Session replay software was designed to help UX teams understand how users navigate websites—recording mouse movements, clicks, scrolls, and form interactions to improve digital experiences. But Kind Law, a Los Angeles and Las Vegas-based plaintiff firm, has made session replay technology the centerpiece of a growing series of digital wiretapping class actions under California law.
If your website uses Hotjar, Microsoft Clarity, FullStory, or any similar tool, Kind Law’s litigation strategy is directly relevant to your compliance posture.
About Kind Law
Kind Law is a plaintiff litigation boutique with offices in Los Angeles, California and Las Vegas, Nevada. The firm is led by Michael Kind and specializes exclusively in digital privacy violations, including unauthorized call recording, CIPA wiretapping claims, and session replay class actions.
One of Kind Law’s distinguishing characteristics is its collaborative approach. The firm regularly co-counsels with other plaintiff firms to file multi-jurisdictional cases in both California and Nevada, targeting companies whose use of digital tracking and session replay technology creates exposure under both states’ privacy statutes. This collaborative model amplifies their litigation reach and enables them to pursue defendants across a broader geographic scope than a solo-firm operation.
Key Legal Theories
Digital Wiretapping — CIPA Section 631
Kind Law’s core theory holds that session replay software and advertising pixels constitute electronic eavesdropping devices under California’s wiretapping statute, CIPA § 631. Their argument: tools like Hotjar and FullStory capture keystrokes, form entries, mouse movements, and page interactions in real time—effectively recording the user’s communications with the website without their meaningful consent.
This framing treats session replay not as an analytics tool but as a wiretapping device—one that enables a third party (the session replay vendor) to observe user behavior simultaneously with the user, without disclosure. Each session recorded without consent is a potential $5,000 statutory damages claim under CIPA.
Pen Register Theory — CIPA Section 638.51
Kind Law also pursues pen register claims, arguing that tracking tools recording users’ behavioral patterns—pages visited, IP addresses, click sequences—function as illegal pen registers under CIPA § 638.51. Combined with wiretapping claims, this two-pronged approach creates compounding statutory damages exposure.
Nevada Privacy Wiretapping Claims
In addition to California CIPA litigation, Kind Law leverages Nevada’s wiretapping statute (NRS 200.620) for cases involving Nevada residents or businesses. Nevada’s statute similarly prohibits the interception of wire communications without consent, and its application to digital tracking is an area Kind Law has actively pursued in Nevada state courts.
How They Identify Targets
Kind Law systematically scans consumer-facing websites for:
- Session replay scripts (Hotjar, Microsoft Clarity, FullStory, LogRocket, Inspectlet, Lucky Orange)
- Meta Pixel and similar advertising pixels deployed without user consent gating
- Chat tools that enable third-party access to conversation logs
- Any website serving California or Nevada residents with behavioral tracking technology
E-commerce sites, subscription services, SaaS platforms, healthcare portals, and consumer apps are among the most common targets because of their high session volumes and reliance on behavioral analytics to optimize conversion funnels.
Notable Cases and Activity
Kind Law has filed a series of class action complaints in both California and Nevada courts. Their cases often name both the website operator and the session replay vendor as co-defendants—a strategy that increases settlement pressure on the primary business defendant while drawing attention to the technology provider’s liability exposure.
The firm has secured significant settlements in cases involving unauthorized call recording and digital wiretapping. In one notable arbitration settlement, the firm recovered approximately $2 million for a class of California residents in a matter involving digital privacy violations.
Their collaborative model with other plaintiff firms also means that Kind Law cases often arrive as part of coordinated filing campaigns—multiple cases filed against similar defendants in the same time period, creating a coordinated media and legal pressure campaign.
CIPA Risks for Your Business if Kind Law Finds Your Website
Session replay tools are among the most commonly overlooked CIPA risks. Many businesses implement them as a routine part of their UX and product development stack without ever considering their legal implications under California or Nevada law.
The risk profile is substantial:
- Session replay tools that run without consent on California or Nevada visitor sessions create per-session liability
- The “third-party doctrine” means your session replay vendor’s access to recordings creates independent wiretapping exposure
- Co-defendant naming of technology vendors does not protect the website operator—both parties may face liability
- Class certification in session replay cases can create exposure across millions of historical user sessions
Compliance Action Steps
- 1. Identify All Session Replay Tools: Audit every session replay tool on your website. Confirm whether it runs for all visitors by default or only after consent is obtained.
- 2. Gate Session Replay Behind Explicit Consent: Configure session replay and behavioral analytics tools to activate only after a user has affirmatively consented to tracking—not merely by continuing to browse.
- 3. Limit Vendor Data Access: Review any configurations that allow your session replay vendor to access raw session data. Consider data minimization settings that exclude keystroke logging and form field captures.
- 4. Update Privacy Disclosures: Clearly disclose the use of session replay technology in your Privacy Policy and Cookie Policy, identifying the vendor and explaining what data is collected.
- 5. Assess Historical Exposure: If you have historical session replay data collected without clear consent, consult with a privacy attorney about your exposure and potential remediation options.
Conclusion
Kind Law has identified session replay software as a high-value litigation target—and the legal theory, while contested in some courts, has survived enough early dismissal challenges to remain a serious threat. For businesses that rely on behavioral analytics and session recording, the compliance ask is direct: consent before recording, disclose what you collect, and limit vendor access to the minimum necessary.
The businesses most at risk are those that have deployed session replay as a default-on tool without a consent layer. The businesses best positioned are those that have treated it as the privacy-sensitive technology it legally is.
