute behind the wave is the Florida Security of Communications Act, better known as Florida's wiretapping law, codified at Fla. Stat. § 934. It's a two-party consent statute that, before March 2025, was rarely applied to websites. Then a federal court let an FSCA pixel-tracking claim survive a motion to dismiss, and the plaintiff bar built a playbook around it.

This guide is what every founder, compliance lead, and in-house counsel selling into Florida needs to know in 2026: what the statute actually says, who's at risk, how it differs from California's CIPA, what penalties look like, and the seven-step compliance fix that protects your site from the next round of letters.

 

What is the Florida Security of Communications Act?

The Florida Security of Communications Act is a state wiretapping statute that prohibits the interception of any wire, oral, or electronic communication without the consent of every party to that communication. It was passed in 1969, modeled closely on Title III of the federal Omnibus Crime Control and Safe Streets Act of 1968, and has been amended materially in 1988 and 2002. The full text is codified at Fla. Stat. § 934.

 

Florida is a two-party consent state

Most U.S. states are one-party consent jurisdictions, meaning only one party to a conversation needs to agree to a recording. Florida is one of twelve states that require all parties to consent. That distinction is the legal core of the 2025–2026 web-tracking wave: when a website visitor doesn't know a third-party pixel is intercepting their input, the plaintiff theory is that no consent has been given by one of the "parties" to the communication.

 

Three provisions to know

Three sections of Chapter 934 drive most of the litigation activity:

  • § 934.03. Prohibits the interception of wire, oral, and electronic communications. The catch-all section that defines what "wiretapping" means under Florida law.
  • § 934.10. Establishes civil remedies. Statutory damages are $1,000 per violation, or $100 per day of violation, whichever is greater, plus actual damages, attorney's fees, and potential punitive damages.
  • § 934.31. Prohibits the use of pen registers and trap-and-trace devices without a court order. This is the section plaintiff firms are stretching to apply to website analytics, ad pixels, and session replay tools.

 

From 1969 wiretapping to 2026 ad tech

For most of its history, FSCA was litigated in criminal cases and divorce proceedings: secret audio recordings and intercepted phone calls. It was rarely, if ever, applied to websites. That changed in March 2025, and the next section explains why.

 

Already received an FSCA demand letter?

The first 48 hours matter most. Calendar every deadline (a small-claims summons has a firm 20-day response window in most Florida counties), preserve evidence by backing up your live site and tag manager container today, notify your cyber liability carrier in writing, and retain Florida-licensed privacy counsel before you respond to the firm.

The full triage playbook, including how to identify which type of letter you got, settlement economics by tier, and the five things not to do, is in our Florida FSCA wiretapping demand letter resource.

 

How FSCA applies to websites in 2026

Before March 2025, Florida courts had consistently dismissed FSCA claims against websites. In Jacome v. Spirit Airlines and Goldstein v. Costco, federal judges ruled that ordinary website analytics (clicks, scrolls, page views) were not "contents" of a communication and therefore fell outside the wiretap statute. That distinction held the plaintiff bar at bay for years.

Then on March 6, 2025, a federal judge in the Middle District of Florida refused to dismiss the FSCA claim in W.W. v. Orlando Health, Inc. The court found that pixel-tracking technologies on a healthcare website intercepted "substantive messages" about patient health, not just behavioral metadata, and let the case proceed. Within ninety days, demand letters started arriving at volume.

 

What counts as a wiretap on a website

The post-Orlando Health theory treats third-party trackers as interceptors of "substantive" communications. In practice, plaintiffs target sites that deploy any of the following without prior, informed, all-party consent:

  • Tracking pixels that transmit form inputs, search queries, button clicks, or sensitive-category browsing data, particularly Meta Pixel, TikTok Pixel, Floodlight, LinkedIn Insight Tag
  • Session replay tools that capture mouse movements, scrolls, and keystroke-level data
  • Chat widgets that record full transcripts and ship them to third-party processors
  • Customer data platforms that ingest event-level data before a consent decision is made
  • Ad retargeting scripts that hash and transmit visitor identifiers to ad networks

The line Florida courts are now drawing: if the tracker captures content the visitor sent, what they typed, searched, or clicked through to, it's in scope. If it captures pure movement, behavior, or session metadata, you still have the narrower 1988 movement-tracking defense available under Goldstein v. Costco. The line is moving, and pixels are firmly on the wrong side of it.

Who's at risk

Four industry verticals are absorbing the bulk of 2025–2026 FSCA filings:

  • Healthcare. Highest exposure. Patient portals, appointment booking, symptom checkers, and any other page that handles PHI make a site triple-risk (FSCA + HIPAA + state-specific health privacy law). Orlando Health was a healthcare defendant.
  • Ecommerce. High exposure. Checkout flows, account pages, and product-discovery journeys deploy the densest pixel stacks in the industry. Nike's pixel deployment is the subject of Magenheim v. Nike, the bellwether case discussed below.
  • Financial services. Moderate-to-high exposure. Quote forms, account dashboards, and lead-capture pages collect substantive content covered by the statute.
  • Ad tech and marketing platforms. Indirect exposure. Vendors whose code runs on customer sites can be named as co-defendants or third-party intermediaries.

 

The 2025–2026 FSCA litigation wave

Demand letters are arriving in three patterns, and the response playbook depends on which one shows up.

The four plaintiff firms behind most filings

A small number of firms are driving the majority of FSCA activity:

  • Salpeter Gitkin. Federal class actions. Filed Magenheim v. Nike in the Southern District of Florida and a parallel action against The Walking Company. Amount in controversy exceeds $5 million in both.
  • Johnson Dalal. Volume small-claims model. Hundreds of individual filings out of Broward County seeking $500 to $2,500 per plaintiff. Cheap to file, expensive to defend, designed to stack pressure for fast settlements.
  • Morgan & Morgan. Multi-jurisdictional, often coordinating with out-of-state co-counsel on larger class actions.
  • Bryson Harris Suciu Demay. Emerging filer with cross-statute claims that bundle FSCA with FTSA (the Florida Telephone Solicitation Act) and federal wiretap counts.

Three letter types

Most defendants will receive one of three documents:

  1. Pre-suit demand letter. A settlement offer on firm letterhead citing §§ 934.03 and 934.31, usually with a five- or six-figure "early resolution" number. No case filed yet. Negotiable.
  2. Small-claims summons. A real filing in Broward County Court with a firm 20-day response window. Default judgment if you miss it.
  3. Federal class action. Filed in the Southern or Middle District of Florida, often with $5M+ amount in controversy. Bet-the-company tier.

 

The trial that resets the math: Magenheim v. Nike

Magenheim v. Nike (S.D. Fla.) is set for trial on November 2, 2026, the first major FSCA pixel case heading to a jury. A plaintiff verdict accelerates the wave nationwide; a defense win or mid-trial settlement dampens it. Either outcome reshapes settlement economics on every open demand letter. Track this case if you've received a letter, are negotiating one, or are deciding how much to invest in remediation.

 

FSCA vs CIPA: How Florida and California compare

Most of the FSCA playbook is borrowed from California's CIPA (the California Invasion of Privacy Act): same plaintiff theory, same pixel targets, similar damages model. The differences matter for compliance posture and litigation defense.

| Feature | Florida FSCA | California CIPA |
| --- | --- | --- |
| Statute | Fla. Stat. § 934 | Cal. Penal Code §§ 631, 632, 632.7 |
| Year passed | 1969 (amended 1988, 2002) | 1967 (amended 1992, 2017) |
| Consent rule | All-party (two-party) | All-party (two-party) |
| Statutory damages | $1,000 per violation OR $100/day, whichever is greater | $5,000 per violation OR 3× actual damages |
| Key web-tracking section | § 934.31 (pen register / trap & trace) | § 631 (eavesdropping), § 638.51 (pen register) |
| Inflection ruling | W.W. v. Orlando Health (March 2025) | Javier v. Assurance IQ (2022, 9th Cir.) |
| Class action floor | $5M federal | $5M federal |
| Standing | Florida residents/visitors | California residents |
| Defense carveout | 1988 movement-tracking carveout | Narrowing "browsing data" defense |
 

 

Both states are part of the twelve-state all-party consent club, which means the same compliance posture generally works in both, but FSCA's § 934.31 pen-register section is a discrete exposure CIPA doesn't carbon-copy, and the dollar math is different. California's $5,000-per-violation floor is five times Florida's, but Florida's $100-per-day mechanic can stack faster on a long-running uncured site.

A short version: if you're already CIPA-compliant in California, you're 80% of the way to FSCA compliance in Florida. The last 20% is auditing your tag stack against § 934.31's pen-register theory and documenting consent timestamps that hold up in Florida court specifically.

 

Penalties under FSCA: The cost of violations

Damages compound across three layers:

  • Statutory damages. $1,000 per violation, or $100 per day of violation, whichever is greater.
  • Actual damages. Plaintiffs can recover documented financial harm on top of statutory damages, though this is rarely the largest component in pixel-tracking cases.
  • Attorney's fees and costs. Awarded to a prevailing plaintiff, and the primary economic driver for the firms running volume strategies.
  • Punitive damages. Available in cases of intentional or willful violation.

The class-action math is what makes the threat real. A site with 100,000 Florida visitors during a class period, at $1,000 statutory minimum per visitor, produces $100 million in theoretical exposure. Actual settlements run far lower, typically $2M to $20M for mid-market defendants, depending on facts and discovery, but the theoretical ceiling is what drives plaintiff firms to file and pushes defendants toward early resolution.

Cyber liability and commercial general liability insurance policies sometimes cover privacy claims, but most have 30-day notice requirements and material carve-outs.

 

How to comply with FSCA on your website

Compliance with FSCA is not a cookie banner; it's a system. The defense playbook that works in Florida courts today rests on seven repeatable steps that close the gap between what your site collects and what your visitor agreed to. Each step maps to a specific FSCA element that a plaintiff's complaint will reference.

Step 1. Run a tag audit. Inventory every third-party script firing on every page. For each tag, record what data it captures, when it fires (pre-consent vs. post-consent), and which jurisdiction it serves. This list is the evidence file your counsel needs and the punch list your engineering team will work from.

Step 2. Deploy a true consent gate. No non-essential tag fires until the visitor explicitly opts in. "By using this site you agree" language has been repeatedly rejected by Florida courts. A consent management platform that blocks scripts at the loader level, not just hides UI, is the standard.

Step 3. Make the banner statutorily compliant. "Prior, informed, all-party consent" is the FSCA standard. The banner must disclose what's being collected, by whom, and for what purpose, before any non-essential pixel fires. Generic "we use cookies" copy fails this test.

Step 4. Honor Global Privacy Control (GPC) signals. Florida courts have not yet ruled on GPC the way California has, but every plaintiff complaint we've reviewed includes GPC-ignoring allegations. Honoring GPC at the browser level removes an entire category of exposure with zero conversion downside.

Step 5. Maintain timestamped consent logs. Log every accept, every reject, and every preference change with timestamp, IP, and consent string. This audit trail is what gets demand letters withdrawn before they become filings. Two Enzuzo customers have used theirs to dismiss FSCA letters in 2026.

Step 6. Update your privacy policy with named tools. Generic "we use analytics" language fails. Name Meta Pixel, GA4, Floodlight, your session replay vendor, your chat widget, every CDP. Transparency is the opposite side of the same consent coin and is required under the FSCA "informed" prong. Enzuzo's privacy policy generator maintains a live tag-to-policy map so the policy never drifts from what your site actually runs.

Step 7. Re-audit every 90 days. Tag stacks change. Marketers add scripts without telling legal. New campaigns drop new pixels. The single most common cause of an FSCA letter is a tag that wasn't there last quarter. Quarterly re-audits are the only durable defense.
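
As an added illustration of steps 1, 2, 4, 5 and 7 (not Enzuzo's code or any consent platform's API), the JavaScript below keeps a default-deny gate, an append-only consent log, and an audit that replays observed tag fires against both. The tag inventory, category names, record fields, sample data, and the policy of letting a GPC signal override an advertising opt-in are all assumptions made for the example.

```javascript
// Added example. Tag names, categories and record fields are illustrative.
const TAGS = [
  { name: "session-cookie", category: "essential" },
  { name: "ga4", category: "analytics" },
  { name: "meta-pixel", category: "advertising" },
];

// Step 5: append-only log, one frozen record per accept, reject or change.
function recordConsent(log, visitorId, granted, { timestamp, ip, gpc }) {
  const entry = Object.freeze({
    visitorId, timestamp, ip, gpc: gpc === true,
    granted: Object.freeze([...granted].sort()),
  });
  log.push(entry);
  return entry;
}

// Decision in force at instant `at` (null = none yet). Assumes the log is in
// time order and timestamps are same-format ISO 8601 UTC, so they sort as text.
function consentAt(log, visitorId, at) {
  const seen = log.filter((e) => e.visitorId === visitorId && e.timestamp <= at);
  return seen.length ? seen[seen.length - 1] : null;
}

// Steps 2 and 4: default deny. Assumed policy: a GPC signal refuses
// advertising tags even when the banner recorded an opt-in.
function mayLoad(tag, consent) {
  if (tag.category === "essential") return true;
  if (!consent) return false; // no decision yet: block
  if (consent.gpc && tag.category === "advertising") return false;
  return consent.granted.includes(tag.category);
}

// Steps 1 and 7: replay observed tag fires against the log and the inventory.
function auditFires(fires, log, tags = TAGS) {
  const byName = new Map(tags.map((t) => [t.name, t]));
  const findings = [];
  for (const f of fires) {
    const tag = byName.get(f.tag);
    if (!tag) findings.push({ ...f, reason: "not-in-inventory" });
    else if (!mayLoad(tag, consentAt(log, f.visitorId, f.timestamp)))
      findings.push({ ...f, reason: "fired-without-consent" });
  }
  return findings;
}

// Constructed sample data (documentation IP range, made-up visitor ids).
const sampleLog = [];
recordConsent(sampleLog, "v1", ["analytics"], { timestamp: "2026-01-10T12:00:05Z", ip: "203.0.113.7", gpc: false });
recordConsent(sampleLog, "v2", ["analytics", "advertising"], { timestamp: "2026-01-10T12:01:00Z", ip: "203.0.113.8", gpc: true });
const sampleFires = [
  { visitorId: "v1", tag: "meta-pixel", timestamp: "2026-01-10T12:00:01Z" },
  { visitorId: "v1", tag: "ga4", timestamp: "2026-01-10T12:00:06Z" },
  { visitorId: "v2", tag: "meta-pixel", timestamp: "2026-01-10T12:01:02Z" },
  { visitorId: "v2", tag: "tiktok-pixel", timestamp: "2026-01-10T12:01:03Z" },
];
console.log(auditFires(sampleFires, sampleLog));
```

In a browser the GPC value comes from `navigator.globalPrivacyControl`, and on the server from the `Sec-GPC: 1` request header.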

This is what Enzuzo's consent management platform is built for. It blocks non-essential scripts until the visitor consents, honors GPC at the browser level, produces timestamped audit logs that stand up in court, and generates a policy that names every tool your site runs. It is also certified for Google Consent Mode v2 for marketers who need the conversion modeling kept intact.

The same configuration covers Florida, California, GDPR, CCPA, Colorado, and every other jurisdiction in scope.


 

Frequently asked questions

What is the Florida Security of Communications Act (FSCA)?

FSCA is a Florida state wiretapping statute codified at Fla. Stat. § 934 that prohibits the interception of any wire, oral, or electronic communication without the consent of every party to that communication. It was passed in 1969, is modeled on the federal Wiretap Act, and is now being applied to website tracking pixels and session replay tools after the March 2025 ruling in W.W. v. Orlando Health.

Is Florida a one-party or two-party consent state?

Florida is a two-party (all-party) consent state. Every party to an intercepted communication must consent before the interception is lawful. This is the legal foundation for the 2025–2026 website wiretapping wave: when a visitor doesn't know a third-party tracker is intercepting their input, the plaintiff theory is that no consent has been given.

Do website tracking pixels really count as wiretapping under FSCA?

After W.W. v. Orlando Health (March 6, 2025), the answer in Florida federal court is yes, at least for pixels that transmit "substantive messages" like form inputs, search queries, or sensitive-category browsing. Before that ruling, Florida courts had dismissed similar claims in Jacome v. Spirit Airlines and Goldstein v. Costco. The line is moving against defendants for pixel-tracking specifically.

What changed with W.W. v. Orlando Health?

A federal judge in the Middle District of Florida refused to dismiss an FSCA claim against Orlando Health, ruling that pixel tracking on the hospital's website intercepted "substantive messages" about patient health rather than mere behavioral metadata. The ruling broke from prior FSCA dismissals and triggered the 2025–2026 demand letter surge. Within 90 days of the decision, plaintiff firms had filed hundreds of new letters.

How is FSCA different from California's CIPA?

Both are two-party consent wiretapping laws being applied to website trackers, but the dollar math and statutory mechanics differ. CIPA's statutory damages are $5,000 per violation; FSCA's are $1,000 per violation or $100/day, whichever is greater. FSCA's § 934.31 pen-register theory is a discrete exposure CIPA doesn't fully mirror. Most compliance work that satisfies CIPA also satisfies FSCA, with audit adjustments for the pen-register angle.

How much can an FSCA violation cost?

Statutory damages under Fla. Stat. § 934.10 are $1,000 per violation minimum, or $100 per day of violation, whichever is greater, plus actual damages, attorney's fees, and possible punitive damages. Class actions multiply this across every Florida visitor in the class period. Realistic mid-market settlements have landed between $2 million and $20 million in 2025–2026 filings; pre-suit demand letters typically request $15,000 to $50,000.

Does FSCA apply if my business is based outside Florida?

Yes. FSCA applies based on the location of the intercepted party, not the business. If your website has Florida visitors and your trackers fire on them without consent, you are in scope. Out-of-state defendants are routinely named in Florida filings, and the venue is almost always Broward County small-claims court or the Southern District of Florida federal court.

Is a cookie banner enough for FSCA compliance?

No. A banner that doesn't actually block trackers from firing (what plaintiffs call a "decorative banner") fails FSCA's prior, informed, all-party consent requirement and has been repeatedly dismissed as a defense in Florida court. Compliance requires a true consent gate: non-essential tags must not fire until the visitor explicitly opts in, and the consent event must be logged with a timestamp.

What is a "trap and trace device" under § 934.31?

Section 934.31 prohibits the use of pen registers and trap-and-trace devices without a court order. Historically these were physical devices that captured phone-number routing information. Plaintiff firms are now arguing that website analytics scripts, ad pixels, and fingerprinting tools function as pen registers when they capture and transmit visitor identifiers and request metadata. This is the most aggressive FSCA theory in the current wave.

Will my cyber liability insurance cover an FSCA lawsuit?

Sometimes. Cyber liability and commercial general liability policies may cover privacy claims, but most have 30-day notice requirements and specific carve-outs for statutory privacy violations. Notify your carrier in writing within 30 days of any demand letter, even if coverage is uncertain; missing the notice window almost always voids coverage.

 

The next FSCA letter you get is preventable

Most Florida defendants share one thing in common: a cookie banner that looked compliant but didn't actually block trackers from firing pre-consent. Enzuzo's consent management platform closes that gap on day one, across Florida, California, the EU, and every other jurisdiction your visitors come from.


Osman Husain


Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.