Somewhere right now, an automated scanner from Kind Law or Swigart Law is crawling WordPress stores and logging every session replay script that fires before consent. Approximately 1,500 CIPA lawsuits were filed in the 18 months before August 2025 (Seresa research, 2025), most of them triggered by exactly that kind of industrial scanning. If you run Hotjar, Microsoft Clarity, FullStory, Lucky Orange, or Inspectlet on a WooCommerce checkout, you are already in the index.
The Meta Pixel wave was first. Session replay is next — a whole separate class of tool most SMB owners installed because they thought it was “just a heatmap.” The case law is genuinely split, the legislative safe harbor failed to pass, and no consent banner alone is a reliable defence. The fix is architectural.
What the Scanners Actually Look For
Plaintiff-side firms have industrialised this. Kind Law systematically scans consumer-facing websites for session replay scripts (Hotjar, Microsoft Clarity, FullStory, LogRocket, Inspectlet, Lucky Orange), Meta Pixel and similar advertising pixels deployed without user consent gating, and chat tools that enable third-party access to conversation logs (Captain Compliance, April 2026). A site either loads one of these scripts before a user has agreed to be tracked, or it does not. That is a binary the scanner can check at scale.
The pattern the scanner flags is not “you have session replay.” It is “session replay fired before consent, on a page that includes form inputs or PII.” Checkout pages are the sharpest version of that pattern because they combine keystroke capture with payment-data context. It is the single page on a WooCommerce site where the scanner’s output is most likely to become a demand letter.
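The scanner's check is mechanical enough to run against your own store before anyone else does. The script below is an added example, not a plaintiff firm's tooling and not part of this article's product: it walks a HAR export of a page load, matches requests against a list of replay-vendor hosts, and compares each vendor request's start time with the moment the consent banner recorded an opt-in. The vendor host list, the WooCommerce path prefixes, the HAR sample and the consent timestamp are all assumptions constructed for the example.

```javascript
// Self-audit for the pattern the plaintiff-side scanners flag: a session
// replay script fetched BEFORE the visitor's consent event, on a page that
// collects PII. Input is a HAR log (DevTools > Network > "Save all as HAR
// with content") plus the timestamp at which the visitor accepted tracking.
// Added example; the HAR below is constructed, not captured traffic.

// Starting list of vendor script hosts. Assumption: verify each against the
// vendor's current install snippet before relying on it.
const REPLAY_VENDORS = [
  { name: "Hotjar", hosts: ["hotjar.com"] },
  { name: "Microsoft Clarity", hosts: ["clarity.ms"] },
  { name: "FullStory", hosts: ["fullstory.com"] },
  { name: "Lucky Orange", hosts: ["luckyorange.com"] },
  { name: "Inspectlet", hosts: ["inspectlet.com"] },
  { name: "LogRocket", hosts: ["logrocket.io", "lr-ingest.io"] },
];

// WooCommerce default paths whose forms carry PII or payment data.
const PII_PATH_PREFIXES = ["/checkout", "/my-account"];

function hostMatches(hostname, pattern) {
  return hostname === pattern || hostname.endsWith("." + pattern);
}

function vendorFor(url) {
  const { hostname } = new URL(url);
  return REPLAY_VENDORS.find((v) => v.hosts.some((h) => hostMatches(hostname, h))) || null;
}

function isPiiPath(pathname) {
  const p = pathname.toLowerCase();
  return PII_PATH_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + "/"));
}

// consentAtIso: when the CMP recorded the opt-in. null means the visitor never
// consented, so every request in the log counts as pre-consent.
// Severity: "flag" = pre-consent on a PII page (the demand-letter pattern),
// "warn" = pre-consent elsewhere, or replay on a PII page even with consent.
function auditHar(har, consentAtIso) {
  const consentAt = consentAtIso === null ? Infinity : Date.parse(consentAtIso);
  // Chrome stores the page URL in pages[].title (assumption; adjust per browser).
  const pageUrlById = new Map(har.log.pages.map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries) {
    const vendor = vendorFor(entry.request.url);
    if (!vendor) continue;
    const pagePath = new URL(pageUrlById.get(entry.pageref)).pathname;
    const preConsent = Date.parse(entry.startedDateTime) < consentAt;
    const piiPage = isPiiPath(pagePath);
    const severity = preConsent && piiPage ? "flag" : preConsent || piiPage ? "warn" : "ok";
    findings.push({ vendor: vendor.name, url: entry.request.url, pagePath, preConsent, piiPage, severity });
  }
  return findings;
}

// Constructed sample: a checkout page load where Clarity fires from <head> at
// +310 ms, the visitor accepts at +4 s, and Hotjar loads only after consent.
const SAMPLE_HAR = {
  log: {
    pages: [{ id: "page_1", startedDateTime: "2025-08-01T10:00:00.000Z", title: "https://shop.example/checkout/" }],
    entries: [
      { pageref: "page_1", startedDateTime: "2025-08-01T10:00:00.310Z", request: { url: "https://www.clarity.ms/tag/abcdefghij" } },
      { pageref: "page_1", startedDateTime: "2025-08-01T10:00:00.420Z", request: { url: "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX" } },
      { pageref: "page_1", startedDateTime: "2025-08-01T10:00:05.100Z", request: { url: "https://static.hotjar.com/c/hotjar-1234567.js?sv=6" } },
    ],
  },
};
const SAMPLE_CONSENT_AT = "2025-08-01T10:00:04.000Z";

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditHar(SAMPLE_HAR, SAMPLE_CONSENT_AT)) {
    console.log(`${f.severity.toUpperCase()}  ${f.vendor} on ${f.pagePath} preConsent=${f.preConsent}`);
  }
}
```

Run it against a HAR captured while loading your own checkout page as a fresh visitor, with the consent timestamp taken from your CMP's own log or from the request it sends when the visitor clicks accept. A "flag" line is exactly what the scanner would record; a "warn" line on a checkout page with consent is still a tag you have no UX reason to run there.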
The footprint is not small. A Princeton CITP study identified session replay scripts (FullStory, Hotjar, SmartLook, SessionCam, Yandex) on 482 of the Alexa top 50,000 websites (Princeton CITP, 2017), and adoption has grown steadily since — Microsoft Clarity’s free tier alone put replay on tens of thousands more sites that never existed in the original sample.
Settlement ranges tell you how the economics work. Swigart Law Group settlements reportedly range from $10,000 to $200,000 or more, depending on violation count and California traffic volume (Enzuzo via Seresa, 2026). CIPA Section 631 carries $5,000 in statutory damages per alleged violation (Ninth Circuit analysis, 2025) — and a “violation” in these complaints typically means per session or per page load, not per case.
The Case Law Is Genuinely Split
Honest framing matters here, because compliance-vendor content tends to pick whichever case supports a sale. The real picture is less tidy.
The direct party vs third party doctrine is the fault line. If the session replay vendor is treated as a direct party to the communication (a participant, or a tool the site itself operates) there is no wiretap. If the vendor is treated as a third party listening in on its own account, an eavesdropper rather than the site's own instrument, liability attaches. Courts have come down on both sides.
Saleh v. Nike survived a motion to dismiss in the Central District of California, with the plaintiff complaint arguing the session replay feature was “highly intrusive” because it records sensitive input including passwords and card numbers. Graham v. Noom went the other way, with the court treating the replay vendor as a direct party to the communication. Thomas v. Papa John’s was affirmed in the defendant’s favour. Mikulsky and Camplisson v. Adidas survived at the pleading stage, with Camplisson notably advancing under the Section 638.51 pen-register theory in November 2025.
Three takeaways from that split, without over-reading it:
- Nothing about this is settled. Any article telling you session replay is “fine” or “banned” in California is wrong in both directions.
- Cases that survive pleading get expensive fast, even when the defendant ultimately wins.
- The direct-party question often turns on contract language with the replay vendor — which most SMB owners have never read and cannot unilaterally change.
Then there’s the legislature. California SB 690 — which would have created a commercial-business-purpose safe harbor — failed to advance in 2025 and is now a two-year bill with an earliest effective date of 2027 (Byte Back / Alston & Bird, 2025). Waiting for the law to catch up is a two-year bet on a bill that already lost once.
Two Separate Legal Theories — Two Separate Mechanical Problems
Section 631 is the wiretapping theory. Plaintiffs argue the session replay script intercepts communications in transit — keystrokes, clicks, and form entries recorded as they happen, in real time. The mechanical fact that matters: the recording is happening while the user is still typing, not after they submit. That is what makes it look like interception rather than logging.
Section 638.51 is the pen-register theory, and it’s newer. It targets the metadata side — IP, click sequences, page history, device fingerprints — collected without consent. Camplisson v. Adidas survived dismissal under this theory, which is why it matters: it opens a second independent vector plaintiffs can plead, even if the §631 count fails.
Most articles conflate the two. They are separate theories, they require different defences, and a site can be exposed on one while safe on the other.
Why a Consent Banner Alone Isn’t Enough
The scanners do not flag sites that have a banner. They flag sites where the tracker fired before the user interacted with the banner. That is a timing problem, not a disclosure problem.
This is where most WordPress configurations fail in the same way. The replay script is loaded in the <head> via a plugin or GTM tag. The consent banner loads slightly after. By the time the user sees a cookie banner, the replay vendor already has the first few seconds of the session — and the first few seconds of a checkout session are exactly what the complaint targets.
For Microsoft Clarity specifically, there is a second problem: it often gets placed in the “analytics” consent category on WordPress sites when plaintiffs argue it belongs in the “behavioural tracking / session recording” category. A banner that asks for analytics consent does not grant session-replay consent under that argument.
The Architectural Answer
If the exposure pattern is pre-consent fire on a PII page, recorded by a third-party vendor, each word in that phrase is an architectural choice you can make differently. Three moves cover most of the risk.
1. Consent-gate the script, properly. The replay tag does not load at all until consent is granted, and it loads in the correct category. This is a tag-sequencing problem, not a plugin-setting problem. If your GTM configuration fires the replay tag in the same trigger group as Google Analytics, consent for one is being treated as consent for both — which the complaints explicitly challenge.
2. Exclude checkout and logged-in pages entirely. There is no UX reason to record form inputs on the page where users type credit card numbers. Every major replay vendor supports URL exclusions and input masking; most sites never configure them because nobody treated the default as a legal question. Exclude the checkout flow, the account page, and any step that collects PII.
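Moves 1 and 2 together amount to a loader that makes the decision at runtime instead of pasting the vendor snippet into <head>. The block below is an added example, not any vendor's SDK and not a consent plugin: the pure decision function can be unit-tested, and the vendor script is not fetched at all unless the current path is outside the excluded pages and the consent store grants the session-recording category specifically (analytics consent is deliberately not enough). The consent object shape, the `consent_changed` event name, `window.readReplayConsent` and the placeholder script URL are assumptions; map them onto what your CMP actually exposes.

```javascript
// Consent-gated, path-excluded loader for a session replay tag.
// Added example, not a vendor SDK. Assumed inputs are marked below.

const REPLAY_CONSENT_CATEGORY = "session_recording"; // deliberately not "analytics"
const EXCLUDED_PATH_PREFIXES = ["/checkout", "/my-account"]; // WooCommerce defaults; extend as needed

function onExcludedPath(pathname) {
  const p = pathname.toLowerCase();
  return EXCLUDED_PATH_PREFIXES.some((prefix) => p === prefix || p.startsWith(prefix + "/"));
}

// Pure decision: no DOM access, so it can be tested and logged.
// consent shape ({ categories: { session_recording: true } }) is an assumption.
function replayDecision(pathname, consent) {
  if (onExcludedPath(pathname)) return { load: false, reason: "excluded_path" };
  const granted = Boolean(consent && consent.categories && consent.categories[REPLAY_CONSENT_CATEGORY] === true);
  if (!granted) return { load: false, reason: "no_replay_consent" };
  return { load: true, reason: "consented" };
}

// Side effect: inject the vendor tag exactly once. Returns true if injected now.
function injectScript(doc, src) {
  if (doc.querySelector('script[src="' + src + '"]')) return false;
  const s = doc.createElement("script");
  s.async = true;
  s.src = src;
  doc.head.appendChild(s);
  return true;
}

// One gate call: decide, then inject only on a positive decision.
function gateReplay(win, readConsent, src) {
  const decision = replayDecision(win.location.pathname, readConsent());
  decision.injected = decision.load ? injectScript(win.document, src) : false;
  return decision;
}

// Browser wiring (skipped under Node). The gate runs at load and again when the
// CMP announces a change, so an opt-in mid-visit takes effect on the current
// page. Withdrawal cannot unload a script that is already running: it takes
// effect on the next navigation unless your vendor offers a runtime stop call.
// "consent_changed" and window.readReplayConsent are assumed CMP hooks.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const VENDOR_SRC = "https://replay.example.invalid/tag.js"; // placeholder, not a real vendor URL
  const run = () => gateReplay(window, window.readReplayConsent, VENDOR_SRC);
  run();
  window.addEventListener("consent_changed", run);
}
```

The point of splitting `replayDecision` from `injectScript` is that the decision can be logged with its reason, which is the evidence you want if a demand letter arrives: for every page view, a record saying the tag was or was not loaded and why. Keep input masking enabled in the vendor's own settings for the pages where replay does run; this loader does not replace that.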
3. Move behavioural signals server-side where you can. Most of what session replay is actually used for (understanding abandonment, funnel drop-off, form-field friction) can be reconstructed from server-side event data without the third-party-eavesdropper theory applying at all. Time-on-step, field-error patterns, checkout progression: these are all events your server already knows about. One caveat on scope: this answers the §631 interception framing. The §638.51 pen-register theory is about which metadata you collect and under what consent, and a first-party server that logs IP addresses and device fingerprints still has to answer that question on its own terms.
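What "reconstructed from server-side event data" looks like in practice, as an added example that is not the article's product code: a small aggregator that takes events a server already has (which checkout step a session reached, when, and which server-side validation errors it hit) and produces the funnel numbers session replay was installed to answer. The event records are constructed, and their shape is an assumption about what a WooCommerce hook listener would forward, not the inPIPE plugin's actual payload format. Nothing in the input is a keystroke or a field value.

```javascript
// Funnel reconstruction from server-side events. Added example; the EVENTS
// array is constructed and its shape is assumed (session id, step name,
// seconds since the cart was created, server-side field validation errors).

const STEPS = ["cart", "checkout_view", "checkout_submit", "order_placed"];

const EVENTS = [ // constructed sample: four sessions, one completed order
  { session: "s1", step: "cart", t: 0 },
  { session: "s1", step: "checkout_view", t: 12 },
  { session: "s1", step: "checkout_submit", t: 80, fieldErrors: ["billing_postcode"] },
  { session: "s1", step: "checkout_submit", t: 95 },
  { session: "s1", step: "order_placed", t: 96 },
  { session: "s2", step: "cart", t: 0 },
  { session: "s2", step: "checkout_view", t: 30 },
  { session: "s2", step: "checkout_submit", t: 140, fieldErrors: ["billing_postcode", "billing_phone"] },
  { session: "s3", step: "cart", t: 0 },
  { session: "s4", step: "cart", t: 0 },
  { session: "s4", step: "checkout_view", t: 20 },
];

function median(values) {
  if (values.length === 0) return null;
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns how many sessions reached each step, where they drop off, the
// median seconds spent on each step, and which fields failed validation.
function summarizeFunnel(events) {
  const firstSeen = new Map(); // session -> { step -> earliest t }
  const fieldErrors = {};
  for (const e of events) {
    if (!firstSeen.has(e.session)) firstSeen.set(e.session, {});
    const steps = firstSeen.get(e.session);
    if (steps[e.step] === undefined || e.t < steps[e.step]) steps[e.step] = e.t;
    for (const f of e.fieldErrors || []) fieldErrors[f] = (fieldErrors[f] || 0) + 1;
  }
  const reached = {};
  const medianSecondsOnStep = {};
  STEPS.forEach((step, i) => {
    const next = STEPS[i + 1];
    const durations = [];
    let count = 0;
    for (const steps of firstSeen.values()) {
      if (steps[step] === undefined) continue;
      count++;
      if (next && steps[next] !== undefined) durations.push(steps[next] - steps[step]);
    }
    reached[step] = count;
    medianSecondsOnStep[step] = next ? median(durations) : null;
  });
  const dropOff = {};
  STEPS.slice(0, -1).forEach((step, i) => {
    dropOff[step + "->" + STEPS[i + 1]] = reached[step] - reached[STEPS[i + 1]];
  });
  return { reached, dropOff, medianSecondsOnStep, fieldErrors };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(summarizeFunnel(EVENTS), null, 2));
}
```

On the sample, two of the four sessions abandon before submitting and the one field that fails most often is the postcode: that is the "form-field friction" finding, obtained from the server's own validation results rather than from recording what the visitor typed.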
How This Lines Up on WooCommerce
Transmute Engine™ is a first-party Node.js server that runs on your subdomain and already captures the behavioural signal most SMBs bought Hotjar for — cart events, checkout step progression, field-level abandonment timing — directly from WooCommerce hooks via the inPIPE plugin. The third-party-vendor theory does not apply to events that originate on the merchant’s own server. Session replay still has legitimate UX uses above the funnel. It does not need to be running on the checkout, and for many stores the server-side event stream removes the reason it was there in the first place.
Key Takeaways
- Approximately 1,500 CIPA lawsuits filed in the 18 months before August 2025, scanned and triaged at industrial scale.
- Case law is genuinely split. Saleh, Mikulsky, and Camplisson survived pleading; Graham and Thomas went for the defendant. Nothing is settled.
- Consent banners alone don’t fix the pattern scanners flag. The issue is pre-consent firing, not disclosure.
- Two separate legal theories — §631 (wiretap) and §638.51 (pen register) — require different architectural responses.
- Checkout and logged-in pages should never run client-side replay. The behavioural signal belongs server-side, where the third-party-vendor theory does not apply.
FAQ
Clarity is free, which is why it shows up on so many WordPress sites, but on a checkout page it presents the same legal profile as any other session replay tool: keystroke and form-field capture that plaintiffs characterise as real-time interception. On pages collecting PII or payment data the structural answer is not to run client-side replay at all — regardless of vendor.
Only if it actually blocks the script from loading before consent is granted, and only in the categories the courts accept. Several cases survived dismissal specifically because the recording script fired before the user interacted with the banner. A banner that appears while the tracker is already running is not a defence.
It is the fault line the cases turn on. If the session replay vendor is a direct party to the communication, a tool the site itself operates (Graham v. Noom reasoning), there is no wiretap. If the vendor is a third party listening in on its own account, not a party to the call (Saleh v. Nike reasoning), liability attaches. Courts are genuinely split, and the outcome often depends on how the contract with the vendor is written.
Not necessarily. The exposure comes from three specific mechanics: firing before consent, recording sensitive input fields, and characterising the vendor as a third-party interceptor. Removing the tool from checkout and logged-in account pages, consent-gating it properly on the pages where it does run, and enabling masked-input features eliminates most of the pattern the scanners look for.
No. This is an architectural analysis of tracking infrastructure, not legal counsel. CIPA case law is genuinely split and evolves month to month. Decisions about litigation risk, cyber insurance, and vendor contract language should be made with a lawyer who can look at your specific California traffic, customer base, and existing disclosures.
If you can’t name — without looking — which consent category Hotjar or Clarity is in on your checkout page and whether the tag fires before or after the banner, the scanners can. Start here.
